QuickBooks Impersonator Uses Look-Alike Domain in Cleverly Designed Credential Vishing Attempt
In this vishing attack, the threat actor incorporates impersonated QuickBooks branding into every element of the email. The sender email is hosted on the look-alike domain “quickbooks-app[.]com”, the sender display name is “QuickBooks,” and the subject line is “Error Notification: QuickBooks Update Failure.” The email content is also designed to mimic legitimate communications from QuickBooks and includes the brand’s colors, logo, and the logos of its partner products. To create a sense of urgency, the message claims that the target has failed to update their QuickBooks account and, as a result, their subscription will be canceled in two days. The email includes a contact number, purportedly for QuickBooks customer service, that the attacker invites the recipient to call for more information. However, if the target calls, they will likely have sensitive information like login credentials or payment information stolen.
Older, legacy email security tools struggle to accurately flag this email as an attack because it uses a look-alike domain, lacks attachments, and comes from an unknown sender. Modern, AI-powered email security solutions analyze the content, domain, and unknown sender status to mark this email correctly as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Look-alike Domain: The attacker uses the "quickbooks-app[.]com" domain, which resembles the legitimate QuickBooks domain. This can easily bypass legacy security tools that only check for exact domain matches.
- Lack of Attachments: Legacy security tools often rely on scanning attachments for known malware signatures. This email contains no attachments, allowing it to bypass such checks.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Analysis: Abnormal analyzes the language used in the email and identifies signs of a phishing attempt, including the threat of account termination and the request to call a number for more information.
- Domain Analysis: Abnormal recognizes that the "quickbooks-app[.]com" domain is not the legitimate QuickBooks domain despite its close resemblance.
- Unknown Sender Analysis: Abnormal analyzes the sender's behavior, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.