Attackers Use QuickBooks to Launch ‘BEC 3.0’ Campaign

QuickBooks is in the crosshairs of bad actors. Attackers are creating free accounts in QuickBooks, which they then use to pilfer money and data from users in what are being called business email compromise (BEC) 3.0 campaigns.

The miscreants send invoices from legitimate accounts, according to researchers at Avanan, then rake up cash and credentials when users respond.

“This email comes directly from QuickBooks. It has a QuickBooks email address, meaning it will pass all SPF checks, domain checks and more,” they wrote in a blog post. “There’s nothing inherently wrong with the text, no malicious links. One thing that is off, however, is the phone number.”

In fact, the number is the “only piece of information that might alert an eagle-eyed user that something is off,” they said. That’s why the researchers “always recommend” that users do a Google search of a phone number, “even if the number is legitimate.”

Noting that in these so-called BEC 3.0 attacks, “all the typical phishing hygiene tricks are thrown out the window,” the researchers said, “You can’t see a discrepancy in the sender’s address. The links are legitimate. The spelling and grammar are on point.”

While targets “may question why they’re asking for a Norton LifeLock payment,” Avanan said, “plenty of people use Norton LifeLock. And that goes for both consumers and businesses.”

Users have little reason to doubt the veracity of the emails. “Hackers use SharePoint, OneDrive, AWS, Hubspot, QuickBooks, PayPal to deliver attacks because they are coming from trusted domains and this increases the likelihood they will bypass traditional email technology that relies on blocklist and domain reputation, plus it will look legitimate to employees with security training,” said Patrick Harr, CEO at SlashNext.

“A key element of a successful phish is the fear and urgency they inspire in the victim. The sticker shock of the invoice is what the attacker is counting on to get you to click that link or make the phone call to contest the amount, at which point they start the process of attempting to snare the victim’s credentials,” said Jim Kelly, RVP, endpoint security at Tanium. “The goal is to get you to ‘call before you think,’ which allows them to prey upon your fear. Once you’re on the phone with them, they have an arsenal of psychological strategies to convince you of their legitimacy and be successful in extorting credentials, money, or both from you.”

Users, Avanan said, must “scrutinize this email incredibly carefully,” but pointed out that users might not be inclined to be so vigilant. “This requires a new wave of education for users,” the researchers wrote. “Hovering over links isn’t as helpful–now users have to be wary of all links. This requires a whole new approach.”

Users could be hesitant to share a troubling email. “No matter how scary an e-mail may seem, it is always worth getting a second opinion, and if there’s any doubt or any indicator that this is a shock-based tactic, you should immediately engage your organization’s security team for additional review before calling,” said Kelly.

Security pros have an equally tough time. “All the standard checks–domain, SPF, DMARC, etc.–will pass. Many security services will see the Intuit domain and just send it through, no other checks done,” the researchers noted. “There isn’t a newly created domain to look at. Natural language processing won’t do much good. This is what makes these attacks so incredibly tricky to stop.”

Since the scam has users calling to verify “what’s going on,” the hackers can “then harvest the phone number, allowing them to use it for future attacks,” which has ominous implications going forward.

In “a one-two punch, the hackers receive money and have a phone number for future attacks, whether via text message or WhatsApp,” the researchers said.

“This attack works because of what hackers on the dark web call a double spear—make the user call the listed telephone number [and] make the user pay the invoice,” the researchers noted.

Security services will learn to adapt to BEC 3.0, just like they’ve done a good job adapting to BEC 2.0. But hackers always try to stay one step ahead. “This is the next wave,” they wrote, adding that for both security services and users alike, “this represents a major challenge.”

While “this ‘BEC 3.0’ attack is particularly sophisticated … it is still basically just a page from the business email compromise playbook, and provides us another example of a preventable breach,” said Mika Aalto, co-founder and CEO at Hoxhunt. “I say ‘preventable’ because any person who, if compromised, can cause outsized damage should also receive specialized training to defend against such attacks.”

Aalto said, “There’s clearly a behavior element involved that can be addressed with even more sophisticated training to encourage attacked people to further identify illegitimate requests.”

Kelly agrees that “technological solutions are only one layer of security defense.” Noting that “as attackers gain access to either free services or fully compromised accounts from legitimate domains, it is becoming harder to spot the markers that something is amiss with the communication,” he said. “The fact remains that in the face of some threats, technology is insufficient, and you need human intelligence, awareness and education coupled with a little common sense.”

Training around BEC tactics, he said, “should be given alongside the same education and awareness of things like tailgating (where someone physically follows an authorized employee into a secured area), vishing or other human-centric social engineering techniques.”

But that’s not a straightforward road. “The challenge is that this is going to be more impactful to small businesses who might not cross-check purchase orders against an invoice before paying it,” said Andrew Barratt, vice president at Coalfire. “It does require an attacker to try invoicing for a mass market service, so I’d expect to see these going out posing as Office 365 subscription payments or something else that there is a high probability of being a service consumed by a business.”

Part of the defense, he said, is, in some cases, just good accounts payable hygiene. “Make sure the invoice has the correct purchase order [number], that the renewal dates are known and that the request for payment matches the expected time frame for an invoice.”
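A minimal version of those accounts-payable checks, written here as an added example (not code from the article, Avanan or Coalfire). The vendor directory, purchase-order number, phone numbers, renewal date and invoice text are all constructed placeholders; the point is that every check runs on the invoice content and the organization's own records, since the sender domain and SPF/DMARC results look fine in this attack.

```python
import re
from datetime import date, timedelta

# Constructed vendor-on-record directory: hypothetical values for this example.
VENDORS_ON_RECORD = {
    "Norton LifeLock": {
        "phone": "800-555-0100",        # number on the signed contract
        "po": "PO-4471",                # open purchase order for this subscription
        "renewal": date(2023, 9, 15),   # renewal date the business already knows
    },
}
RENEWAL_WINDOW = timedelta(days=30)
PHONE_RE = re.compile(r"\+?1?[\s.(-]*\d{3}[\s.)-]*\d{3}[\s.-]*\d{4}")


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def triage_invoice(vendor: str, body: str, due_iso: str) -> list[str]:
    """Apply the AP hygiene checks from the article: callback number against the
    vendor on record, expected PO number present, due date inside the known
    renewal window. An empty list means the invoice matched everything on file."""
    findings = []
    rec = VENDORS_ON_RECORD.get(vendor)
    if rec is None:
        return ["vendor not on record; verify out of band before paying"]
    callbacks = {normalize_phone(p) for p in PHONE_RE.findall(body)}
    if callbacks and normalize_phone(rec["phone"]) not in callbacks:
        findings.append("callback number does not match vendor on record")
    if rec["po"] not in body:
        findings.append("expected purchase order number missing")
    if abs(date.fromisoformat(due_iso) - rec["renewal"]) > RENEWAL_WINDOW:
        findings.append("payment requested outside expected renewal window")
    return findings


# Constructed invoice bodies; both would arrive from the same legitimate sender
# domain, so only the content checks can tell them apart.
LEGIT_BODY = "Invoice for Norton LifeLock renewal, PO-4471. Questions? Call 800-555-0100."
SUSPECT_BODY = ("Invoice for Norton LifeLock subscription. Call (800) 555-0199 "
                "within 24 hours to dispute this charge.")

if __name__ == "__main__":
    print(triage_invoice("Norton LifeLock", LEGIT_BODY, "2023-09-10"))    # []
    print(triage_invoice("Norton LifeLock", SUSPECT_BODY, "2023-03-01"))  # 3 findings
```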

AI can help stem and mitigate these attacks. “Today’s AI technology allows us to automatically develop and deliver very sophisticated, individual training experiences at scale, driving behavior change rather than raising awareness,” she said. “Human risk is an organizational problem. Automation, adaptive learning and artificial intelligence/machine learning can help deliver personalized training at scale. Why is that important? Because people need to participate frequently with relevant training that expands their skill level in order to improve and stay engaged.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.