Attackers Target Intuit Users by Threatening to Cancel Tax Accounts

The usual tax-season barrage of cybercriminal activity is already underway with a phishing campaign impersonating the popular accounting and tax-filing software.

Just in time for tax season, Intuit is warning customers of a phishing campaign that threatens to close user accounts if they don’t click on a malicious link.

The attacks on the accounting-software specialist, which many people use for filing U.S. income tax forms, come as phishers overall are ramping up more creative and stealthy ways to trick users into installing malware or giving up personal data.

Intuit posted a screenshot from a suspicious email customers reported receiving, which the company insists “did not come from Intuit,” according to a media statement posted Thursday.

“The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” according to the statement.

The faux email, purporting to come from the Intuit Maintenance Team, informs the recipient that his or her account has been “temporarily disabled” “due to inactivity” and that it’s “compulsory” to restore access to the account within 24 hours.

“This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season,” according to the email.

The email directs users to a link, https://proconnect[dot]intuit.com/Pro/Update, claiming it will immediately restore access to their accounts.

Intuit: Resist the Bait

Though Intuit does not provide information on what happens if users click on the link, the company is warning customers that it is likely malicious and that they should not click on it or on any attachment associated with the email.

If a customer has already followed the email’s instructions and clicked on the link, Intuit recommends that they delete any resulting downloads immediately, scan their system using an up-to-date antivirus program, and change their passwords.

One security professional said he was not surprised to learn of such an engineered attack on Intuit and expects that more will come as we get deeper into tax season.

“This is not an unusual way for cybercriminals to use to trick people into logging into their accounts on a fake website, allowing them to steal the user’s credentials,” observed Erich Kron, security awareness advocate at security awareness and training firm KnowBe4. “These kind of attacks are certain to ramp up during tax season, as we are seeing now.”

Phishing Attacks Get Smarter

Indeed, phishers have been escalating attacks with vigor lately, using more creative ways both to trick users into taking the bait and to hide their activity. Researchers have reported a flurry of phishing attacks using new tricks and tactics since the end of last year.

Just this week alone, security researchers have discovered two novel ways phishers are targeting victims. In one, Proofpoint researchers observed adversaries procuring and then using phishing kits that are focused on bypassing multi-factor authentication (MFA) methods, by stealing authentication tokens via man-in-the-middle (MiTM) attacks.

In the other phishing campaign revealed this week, attackers used an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings, with the goal of ultimately taking over an end user’s computer.

Other recent phishing attacks aimed at stealing credentials found scammers using a legitimate Google Drive collaboration feature and leveraging the “Comments” feature of Google Docs, respectively, to trick users into clicking on malicious links.

While phishing has been around almost as long as people have been sending emails, it’s a threat vector that will never get old, noted one security professional.

“Phishing continues to be a popular means of attack because it continues to work,” Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, wrote in an email to Threatpost. “It only takes one user to click in order for the phishing campaign to be effective for the attacker.”

It also remains dangerous because credential-stealing from victims is often a gateway attack that provides cybercriminals a way to engage in further and more disruptive attacks, such as defrauding people of money in financial accounts or ransomware attacks on corporate networks.

Moreover, it remains difficult for an organization to prevent phishing attacks from succeeding because they merely require human error rather than any compromise of infrastructure that the organization controls, Erlin added.

“While we try to address phishing with technological solutions, the problem remains a primarily human one,” he said.
