'BEC 3.0' Is Here With Tax-Season QuickBooks Cyberattacks
In next-gen, credential-harvesting attacks, phishing emails use cloud services and are free from the typical bad grammar or typos they've traditionally used (and which users have learned to spot).
April 6, 2023
Cybercriminals continue to target victims with cleverly crafted phishing attacks, this time from QuickBooks online accounts, aimed at harvesting credentials. The gambits use a level of legitimacy and social engineering indicative of a new wave in business email compromise (BEC) efforts, researchers said.
The attacks show how cybercriminals are continuing to evolve phishing tactics as security and detection for these types of offensives improves, switching to maneuvers that are even more evasive. That's according to researchers from Avanan, a Check Point company, who said in a blog post on April 6 that this evolution of attacks can be considered "BEC 3.0."
Threat actors are now signing up for free accounts for legitimate services and then targeting victims from within those services, using email addresses from domains that won't be flagged by typical scanning tools, the researchers said.
"The most unique [aspect of the attack] is the evolution from hackers here," Jeremy Fuchs, Avanan cybersecurity researcher/analyst and author of the blog post, tells Dark Reading. "Hackers are incredibly adept at adjusting. So much money and technology has been thrown at [what] we consider BEC 2.0, and many solutions have gotten really good at stopping it. So, hackers have to adjust — and they have here."
Avanan already has found evidence of similar attacks coming from within PayPal and Google, as well as previous attacks that already came from legitimate QuickBooks accounts. Worsening matters is the fact that attackers couple this tactic with carefully written and socially engineered emails that are free from the typical bad grammar or typos that phishing emails traditionally have used and which users have learned to spot, Fuchs said.
"All the typical phishing hygiene tricks are thrown out the window," he wrote in the post. "You can't see a discrepancy in the sender's address. The links are legitimate. The spelling and grammar are on point."
Common Lure Without the Typos
One reason why phishing remains one of the primary initial access vectors: the growing use by attackers of legitimate software-as-a-service (SaaS) and cloud offerings such as LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it.
In the case of the latest QuickBooks attack, the messages inform victims that their subscriptions for a Norton antivirus product — Norton LifeLock — are about to be renewed and request action from the victim to call a phone number to verify or cancel an automatic renewal payment.
This latter detail may be the only thing that appears questionable to even the savviest of email user, however, as Fuchs says, "plenty of people use Norton LifeLock — and that goes for both consumers and businesses."
If a victim falls for the bait, the campaign packs a one-two punch, as attackers can harvest not only potential payment credentials, but also a victim's phone number for future attacks from chat apps like WhatsApp, he wrote in the post.
Overall, the attack demonstrates that hackers are adjusting tactics by creating messages that appear not only convincing to end users but are also difficult for security protections to pick up because they come from legitimate sources, Fuchs says. QuickBooks, for example, is a perfectly safe website, and, as it's income-tax season in the US and other countries, an email from the service likely won't surprise users, Fuchs says.
"What hackers have done is taken that safety and used it to their advantage," he says. "By placing unsafe links or messages inside a safe receptacle, it can easily evade detection, because the security service is seeing that the receptacle is safe and passing it forward."
Indeed, all the standard checks — domain, SPF, DMARC, etc. — would allow this type of email to pass, and many security services will see the Intuit domain and just send it through without further checks, according to Fuchs.
"There isn't a newly created domain to look at," Fuchs wrote in the post. "Natural language processing won't do much good. This is what makes these attacks so incredibly tricky to top."
Mitigation Tactics
With attackers stepping up their phishing game in novel ways, enterprises and other organizations also have to keep pace in terms of security protection and arming employees with tools to identify BEC 3.0 messages, the researchers said.
Advanced employee education about the new types of phishing attacks can go a long way to mitigating them, according to Fuchs.
"This requires a new wave of education for users," he wrote in the post. "Hovering over links isn't as helpful — now users have to be wary of all links. This requires a whole new approach."
One key thing that organizations can ask employees to do is to Google phone numbers included in suspicious messages that require them to make a phone call to take action, he says. In the case of the attack investigated by Avanan, a Google search of the phone number included in the message flagged it as being used in scams, the researchers found.
Organizations can also implement policies for the type of actions that BEC emails request that require independent verification from a second employee and can help to decrease the probability of a successful attack, Fuchs says.
Other steps enterprises can take to avoid compromise by advanced phishing attacks include implementing data-protection policies that can highlight when a credit card or other payment method is used, alerting security teams and finance teams that something is amiss, he says.
Fuchs adds: "Utilizing browser security that follows a link through all its intended actions is helpful too."
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024