Cyberattackers Abuse QuickBooks Cloud Service in Double-Spear Campaign

Malicious invoices coming from the accounting softwares legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a double-spear approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.
The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isnt spooked and comes from an allowed domain, pass the messages right on to inboxes.
The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.
It presents an invoice and encourages you to call if you think there are any questions, Avanan researchers
noted in their analysis
. When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesnt correlate with a real one.
Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.
On this one, were dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials, Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.
He adds, Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and its an invoice for what looks like a legitimate company, it might catch some users off-guard.
Using the legitimacy of cloud domains to reach the inbox is
not a new approach,
of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.
With regards to broader trends that this falls into, weve seen hackers utilize legitimate sites for illegitimate purposes, Fuchs says. Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, weve seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks.
While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.
For instance, in January, a threat actor
used the comments function in Google Docs
to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using @. This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.
Organizations cant block Google, so Google-related domains are allowed to come into the inbox, according to Avanan. These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote.
To guard against attacks like these, Avanan recommends the following:
Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
Encourage users to ask IT if they are unsure about the legitimacy of an email.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cyberattackers Abuse QuickBooks Cloud Service in Double-Spear Campaign