Decrypt LOL


Scammers Target QuickBooks Users Through Fraudulent Websites and Ads


Quick take - QuickBooks, developed by Intuit, is facing a rise in scams primarily orchestrated through Google ads, involving fraudulent websites and malicious software that mislead users into seeking help from scammers instead of legitimate support.

Fast Facts

  • QuickBooks, developed by Intuit, is increasingly targeted by scammers, particularly from India, using Google ads to promote fraudulent schemes.
  • Scammers create fake QuickBooks support websites and popups that mislead users into seeking help from them instead of legitimate sources.
  • A specific scam involves a malicious program that generates false error messages, exploiting users’ fears about data corruption to prompt them to contact scammers.
  • Some fraudulent sites appear legitimate, featuring the QuickBooks logo and offering downloads that also install backdoor programs like “zeform.exe.”
  • Experts emphasize the importance of cybersecurity measures, recommending tools like Malwarebytes to protect against these scams and unauthorized remote access.

QuickBooks Scams Targeting Users

QuickBooks, the financial software developed by Intuit, has become a frequent target for scammers, particularly those based in India. Recent investigations have identified two primary methods through which these scams operate, both heavily reliant on Google ads.

Fraudulent Websites and Malicious Programs

The first method involves the creation of fraudulent websites that pose as official QuickBooks support portals. These sites often display a fake support phone number, misleading users into seeking help from scammers instead of legitimate sources.

The second method is more invasive, requiring victims to download and install a malicious program that triggers popups displaying a fraudulent phone number. Notably, eSentire has reported on a specific fake QuickBooks popup designed to manipulate software functionality, generating false alert messages to alarm users. This ongoing malvertising campaign indicates a troubling trend in which users, upon downloading the malicious software, may encounter popups suggesting that their data is corrupt. This tactic exploits users’ fears, prompting them to seek assistance from the scammers.

Deceptive Google Ads

In a concerning twist, a sponsored advertisement appears at the top of Google search results for “QuickBooks download,” leading to a website that claims to offer the latest version of QuickBooks. This site features the official QuickBooks logo and a “Solution Provider” seal of approval, which adds an air of legitimacy. However, the download is hosted on Dropbox, a detail that might raise suspicions among savvy users.

The installer provided by this site serves a dual purpose: it downloads the legitimate QuickBooks program while simultaneously installing a backdoor program known as “zeform.exe.” This malicious program integrates with QuickBooks and is designed to generate fake error messages that can alarm unsuspecting users. The application responsible for the popups is written in Microsoft .NET and utilizes methods to control the timing and frequency of these popups, making the scam more effective. Furthermore, the text content of the fake instructions is encoded in Base64, a technique intended to evade detection by antivirus software.
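For triage of a suspicious installer or popup binary, Base64-wrapped text like this can be surfaced without running the file. The sketch below is an added example, not code from the original analysis: it finds Base64 runs stored as ASCII or UTF-16LE, decodes them, and flags decoded prose containing a phone number or alarm wording. The indicator patterns, function names and sample bytes are assumptions constructed for illustration.

```python
import base64, binascii, re

# Base64 runs (24+ chars) as ASCII bytes or UTF-16LE (how .NET stores string literals).
B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){24,}(?:=\x00){0,2}")
# Assumed lure heuristics: a North American phone number or alarm wording.
INDICATORS = {"phone": re.compile(r"\+?1?[\s.(-]*\d{3}[\s.)-]*\d{3}[\s.-]*\d{4}"),
              "lure_word": re.compile(r"corrupt|error|support|call", re.I)}

def candidates(blob):
    """Yield (file offset, Base64 string) for every run in either storage form."""
    for rx, enc in ((B64_UTF16, "utf-16-le"), (B64_ASCII, "ascii")):
        for m in rx.finditer(blob):
            yield m.start(), m.group().decode(enc)

def decode_text(b64):
    """Return decoded text if the Base64 run hides mostly-ASCII prose, else None."""
    core = b64.rstrip("=")
    if len(core) % 4 == 1:  # the run swallowed one stray neighbouring character
        core = core[:-1]
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        ascii_like = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
        if text and ascii_like / len(text) > 0.9:
            return text
    return None

def scan(blob):
    """List decoded strings that match at least one lure indicator."""
    hits = []
    for offset, b64 in candidates(blob):
        text = decode_text(b64)
        reasons = [n for n, rx in INDICATORS.items() if text and rx.search(text)]
        if reasons:
            hits.append({"offset": offset, "text": text, "reasons": reasons})
    return hits

# Constructed sample: a lure (fictional 555-01xx number) stored as UTF-16LE Base64,
# followed by a benign Base64 run of binary data that must not be flagged.
LURE = "Error: company file is corrupt. Call support at 1-800-555-0100."
SAMPLE = (b"MZ\x90\x00\xff\xff"
          + base64.b64encode(LURE.encode()).decode().encode("utf-16-le")
          + b"\x00\x00\xff" + base64.b64encode(bytes(range(200, 230))) + b"\xff")

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A hit is a lead for manual review, not a verdict: legitimate software also embeds Base64 resources, and the keyword list needs tuning per environment.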

Security Risks and Recommendations

Reports of these scams have proliferated online, with many users linking their experiences to Google ads. Scammers often request that victims download a program granting remote access to their computers, under the pretense of fixing non-existent issues. This poses significant security risks, as granting remote access can lead to unauthorized control over the victim’s computer. Scammers may also demand payment for services to resolve these fictitious problems and could install additional malware to maintain access or steal sensitive information, such as passwords.

Acknowledgments go to Joe Desimone from Elastic Security for his analysis of the malicious executable and to Squiblydoo for their investigation into the Microsoft certificate used for the fraudulent popup executable. This situation underscores the critical importance of cybersecurity, with experts recommending the use of software like Malwarebytes to protect devices from such threats.
