Cybercriminals Target QuickBooks Databases

Stolen financial files then get sold on the Dark Web, researchers say.

Cybercriminals have increasingly targeted QuickBooks file data at small and midsize businesses (SMBs) over the past few months, according to new research.

The breaches start with two types of phishing attacks to gain access to QuickBooks databases, according to findings by ThreatLocker. In the first, the attackers send a PowerShell command that runs inside the malicious email. In the second, the attackers send a Word document via email; if the recipient opens the attached document, a macro or link within that document downloads a file onto their machine. Once the executable or PowerShell command runs, it retrieves the victim's most recently saved QuickBooks file location, points to the file share or local file, and grabs that file.

Danny Jenkins, co-founder and CEO of ThreatLocker, says the attackers usually upload the stolen files to either Google Cloud or Amazon Web Services as a temporary transfer point. From there, they sell the data on the Dark Web, where other cybercriminals buy the data to launch more targeted attacks on other QuickBooks databases or on the customers and suppliers of the victim organizations.

"They will attack every angle possible," Jenkins adds. "Cybercriminals can easily buy these QuickBooks databases on the Dark Web and launch attacks."
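For defenders, the chain described above (a mail or Office application launching PowerShell or an executable, which reads a QuickBooks file and then connects to cloud storage) can be hunted in endpoint telemetry. The sketch below is an added example, not ThreatLocker's tooling; the event tuple layout, the QuickBooks process names and the cloud host suffixes are assumptions, and the events are constructed.

```python
# Added example: correlation over constructed endpoint telemetry (not from ThreatLocker).
OFFICE = {"outlook.exe", "winword.exe"}           # mail client and document host
QB_APPS = {"qbw32.exe", "qbw.exe"}                # assumption: QuickBooks Desktop binaries
QB_EXTS = (".qbw", ".qbb")                        # company file and backup
CLOUD = (".amazonaws.com", "storage.googleapis.com")  # assumed transfer endpoints

# Constructed events, time-ordered: (type, pid, ppid, image, detail)
# detail = parent image for "proc", path for "read", host for "net"
EVENTS = [
    ("proc", 200, 100, "WINWORD.EXE", "OUTLOOK.EXE"),
    ("proc", 300, 200, "powershell.exe", "WINWORD.EXE"),
    ("read", 300, 200, "powershell.exe", r"\\fs01\acct\Books2024.QBW"),
    ("net",  300, 200, "powershell.exe", "drop-bucket.s3.amazonaws.com"),
    ("proc", 400, 1,   "QBW32.EXE", "explorer.exe"),        # normal QuickBooks use
    ("read", 400, 1,   "QBW32.EXE", r"C:\QB\Books2024.QBW"),
    ("proc", 500, 1,   "powershell.exe", "explorer.exe"),   # admin backup script
    ("read", 500, 1,   "powershell.exe", r"C:\QB\Books2024.QBW"),
    ("net",  500, 1,   "powershell.exe", "backup.s3.amazonaws.com"),
    ("proc", 600, 200, "powershell.exe", "WINWORD.EXE"),    # no QuickBooks read
    ("net",  600, 200, "powershell.exe", "storage.googleapis.com"),
]

def find_qb_theft_chains(events):
    """Flag processes descended from a mail/Office app that read a QuickBooks
    file and afterwards connect to cloud storage."""
    tainted = {}   # pid -> path of QuickBooks file read (None until a read is seen)
    alerts = []
    for kind, pid, ppid, image, detail in events:
        image, detail = image.lower(), detail.lower()
        if kind == "proc":
            # Taint follows ancestry so a downloaded executable is covered too.
            if detail in OFFICE or ppid in tainted:
                tainted[pid] = None
        elif pid not in tainted or image in QB_APPS:
            continue
        elif kind == "read" and detail.endswith(QB_EXTS):
            tainted[pid] = detail
        elif kind == "net" and tainted[pid] and detail.endswith(CLOUD):
            alerts.append({"pid": pid, "image": image,
                           "file": tainted[pid], "host": detail})
            tainted[pid] = None   # one alert per read/upload pair
    return alerts

if __name__ == "__main__":
    for alert in find_qb_theft_chains(EVENTS):
        print(alert)
```

Only PID 300 is flagged: the QuickBooks application itself, the backup script started outside Office, and the Office child that never touches a company file are all left alone.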

Meantime, some 43% of organizations of all sizes say they've been victims of a spear-phishing attack in the past 12 months, according to data from Barracuda Networks, and only 23% say they have dedicated spear-phishing protection in place.

"Most of the emails are invoices and resumes," ThreatLocker's Jenkins explains of the lures. "We don't have exact numbers, but we do know that ..