Intuit has alerted QuickBooks users that they are being targeted by an ongoing phishing campaign that impersonates the company and tries to lure potential victims with fabricated renewal charges.
The company said it received reports from users who were emailed and told that their QuickBooks plans had expired. “This email did not come from Intuit. The sender is not an associated agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” Intuit explained.
The financial software firm advises all customers who receive one of these phishing messages not to click any links embedded in the emails or open attachments.
The suggested way to deal with these messages is to delete them, to avoid being infected by a Trojan or redirected to a phishing landing page created to harvest credentials.
Customers who have already opened attachments or clicked links in the phishing emails should:
- Delete any downloaded files immediately.
- Scan their systems using an up-to-date anti-malware solution.
- Change their passwords.
Intuit also provides information on its support website on how customers can protect themselves from phishing attempts.
QuickBooks Customers Also Targeted by Scammers
In July, Intuit also warned its customers of phishing emails asking them to call a phone number to upgrade to QuickBooks 2021 by the end of the month to avoid having their databases corrupted or company backup files removed automatically.
Our expert has discovered similar emails sent to Intuit users this month, using the very same templates with the upgrade deadline updated to the end of October. While Intuit did not explain how the upgrade scheme worked, based on our experts’ previous encounters with similar scam attempts, the scammers will try to take over the callers’ QuickBooks accounts.
To do that, they ask the victims to install remote access software like AnyDesk or TeamViewer while posing as QuickBooks support staff. Next, they connect and ask the victims to provide the information required to reset their QuickBooks credentials, then take over the accounts and siphon money by making payments in the victims’ names.
If the victims also have two-factor authentication enabled, the scammers will ask for the one-time authorization code required to go ahead with the upgrade.
Copyright Scams and Account Takeover Attacks
Besides these two existing campaigns, Intuit is also being impersonated by other threat actors in a fake copyright phishing scam, as SlickRockWeb CEO Eric Ellason said today.
Recipients targeted by these emails risk infecting themselves with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons deployed on their systems.
The links embedded in this malspam send potential victims through advanced redirection chains that use various security evasion tactics and victim fingerprinting.
In June, Intuit also notified TurboTax customers that some of their personal and financial information was accessed by attackers following a series of account takeover attacks. The company also said that this was not a “systemic data breach of Intuit.”
The company’s investigation revealed that the attackers used credentials obtained from “a non-Intuit source” to access the customers’ accounts and their names, Social Security numbers, addresses, dates of birth, driver’s license numbers, financial information, and more.