The NJCCIC’s email security solution identified a TOAD (telephone-oriented attack delivery) attack impersonating Intuit QuickBooks and Stripe by Commerce Sync. The message appears to have been created on legitimate Stripe infrastructure to evade detection. It contains a PDF attachment purporting to be a legitimate Intuit QuickBooks invoice for an upcoming subscription renewal, and the threat actors use QuickBooks and Stripe branding in both the message and the PDF attachment. On closer inspection, however, the message is suspicious: the QuickBooks name is written with a space in the subject line, the sender’s display name, the email content, and the attachment, and the invoice is addressed and billed to a generic “user.” The link to pay the invoice does not lead to verified Stripe domains; instead it displays a message that the invoice cannot be found, pushing the target to call actor-controlled phone numbers such as 888-375-7282, 888-652-2384, 888-514-8354, and others. The message and attachment also direct the target to email “sales” with questions or requests for assistance at non-Intuit addresses on the “quicksbook[.]com” and “quick-books[.]com” domains instead of official Intuit domains.
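The indicators above (a brand name written with a space, a generic addressee, callback phone numbers in place of a working payment link, and look-alike contact domains) can be turned into a mail-gateway triage rule. The script below is an added example for this advisory, not NJCCIC tooling: the phone numbers and look-alike domains come from the text above, while the OFFICIAL_DOMAINS allowlist, the three sample messages, and the verdict thresholds are constructed assumptions for illustration. It also generalizes beyond the reported campaign by flagging any callback number or non-official contact domain that appears alongside the spaced brand name, not only the known values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: an illustrative allowlist of domains legitimate Intuit/Stripe mail points to.
# A real deployment would use the organisation's vetted list.
OFFICIAL_DOMAINS = {"intuit.com", "quickbooks.intuit.com", "stripe.com"}

# Indicators quoted in the advisory (defanging brackets removed).
KNOWN_BAD_DOMAINS = {"quicksbook.com", "quick-books.com"}
KNOWN_BAD_PHONES = {"8883757282", "8886522384", "8885148354"}

SPACED_BRAND = re.compile(r"\bquick\s+books\b", re.IGNORECASE)
GENERIC_ADDRESSEE = re.compile(r"\b(?:dear|bill(?:ed)?\s+to|to)\s*:?\s*user\b", re.IGNORECASE)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
EMAIL_ADDR = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def _is_official(domain):
    """True if the domain is, or is a subdomain of, an allowlisted domain."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def analyze(raw_message):
    """Return a list of (indicator, evidence) pairs for one single-part text message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # assumption: single-part text/plain body
    findings = []

    # Brand name written with a space in any of the places the advisory lists.
    for field, text in (("subject", subject), ("display_name", display_name), ("body", body)):
        hit = SPACED_BRAND.search(text)
        if hit:
            findings.append(("spaced_brand_name", f"{field}: {hit.group(0)!r}"))

    # Sender domain check. Note the advisory's lure came via legitimate Stripe
    # infrastructure, so this check alone would not have caught it.
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    if sender_domain and not _is_official(sender_domain):
        findings.append(("non_official_sender_domain", sender_domain))

    # Contact addresses in the body that point away from official domains.
    for m in EMAIL_ADDR.finditer(body):
        domain = m.group(1).lower()
        if domain in KNOWN_BAD_DOMAINS:
            findings.append(("known_lookalike_domain", domain))
        elif not _is_official(domain):
            findings.append(("non_official_contact_domain", domain))

    # Callback phone numbers: the hallmark of a TOAD lure.
    for m in PHONE.finditer(body):
        digits = "".join(m.groups())
        kind = "known_toad_phone" if digits in KNOWN_BAD_PHONES else "callback_phone"
        findings.append((kind, digits))

    hit = GENERIC_ADDRESSEE.search(body)
    if hit:
        findings.append(("generic_addressee", hit.group(0)))
    return findings


def verdict(findings):
    """Map indicators to an action. Thresholds are an assumption for this example."""
    kinds = {k for k, _ in findings}
    if kinds & {"known_lookalike_domain", "known_toad_phone"}:
        return "block"
    if "spaced_brand_name" in kinds and kinds & {
        "callback_phone", "non_official_contact_domain", "generic_addressee"
    }:
        return "quarantine"
    return "allow"


# Constructed sample messages (not real captures).
SUSPICIOUS = """\
From: "Quick Books via Stripe" <invoices@stripe.com>
To: victim@example.org
Subject: Quick Books subscription renewal invoice

Bill to: user

Your Quick Books Online subscription renews in 3 days.
To pay or cancel, call 888-375-7282 or (888) 514-8354.
Questions? Email sales@quicksbook.com.
"""

VARIANT = """\
From: "Quick Books Billing" <billing@stripe.com>
To: victim@example.org
Subject: Quick Books renewal notice

Hello,
Call 800-555-0100 to cancel. Support: help@quickbooks-support.example
"""

BENIGN = """\
From: "Intuit QuickBooks" <notifications@intuit.com>
To: jane@example.org
Subject: Your QuickBooks invoice is ready

Hello Jane,

Your QuickBooks invoice for March is attached. Sign in at quickbooks.intuit.com to view it.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("variant", VARIANT), ("benign", BENIGN)):
        found = analyze(sample)
        print(name, verdict(found), found)
```

The "quarantine" tier matters more than the "block" tier: the listed numbers and domains will rotate, but a spaced brand name combined with a callback number and no working payment link is the pattern that outlives any single campaign.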
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages.
- Safeguard your information and accounts, including account credentials and other sensitive information.
- Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Keep systems up to date and apply patches after appropriate testing.
- Report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the Federal Trade Commission (FTC), or the credit reporting bureaus.
- Report phishing emails and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
