The NJCCIC’s email security solution identified multiple phishing and malware campaigns impersonating legitimate businesses related to accounting, tax filing, and payments. Threat actors can sign up for free accounts for legitimate services and target victims from within those services, utilizing email addresses from domains not flagged by typical security tools. In one phishing campaign, threat actors impersonated Intuit QuickBooks, using their branding and the legitimate sender’s domain name. However, the emails are suspicious because they contain phishing links to non-Intuit domain names, unlike official emails that always include links to “intuit.com” addresses. The phishing links prompt a fraudulent Intuit authentication page to harvest user credentials that can be used in account compromises.
Additionally, the NJCCIC received multiple reports of unauthorized users logging into QuickBooks Online accounts using the victim’s compromised account credentials. The unauthorized users updated existing and added new vendor accounts with their own Automated Clearing House (ACH) information. They then made payments to these vendor accounts, with some successfully deducted from the victim organization’s bank account and some failing due to insufficient funds to cover the transactions.
Threat actors targeted accounting firm employees and impersonated UltraTax CS, Thomson Reuters’ professional tax preparation software. The username in the sender’s email address was misspelled as “subcriptions.” Although UltraTax CS is configured to automatically download and install updates by default, the email recommended manually downloading and installing the supposed software patch. If clicked, potential victims were directed to a malicious link in which threat actors weaponized the legitimate ConnectWise ScreenConnect remote access software to connect to computers and send malicious commands remotely.
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages.
- Safeguard your information and accounts, including account credentials and other sensitive information.
- Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Restrict access based on assigned user roles to ensure only authorized users can view or modify financial information.
- Keep systems up to date and apply patches after appropriate testing.
- Monitor accounts, set up alerts, review account transactions and activity, and report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the FTC, or the credit reporting bureaus.
- Report phishing emails and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
