I. Targeted Entities

  • Intuit users

II. Introduction

A phishing campaign is underway with cybercriminals impersonating the popular Intuit software during the tax season.

III. Background Information

Intuit is warning customers of a phishing campaign that threatens to restrict users from accessing their accounts unless they click on a malicious link. These attacks are quickly escalating, and attackers are employing stealthier methods in hopes of tricking users into installing malware or giving up personal data.

Intuit has posted a screenshot of a suspicious email that customers have reported receiving, which the company says, “did not come from Intuit”.[1]

The fake email, which appears to be sent from the Intuit Maintenance Team, informs recipients that their account has been “temporarily disabled due to inactivity” and that it is “compulsory” to restore access to the account within 24 hours.[2] The email claims to warn users of a “recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season.” The email directs users to a link (https://proconnect[dot]intuit.com/Pro/Update) and claims that clicking on the link will allow users to immediately regain access to their accounts.[2]

Erich Kron, security professional and awareness advocate at KnowBe4, says that he was not surprised to learn of such an engineered attack on Intuit and expects that more of these attacks will come as we progress through tax season.[2]

Phishers have been vigorously escalating attacks, using more creative ways to trick users into taking the bait and hide their malicious activity. Researchers have reported a flurry of phishing attacks using new tricks and tactics since the end of last year. In just the last week, security researchers have found two novel ways that phishers are targeting victims. In one, Proofpoint researchers saw adversaries using phishing kits that were focused on bypassing multi-factor authentication methods by stealing authentication tokens via man-in-the-middle attacks. The other phishing campaign saw attackers using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings, with the end goal of taking over an end user’s computer. There have also been phishing attacks aimed at stealing credentials using a legitimate Google Drive collaboration feature as well as the “Comments” feature of a Google Doc to trick users into clicking malicious links.[1]

Phishing has been around a long time, and it is a threat vector that will never get old. Only one click is necessary to make a phishing campaign effective for the threat actor. It also remains dangerous because credential stealing from victims is often a gateway attack that provides criminals a way to further engage victims with more attacks, like defrauding people of money or ransomware attacks on corporate networks. It is also difficult for an organization to stop phishing attacks because they rely on human error rather than a compromise of an infrastructure that the organization controls.[1]

Intuit is not providing information about what happens if a user clicks on the link, but the company is warning customers that the link is likely malicious and to refrain from clicking on the link or any attachment sent with the email. If a customer has already clicked on the link, Intuit recommends they delete any resulting downloads immediately, scan their system with an updated antivirus program, and change their passwords.[1]

IV. MITRE ATT&CK

  • T1589 – Gather Victim Identity Information
    Attackers have developed a phishing method where users can be trapped by clicking website links. From those links, users’ private information can be collected
  • T1598 – Phishing for Information
    Users can be trapped into phishing by attackers who use special kits to gather information
  • T1014 – Rootkit
    Attackers have developed multiple kits for phishing purposes. These kits might gain access in user or kernel levels in operating systems, which can give the control of the levels to attackers.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should alsobe educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/1ep8nc69qn02neaurnll3vd2e2xr5ip1

VII. References

(1) Intuit, ed. “Security Notices.” Intuit Security Center, February 2, 2022. https://security.intuit.com/security-notices.

(2) Montalbano, Elizabeth. “Attackers Target Intuit Users by Threatening to Cancel Tax Accounts.” Threatpost English Global, February 4, 2022. https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.