In this attack, the email posed as a billing notification for the purchase of an upgraded QuickBooks license. The message indicated that an automatic payment of $1,277 would be debited from the recipient’s account within 48 hours; however, if they believed the charge was a mistake, they could call a “helpline” to cancel the purchase. The email was sent from a freely available Gmail account.

[Image: QuickBooks fake billing email]

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Detecting this attack requires an understanding of new threats alongside content analysis that picks up the tone of the email and the included phone number. Lookalike content also helps in understanding how this attack relates to other phone-based text attacks, which have seen increased popularity in recent months due to their ability to bypass email gateways.
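The content signals described above (free webmail sender, impersonated brand, payment amount, urgency, and a phone number as the only call to action) can be combined into one check. This is an added example, not code from the original report or from any vendor product; the webmail and brand-domain lists, the regexes, the function names, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative lists; a real deployment would maintain its own.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRAND_DOMAINS = {"quickbooks": {"intuit.com", "quickbooks.com"}}
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URGENCY = re.compile(r"within \d+ hours|automatic payment|will be debited", re.I)
URL = re.compile(r"https?://", re.I)

def extract_signals(raw):
    """Return the set of content signals found in one RFC 5322 message string."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = set()
    if domain in FREE_WEBMAIL:
        found.add("free_webmail_sender")
    for brand, legit in BRAND_DOMAINS.items():
        # Brand named in the text, but the sender is not on a domain the brand uses.
        if brand in text and domain not in legit:
            found.add("brand_mismatch")
    if AMOUNT.search(text):
        found.add("payment_amount")
    if URGENCY.search(text):
        found.add("urgency")
    if PHONE.search(text):
        found.add("phone_number")
    if not URL.search(text) and not any(p.get_filename() for p in parts):
        found.add("no_links_or_attachments")
    return found

def is_callback_phish(raw):
    """Flag a brand-impersonating payment lure that asks the reader to phone in."""
    s = extract_signals(raw)
    return {"brand_mismatch", "phone_number"} <= s and bool(s & {"payment_amount", "urgency"})

# Constructed sample modelled on the email described above (555-01xx is a fictional range).
SAMPLE = (
    "From: Billing Team <billing.dept.example@gmail.com>\n"
    "Subject: QuickBooks license upgrade - payment notification\n\n"
    "An automatic payment of $1,277 will be debited from your account within 48 hours.\n"
    "If you believe this charge is a mistake, call our helpline at +1 (555) 010-0199.\n"
)
```

Because SPF, DKIM, and DMARC all pass for a message like this, the verdict rests entirely on the body and the sender/brand mismatch, which is why the free-webmail and no-links signals are recorded as context rather than required.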

What are the Risks of This Attack?

If the recipient ends up calling the number provided, they would likely be instructed to download malicious software onto their computer. Once the malware is installed, attackers would be able to perform a variety of nefarious actions, including escalating the compromise into a ransomware attack.

Analysis Overview

Vector: Text-based

Goal: Malware Delivery

Tactic: Free Webmail Account

Theme: Fake Payment Receipt

Impersonated Brands: QuickBooks
