BEC 3.0 Is Here With Tax-Season QuickBooks Cyberattacks

Published: 23/11/2024   Category: security




In next-gen, credential-harvesting attacks, phishing emails are sent through legitimate cloud services and are free of the bad grammar and typos they have traditionally carried (and which users have learned to spot).



Cybercriminals continue to target victims with cleverly crafted phishing attacks, this time sent from QuickBooks Online accounts and aimed at harvesting credentials. The gambits use a level of legitimacy and social engineering indicative of a new wave in business email compromise (BEC) efforts, researchers said.
The attacks show how cybercriminals continue to evolve phishing tactics as security controls and detection for these types of offensives improve, switching to maneuvers that are even more evasive. That's according to researchers from Avanan, a Check Point company, who said in a blog post on April 6 that this evolution of attacks can be considered BEC 3.0.
Threat actors are now signing up for free accounts on legitimate services and then targeting victims from within those services, using email addresses on domains that won't be flagged by typical scanning tools, the researchers said.
"The most unique [aspect of the attack] is the evolution from hackers here," Jeremy Fuchs, Avanan cybersecurity researcher/analyst and author of the blog post, tells Dark Reading. "Hackers are incredibly adept at adjusting. So much money and technology has been thrown at [what] we consider BEC 2.0, and many solutions have gotten really good at stopping it. So, hackers have to adjust — and they have here."
Avanan has already found evidence of similar attacks coming from within PayPal and Google, as well as previous attacks that came from legitimate QuickBooks accounts. Worsening matters, attackers couple this tactic with carefully written and socially engineered emails that are free of the bad grammar and typos that phishing emails have traditionally contained and that users have learned to spot, Fuchs said.
"All the typical phishing hygiene tricks are thrown out the window," he wrote in the post. "You can't see a discrepancy in the sender's address. The links are legitimate. The spelling and grammar are on point."
One reason phishing remains a primary initial access vector is attackers' growing use of legitimate software-as-a-service (SaaS) and cloud offerings, such as LinkedIn, Google Cloud, AWS, and many others, to host malicious content or to redirect users to it.
In the case of the latest QuickBooks attack, the messages inform victims that their subscription to a Norton antivirus product, Norton LifeLock, is about to be renewed and ask the victim to call a phone number to verify or cancel an automatic renewal payment.
This last detail may be the only thing that appears questionable to even the savviest email user; however, as Fuchs says, plenty of people use Norton LifeLock, both consumers and businesses.
If a victim falls for the bait, the campaign packs a one-two punch: attackers can harvest not only payment credentials but also the victim's phone number for future attacks through chat apps like WhatsApp, he wrote in the post.
Overall, the attack demonstrates that hackers are adjusting tactics by creating messages that are not only convincing to end users but also difficult for security protections to pick up, because they come from legitimate sources, Fuchs says. QuickBooks, for example, is a perfectly safe website, and, as it's income-tax season in the US and other countries, an email from the service won't surprise users.
"What hackers have done is taken that safety and used it to their advantage," he says. "By placing unsafe links or messages inside a safe receptacle, it can easily evade detection, because the security service is seeing that the receptacle is safe and passing it forward."
Indeed, all the standard sender checks (sending domain, SPF, DMARC, and so on) pass, because the mail genuinely originates from Intuit's infrastructure, and many security services will see the Intuit domain and simply send the message through without further checks, according to Fuchs.
"There isn't a newly created domain to look at," Fuchs wrote in the post. "Natural language processing won't do much good. This is what makes these attacks so incredibly tricky to stop."
With attackers stepping up their phishing game in novel ways, enterprises and other organizations have to keep pace, both in security protection and in arming employees with the means to identify BEC 3.0 messages, the researchers said.
Advanced employee education about the new types of phishing attacks can go a long way toward mitigating them, according to Fuchs.
"This requires a new wave of education for users," he wrote in the post. "Hovering over links isn't as helpful — now users have to be wary of all links. This requires a whole new approach."
One key thing organizations can ask employees to do is to Google the phone numbers included in suspicious messages that require them to make a phone call to take action, he says. In the case of the attack investigated by Avanan, a Google search of the phone number in the message showed it had been flagged as being used in scams, the researchers found.
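The two points above (that SPF, DKIM and DMARC all pass because Intuit really did send the mail, and that the callback phone number is the detail worth looking up) can be turned into a receiver-side rule. The following is an added example, not Avanan's or Check Point's code and not from the original article. The two sample messages, the `mx.example.net` receiver, the impersonated-brand watchlist and the phone/urgency regexes are constructed for the illustration; only the shape of the `Authentication-Results` header and the article's description of the lure are taken from the page.

```python
"""Flag a callback-phishing lure that arrives through a legitimate SaaS sender.

Added illustration for the attack pattern described in the article; not the
researchers' code. Sample messages, watchlist and regexes are constructed.
"""
import re
from email import message_from_string, policy

# Constructed sample: an invoice sent from a free QuickBooks tenant. Because
# Intuit's infrastructure really sent it, SPF, DKIM and DMARC all pass.
SAMPLE_LURE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=quickbooks@notification.intuit.com;
 dkim=pass header.d=intuit.com;
 dmarc=pass header.from=intuit.com
From: "Norton LifeLock Billing" <quickbooks@notification.intuit.com>
To: ap@victim.example
Subject: Invoice 1042 from Norton LifeLock
Content-Type: text/plain; charset=utf-8

Your Norton LifeLock subscription will auto-renew for $349.99.
To verify or cancel this payment call +1 (800) 555-0199 within 24 hours.
"""

# Constructed sample: an ordinary invoice from the same platform, same headers.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=quickbooks@notification.intuit.com;
 dkim=pass header.d=intuit.com;
 dmarc=pass header.from=intuit.com
From: "Acme Plumbing via QuickBooks" <quickbooks@notification.intuit.com>
To: ap@victim.example
Subject: Invoice 2231 from Acme Plumbing
Content-Type: text/plain; charset=utf-8

Invoice for work completed on 12 March. Pay online using the link in your
QuickBooks account. Questions? Reply to this email.
"""

# Brands that callback scams commonly borrow (constructed watchlist, not Avanan's).
IMPERSONATED_BRANDS = ("norton", "lifelock", "mcafee", "geek squad", "paypal")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
PHONE_RE = re.compile(r"\+?1?[\s.-]*\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
URGENCY_RE = re.compile(
    r"\b(within \d+ hours|auto-?renew|verify or cancel|immediately|will be charged)\b", re.I)
CALL_RE = re.compile(r"\bcall\b", re.I)


def auth_results(raw_message):
    """Parse the receiver's Authentication-Results header into {'spf': 'pass', ...}."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def extract_phone_numbers(text):
    """Digits-only phone numbers, ready to look up against a scam-number source."""
    return [re.sub(r"\D", "", m.group(0)) for m in PHONE_RE.finditer(text)]


def classify(raw_message):
    """Return authentication state, content indicators and a verdict for one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = auth_results(raw_message)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    envelope_text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    phones = extract_phone_numbers(body)

    indicators = []
    if any(brand in envelope_text for brand in IMPERSONATED_BRANDS):
        indicators.append("third_party_brand_in_from_or_subject")
    if phones:
        indicators.append("callback_phone_number")
    if URGENCY_RE.search(body):
        indicators.append("urgency_language")
    if phones and CALL_RE.search(body):
        indicators.append("asks_victim_to_call")

    # Deliberately not short-circuiting on `authenticated`: the receptacle is
    # genuine, so a passing SPF/DKIM/DMARC result says nothing about what the
    # free-tier tenant typed into the invoice. Content has to be judged anyway.
    found = set(indicators)
    suspicious = ({"third_party_brand_in_from_or_subject", "callback_phone_number"} <= found
                  and ("urgency_language" in found or "asks_victim_to_call" in found))
    return {"authenticated": authenticated, "indicators": indicators,
            "phones": phones, "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, classify(raw))
```

Both samples come back `authenticated=True`; only the lure is `suspicious`, and its `phones` entry (`18005550199`) is the value an analyst would search or match against a scam-number feed, which is the automated form of the "Google the phone number" advice above. The brand check is the crude part: it catches a display name or subject that names a product unrelated to the platform that sent the mail, which is exactly the "Norton LifeLock" detail the article singles out.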
Organizations can also implement policies requiring that the types of actions BEC emails request get independent verification from a second employee, which helps decrease the probability of a successful attack, Fuchs says.
Other steps enterprises can take against advanced phishing include data-protection policies that highlight when a credit card or other payment method is used, alerting security teams and finance teams that something is amiss, he says.
Fuchs adds: "Utilizing browser security that follows a link through all its intended actions is helpful too."
