QuickBooks Impersonated in Invoice Fraud Scheme

December 1, 2020

Quickbooks is popular accounting software that also supports the management of essential business functions such as payroll, billing, and invoicing. Its widespread use, especially among small businesses, has made it a target for impersonation among attackers trying to steal valuable information from unsuspecting employees.

In this attack, scammers impersonate QuickBooks to steal valuable credential information from their target.

Summary of Attack Target

  • Platform: Office 365
  • Payload: Link
  • Technique: Spoofing / Impersonation

Overview of the QuickBooks Impersonation Attack

In this email, the attacker impersonates Quickbooks and sends a fake invoice from a supposed vendor that the recipient is meant to pay. They use spoofing to bypass traditional mail filters and gain legitimacy in the eyes of the recipient.

Although the email appears to originate from “quickbooks@notification.intuit.com”, the headers reveal that the true sender domain is “airtelbroadband.in”, which fails DMARC authentication. The email prompts the recipient to “Review and Pay” by clicking on the indicated button, leading them into the attacker’s phishing trap.

The “Review and Pay” button provided by the attacker disguises a malicious link, redirecting the recipient to “http://parkburgerkuwait.com/lo...”. While the landing page for this particular link has been removed, in the past we have seen similar attacks that lead to realistic sign-in pages asking for the user’s credentials to access the invoice.

If the victim does not pay close attention to the URL of the “sign-in page", they could easily fall into this trap and release their credentials to the attacker. The email looks legitimate, with sophisticated formatting and links at the bottom that lead to legitimate Quickbooks resources. The only way the recipient could catch the attack is by looking closely at the landing page link, and because businesses receive a high volume of Quickbooks emails, it is possible or even likely that they would quickly skim over the details and miss this crucial piece of information.

If the recipient falls victim to this phishing attempt, they will compromise their QuickBooks credentials and open up their company to a possible breach. Additionally, if the recipient does not realize their mistake, they may become a target of more of these fraudulent attacks in the future.

Why the QuickBooks Impersonation Attack is Effective

This email was received on the same day that the invoice is supposedly due, motivating the recipient to act quickly in paying off this debt. The attacker specifically asks the recipient for a “prompt payment” to increase this sense of urgency, hoping that, in their haste, the victim will overlook the suspicious landing page link.

It is also expertly framed, with Inuit Quickbooks logos and links meant to distract from the malicious link vector. Additionally, the email states at the bottom to check with the business owner before paying to avoid fraud, giving the recipient a false sense of security as it seems counterintuitive for an attacker to warn their target about their potentially malicious email.

Abnormal determined that this email was malicious due to the unusual sender, suspicious link, and the unusual financial request, understood in the body of the email. Additionally, Abnormal knows that QuickBooks impersonations are widespread across all industries. We have seen nearly 900 of these particular attacks in the mailboxes of over 20 different customers and we expect the rate of these attacks to rise with the continued growth in usage of QuickBooks’ online services.

To learn how to protect your organization from QuickBooks and other impersonations, see a demo today.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More
B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More