The eSentire Threat Response Unit recently discovered a scam delivered through a fake QuickBooks installer. The infection typically starts when a user searches for “QuickBooks download” on Google, and the first search result leads them to a malicious website hosting a fake QuickBooks installer.
Affected users reported being unable to access one of their QuickBooks files and, upon opening the file, received a warning message instructing them to call a phone number that appeared to be from Intuit Technical Support. However, the number was part of a scam. When victims called the number, the malicious actor would offer to sell a service to “repair” the files for $800 to $2,000. The malicious actor claimed to be from “QB Exclusive” and used Zoho Assist (remote support software) to establish a remote session on the victim’s machine.
How can you prevent this cyberattack?
- Before downloading QuickBooks, check that the installer is legitimate. Legitimate QuickBooks installer certificates are issued to Intuit, Inc.
- Note that the legitimate QuickBooks files are located under C:\Users\Public\Public Documents\Intuit\QuickBooks\ by default. Any files located under a different folder are suspicious.
- If you receive a pop-up, think before taking any action. Always be suspicious of urgent messages or those asking for immediate payment in return for product support.
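One way to carry out the certificate check from the first item on Windows, as an added example that is not part of the eSentire advisory. The function name `Test-InstallerSigner` and the sample file name are hypothetical, and the expected signer string is taken from the text above; the exact form of the name inside the certificate is an assumption, so names are compared without case or punctuation.

```powershell
# Added example (not from the advisory): report who signed a downloaded
# installer and whether the signature is valid, before the file is run.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer name as stated in the advisory; its exact spelling inside
        # the certificate is an assumption, hence the normalized comparison.
        [string] $ExpectedSigner = 'Intuit, Inc.'
    )

    # Strip case, spaces and punctuation so "Intuit, Inc." and "Intuit Inc"
    # compare equal, while unrelated publisher names do not.
    $normalize = { param($n) ("$n" -replace '[^A-Za-z0-9]', '').ToLowerInvariant() }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # An unsigned file has no signer certificate at all.
    $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '' }
    $signerMatches = ($signer -ne '') -and
                     ((& $normalize $signer) -eq (& $normalize $ExpectedSigner))

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { '' }
        SignerMatches   = $signerMatches
        # Both conditions are required: a valid signature from another
        # publisher, or a matching name on a broken signature, both fail.
        SafeToRun       = ($sig.Status -eq 'Valid') -and $signerMatches
    }
}

# Usage (hypothetical file name):
# Test-InstallerSigner -Path "$env:USERPROFILE\Downloads\QuickBooksSetup.exe"
```

If `SafeToRun` is `False`, do not run the file; the `Signer` and `SignatureStatus` fields show why the check failed.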
For more information on this QuickBooks scam, refer to the full eSentire article.