Users are prompted to click the link provided to fix a payment record discrepancy. The threat actors use a URL shortener provided by X (t.co) to obfuscate the link’s destination. If the link is clicked, users are redirected to a phishing page designed to appear as the Intuit login page. If credentials are entered, the information is forwarded to the threat actors. This campaign may also collect short message service (SMS) multi-factor authentication (MFA) codes.
Recommendations
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually.
- Only submit account credentials on official websites.
- Refrain from clicking links delivered in unverified emails.
- Ensure MFA is enabled for all online accounts.
- Immediately change any passwords that were entered into malicious websites.
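
The following triage check is an added example, not part of the original advisory: it flags messages that name the brand but link through a shortener or to any host other than the official domain, including lookalike hostnames. The allowlist (`intuit.com`), the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the brand's official domain and the
# shortener named in the advisory. Extend both sets for real use.
OFFICIAL_DOMAINS = {"intuit.com"}
SHORTENER_HOSTS = {"t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_url(url):
    """Return 'official', 'shortener', or 'other' for one URL."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "other"
    if host in SHORTENER_HOSTS:
        return "shortener"
    # Compare the parsed hostname only: "intuit.com.login.example.net" and
    # "accounts.intuit.com@example.org" both resolve to a non-official host.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    return "other"

def triage_message(body, brand="intuit"):
    """Flag a message that names the brand but links somewhere else."""
    links = [(u, classify_url(u)) for u in URL_RE.findall(body)]
    mentions_brand = brand in body.lower()
    unverified = [(u, k) for u, k in links if k != "official"]
    return {
        "links": links,
        "flag": mentions_brand and bool(unverified),
        "reasons": [f"{k} link, destination not verifiable: {u}"
                    for u, k in unverified] if mentions_brand else [],
    }

# Constructed sample messages (not taken from the campaign).
SAMPLE_PHISH = ("Intuit: we found a payment record discrepancy. "
                "Fix it here: https://t.co/EXAMPLE123")
SAMPLE_LOOKALIKE = "Sign in to Intuit at https://intuit.com.login.example.net/auth"
SAMPLE_USERINFO = "Intuit account review: https://accounts.intuit.com@example.org/x"
SAMPLE_LEGIT = "Your Intuit receipt is at https://accounts.intuit.com/app/receipts"

if __name__ == "__main__":
    for msg in (SAMPLE_PHISH, SAMPLE_LOOKALIKE, SAMPLE_USERINFO, SAMPLE_LEGIT):
        result = triage_message(msg)
        print(result["flag"], result["reasons"])
```

A shortened link is not malicious by itself; the flag means the destination cannot be confirmed from the message, which is the condition the recommendations above tell users to treat as untrusted.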
