QuickBooks, developed and marketed by Intuit, is accounting software aimed mainly at small and medium-sized businesses (SMBs). These SMBs use the software to accept business payments, manage and pay bills, run payroll, and handle other finance and accounting functions.
With about 75% market share and approximately 29 million users, QuickBooks has a high adoption rate among SMBs and is a clear leader among other niche business and financial management solutions.
A PRIME TARGET FOR CYBER CRIMINALS
According to new research, cybercriminals have increasingly been targeting SMBs’ QuickBooks application data files over the last few months. Findings by ThreatLocker reveal that attackers are using two forms of phishing attack to gain access to and exploit the accounting software. In the first method, the attackers send a malicious email that contains a PowerShell command. In the second, the cybercriminals attach a document to an email, disguising it as a legitimate document such as an invoice. If the recipient opens the attachment, a macro (an automatically executed series of instructions) or a link embedded in the document downloads an executable file from the internet onto the recipient’s computer. Once the PowerShell command or the executable runs, it immediately looks up the location of the most recently saved QuickBooks file, redirects that location to a file share, and uploads the file to the internet. Most of the time the malware involved is signed, which makes it stealthier and harder to detect with threat detection software.
A DESIGN FLAW PRESENTS A LOOPHOLE
Security is often an afterthought in the design of accounting programs, and QuickBooks is no exception: attackers are gaining access by exploiting a fundamental design flaw. Danny Jenkins, co-founder and CEO of ThreatLocker, noted that when a system administrator runs a repair command on the QuickBooks database, usually after a system crash, the file share permissions are also reset to their defaults, making the database accessible to everyone on the company network. This means hackers can access sensitive databases if they get into the system after a fresh repair.
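As an added defensive check (not from the article or from ThreatLocker), the following PowerShell audit flags SMB shares that hold QuickBooks company files and grant broad principals such as Everyone write-level access, so it can be run after any database repair and compared against a known-good baseline. It assumes a Windows host with the SmbShare module (Windows 8 / Server 2012 or later) and that company files use the .qbw extension; the function name and the list of broad principals are this example’s own choices.

```powershell
# Added example: audit shares containing QuickBooks company files (*.qbw) for
# permissions that expose them to everyone on the network.
# Assumes the SmbShare module; Get-QuickBooksShareExposure is a name chosen here.

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-QuickBooksShareExposure {
    [CmdletBinding()]
    param(
        [string]$FilePattern = '*.qbw'   # QuickBooks company file extension (assumed)
    )

    # Skip administrative shares (C$, ADMIN$, IPC$) and shares without a path
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }) {
        # Only report shares that actually contain company files
        $qbFiles = @(Get-ChildItem -Path $share.Path -Filter $FilePattern -Recurse -File -ErrorAction SilentlyContinue)
        if ($qbFiles.Count -eq 0) { continue }

        # Share-level ACL: Allow entries giving a broad principal Full or Change
        $shareAcl = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $BroadPrincipals -contains $_.AccountName -and
                           $_.AccessRight -in @('Full', 'Change') })

        # NTFS ACL on the share root: broad principals with write/modify/full control
        $ntfsAcl = @((Get-Acl -Path $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $BroadPrincipals -contains $_.IdentityReference.Value -and
                           ($_.FileSystemRights -match 'FullControl|Modify|Write') })

        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            CompanyFiles     = $qbFiles.Count
            BroadShareAccess = ($shareAcl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            BroadNtfsAccess  = ($ntfsAcl | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join ', '
            Exposed          = ($shareAcl.Count -gt 0 -or $ntfsAcl.Count -gt 0)
        }
    }
}

# Run after a QuickBooks database repair; any row with Exposed = True needs its
# share and NTFS permissions restored to the intended, restricted set.
Get-QuickBooksShareExposure | Format-Table -AutoSize
```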
THE NEXT PHASE OF ATTACK
Once the stolen file is uploaded to the internet, these hackers commoditize it by selling it on the dark web, ThreatLocker noted. The data are then used by other hackers to launch more targeted attacks on the clients and business partners of the compromised SMBs. A recent attack observed by the cybersecurity firm Darktrace involved the hackers compromising the email account of a company’s accountant and using it to send a phishing email to the CEO. The email included a voicemail as a lure to persuade the CEO to enter confidential details such as login credentials on a phony webpage. “The fact that these attacks specifically targeted the CEO and only individuals who had access to the company’s research and intellectual property shows that this was a well-planned and meticulously executed attack,” Darktrace said in its report.
REMEDIATION PLAN AND APPROACH
SMBs need to realize they are not too small to catch the attention of lurking cybercriminals. In fact, they can be the stepping stone that lets hackers work their way up to larger corporations that are customers or partners of these SMBs. Small businesses therefore need to carefully set up a fit-for-purpose security architecture, with the right policies and tools in place, to ward off threats from cybercriminals.