Summary:
The article discusses a prevalent scam targeting QuickBooks users, delivered primarily through fraudulent Google ads that lead to malicious downloads. The scammers use fake popups to alarm users, prompting them to seek help through fraudulent support channels. The article describes the methods these scammers use and warns users about the dangers of granting remote access to their computers.
Key points:
QuickBooks is a popular target for scammers, particularly in India.
Scammers use Google ads to promote fake QuickBooks support websites.
Victims are tricked into downloading a program that generates fake error messages.
The fake QuickBooks popup is designed to alarm users into calling fraudulent support numbers.
The malicious installer downloads the real QuickBooks program while also installing a backdoor program called zeform.exe.
zeform.exe generates fake error messages to mislead users.
Scammers may ask for remote access to victims’ computers, posing significant risks.
Indicators of compromise (IoCs) include a malicious domain and file hashes.
MITRE Techniques:
Malware (T1203): Utilizes malicious software to compromise user systems and generate fake alerts.
Phishing (T1566): Employs deceptive ads to lure victims into downloading malicious software.
Remote Access Tools (T1219): Scammers use remote access to control victims’ computers after gaining their trust.
IoC:
[domain] bizzgrowthinc[.]com
[file name] QuickBooks_Installer.msi
[file hash] 9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52
[file name] zeform.exe
[file hash] 0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5
Full Research: https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads