QuickBooks and Stripe TOAD Attacks

Threat actors continue to exploit trusted financial software through impersonation, phishing emails, and fraudulent invoices or transactions. They can sign up for free accounts for legitimate software and target potential victims from within those services, utilizing email addresses from domains not flagged by typical security tools. They can also combine voice and email phishing techniques in telephone-oriented attack delivery (TOAD) attacks, relying on their targets to call actor-controlled phone numbers directly. The threat actors impersonate the trusted service and trick the targets into disclosing sensitive information over the phone, such as login credentials or financial information. TOAD attacks can result in credential theft, financial fraud, unauthorized access, malware installation, and ransomware.
The NJCCIC’s email security solution identified a TOAD attack impersonating Intuit QuickBooks and Stripe by Commerce Sync. The message appears to have been created on legitimate Stripe infrastructure to evade detection. It contains a PDF attachment purporting to be a legitimate Intuit QuickBooks invoice for an upcoming subscription renewal, and the threat actors use QuickBooks and Stripe branding in both the message and the attachment. On closer inspection, however, the message is suspicious: the QuickBooks name is written with a space in the subject line, the sender’s display name, the email content, and the attachment, and the invoice is addressed and billed to a generic “user.” The link to pay the invoice does not lead to a verified Stripe domain; it instead shows a page stating that the invoice is not found, pushing the target to call actor-controlled phone numbers such as 888-375-7282, 888-652-2384, 888-514-8354, and others. The message and attachment also direct targets with questions or needing assistance to email sales at non-Intuit addresses on the “quicksbook[.]com” and “quick-books[.]com” domains rather than official Intuit domains.
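The tells described above (brand name written with a space, contact addresses on lookalike domains, a payment link that does not land on Stripe, the listed callback numbers, and a generic “user” recipient) can be checked mechanically in a mail gateway or triage script. The Python script below is an added example written for this page; it is not NJCCIC tooling or any vendor’s detection logic. The allowlists of official Intuit and Stripe domains, the two sample messages, and the placeholder payment link (pay.example.net) are assumptions constructed for the example; the phone numbers and lookalike domains are the ones named in the alert.

```python
import re
from urllib.parse import urlparse

# Allowlists are an assumption of this example, not an authoritative list of
# every domain Intuit or Stripe legitimately sends from.
OFFICIAL_INTUIT_DOMAINS = {"intuit.com"}
OFFICIAL_STRIPE_DOMAINS = {"stripe.com"}

# Phone numbers the alert names as actor-controlled, stored as bare digits.
KNOWN_TOAD_NUMBERS = {"8883757282", "8886522384", "8885148354"}

SPACED_BRAND = re.compile(r"\bquick\s+books\b", re.IGNORECASE)  # "Quick Books" instead of "QuickBooks"
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the domains in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_message(msg):
    """Return {indicator_name: [evidence, ...]} for the indicators the alert describes."""
    found = {}
    body = msg.get("body", "")
    visible_text = " ".join(msg.get(k, "") for k in ("display_name", "subject", "body"))

    # 1. Brand name written with a space in the display name, subject, or body.
    hits = SPACED_BRAND.findall(visible_text)
    if hits:
        found["brand_name_with_space"] = sorted({h.lower() for h in hits})

    # 2. Reply-To and in-body contact addresses on domains that are neither Intuit nor Stripe.
    contact_text = msg.get("reply_to", "") + " " + body
    allowed = OFFICIAL_INTUIT_DOMAINS | OFFICIAL_STRIPE_DOMAINS
    bad_domains = {registered_domain(d) for d in EMAIL_RE.findall(contact_text)
                   if registered_domain(d) not in allowed}
    if bad_domains:
        found["contact_email_not_intuit"] = sorted(bad_domains)

    # 3. Payment links whose host is not under a verified Stripe domain.
    bad_links = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in OFFICIAL_STRIPE_DOMAINS:
            bad_links.append(url)
    if bad_links:
        found["payment_link_not_stripe"] = bad_links

    # 4. Callback numbers matching the actor-controlled numbers from the alert.
    numbers = {"".join(m) for m in PHONE_RE.findall(body)}
    toad = sorted(numbers & KNOWN_TOAD_NUMBERS)
    if toad:
        found["known_toad_number"] = toad

    # 5. Invoice addressed to a generic placeholder rather than a named customer.
    if msg.get("billed_to", "").strip().lower() in {"", "user"}:
        found["generic_recipient"] = [msg.get("billed_to", "")]

    return found


# Constructed sample resembling the lure described in the alert (not a real capture).
PHISH_SAMPLE = {
    "display_name": "Quick Books",
    "from": "invoices@stripe.com",
    "reply_to": "sales@quicksbook.com",
    "subject": "Quick Books Invoice - Subscription Renewal",
    "body": ("Hello user, your Quick Books subscription renews in 7 days. "
             "Pay your invoice: https://pay.example.net/invoice/abc. "
             "Questions? Email billing@quick-books.com or call 888-375-7282."),
    "billed_to": "user",
}

# Constructed sample of a benign-looking notice for comparison.
LEGIT_SAMPLE = {
    "display_name": "Intuit QuickBooks",
    "from": "no-reply@intuit.com",
    "reply_to": "",
    "subject": "Your QuickBooks invoice",
    "body": ("Your QuickBooks invoice is ready. View and pay: "
             "https://invoice.stripe.com/i/acct_x/test_y. "
             "Questions? Contact support@intuit.com."),
    "billed_to": "Jane Doe",
}

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze_message(sample))
```

Any single indicator can occur in legitimate mail (a customer-named invoice can still be hosted off Stripe, and a typo can put a space in a brand name), so treat the output as triage evidence to weigh together rather than a block verdict on its own; the combination of a non-Stripe payment link, lookalike contact domains, and a known callback number is what makes the sample above clearly malicious.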
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders. Confirm requests with the sender using contact information obtained from verified and official sources. Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking links in messages, and refrain from entering login credentials, personal details, or financial information on websites reached via links delivered in messages. Safeguard accounts, credentials, and other sensitive information. Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS-based codes. Keep systems up to date and apply patches after appropriate testing. Report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the Federal Trade Commission (FTC), or the credit reporting bureaus. Report phishing emails and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.