Quickbooks users under attack as tax season heralds data-theft surge

Quickbooks, the popular accounting software package, is under attack by a number of different hacking organizations utilizing various attack vectors, one which takes advantage of a cybersecurity design flaw within Quickbooks itself. Tax season is usually a busy one for cybercriminals. With Quickbooks’ proliferation as the go-to accounting platform for SMBs, their choice of target was an obvious one.

The attack campaign, in general, is centered around spear phishing. The targets are not selected randomly; instead, the hackers have carried out research in selecting specific companies. The bulk of this has been done on websites like LinkedIn. Individuals in a company may have their email addresses displayed; these addresses are usually added to a larger attack database for the hackers to use.

Researchers at ThreatLocker encountered the issue this week and identified 3 main attack vectors.

For the first vector, the hackers will send a PowerShell command that runs inside an email. The second is something a little more familiar; an email containing a Microsoft document. Once the document is opened, a macro within will execute. Both vectors run a similar Malware executable that is just 15 lines of code.

When either vector is used successfully, the malware will find out most recently saved Quickbooks files and points them to file share or the local directory. From here, they are uploaded to the hackers servers.

The third attack vector differs from the others as it doesn’t require the user to download Malware; instead, the hackers have taken advantage of a design flaw in Quickbooks cybersecurity. The hacker can run an Invoke-WebRequest, which utilizes weak access permission in the Quickbooks database to capture details. An Invoke-WebRequest is simply a PowerShell command that scrapes details from a webpage or server.

ThreatLocker successfully tracked much of the stolen data back to the Dark Web, where it is being sold as a commodity. Researchers found data on sale for as cheap as $100 for 100 corporate databases. The price has risen into the thousands for a clean database with full financial information.

As for what is being done with the sold data, it could take several forms. The attack is still on-going, so we will likely not know its full extent until later this year.

One such result of the sold data that has been revealed is a classic bait-and-switch social engineering scam. Once a hacker has garnished enough information about a company and their invoices from their Quickbooks database, they use it for other spear-phishing campaigns. Some that have already been reported involved emailing a customer disguised as a supplier and requesting a payment transfer to a new bank account. Another example involves sending an email from an address that appears to be a known supplier, partner, or customer and requesting a bank transfer.


Quickbooks Security Design Flaws



Quickbooks is not a newcomer to the accounting software scene and has been available for decades. Recent releases, notably Quickbooks 2019 and Quickbooks 2020, emphasize user-requested features, which gave the platform a greater lead over its competitors.

Early versions of Quickbooks, specifically the 1992 launch, were thought to have poor security standards. While they have worked on their security since then, these recent reports suggest there are still some less-than-secure practices still in place.

This is apparent in the success of using an Invoke-WebRequest on Quickbooks file servers.

When Quickbooks is on a file server, the user is required to use Quickbooks Database Server Manager. If a repair is carried out, all file permissions are hard-rest, and the ‘Everyone’ group is added to permissions. This is frankly disastrous, as the database is left wide-open, and anybody can access it.

This approach requires little technical insight from the hacker; Invoke-WebRequest is one of the basic PowerShell commands.

In their report, ThreatLocker recommends that you routinely check your file permissions, ensuring it is not set to ‘Everyone.’ This is particularly important after carrying out any repairs. Permissions should be set to a single user if possible within the organizations’ structure.


Phishing Attacks on SMBs


The recent attacks on Quickbooks and the vulnerabilities within its design is just another addition to the long list of cybersecurity threats SMBs are facing today.

Email risk is without a doubt the biggest concern when tightening security within an SMB. These concerns have always been present but heightened sharply with the COVID-19 Pandemic. The pandemic restructured the classic office layout as employees began working from home.

This led to an increased dependence on email for communication and using other cloud platforms to work, some of which was rushed in development to be available for companies during this time; this, in turn, leads to security vulnerabilities within.

The Pandemic became open-season for cybercriminals, who have found new and better ways to exploit the chain of communication put in place to ensure employees can work as normal.

Smaller businesses, in particular, are at risk, as they lack the resources to keep up with emerging threats.

Last year, 91% of all successful cyberattacks against SMBs began with a phishing email, while 55% of SMBs said they had been victim to a phishing attack.

According to the National Small Business Association, small businesses annually absorb over $20K in costs per attack, with SMBs spending nearly $900K to clean-up after an actual data breach.


Protection Against Phishing And Other Attacks


If one thing is clear, its that Small Businesses are Big Targets.

Phishing as an attack threat is ultimately one that can be greatly lessened by education. Making employees aware of email threats, and how to spot them, can go a very long way in protecting a business no matter its size.

Few people can spot every fraudulent email, though, and it’s wise to have the necessary tools to back up employee security where intuition falls short.

One of these tools is SaferNet, which was designed with SMBs in-mind.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.



Leave a Reply

Your email address will not be published. Required fields are marked *