Accounting software QuickBooks, by Intuit, is a popular target for India-based scammers, only rivaled for top spot by the classic Microsoft tech support scams.
We’ve seen two main lures, both via Google ads: the first one is simply a website promoting online support for QuickBooks and shows a phone number, while the latter requires victims to download and install a program that will generate a popup, also showing a phone number. In both instances, that number is fraudulent.
The fake QuickBooks popup was previously described in detail by eSentire and reveals how scammers are able to hijack the software functionality by generating bogus alert messages.
We ran into an active malvertising campaign recently, indicating that this scheme is still very much alive and well. In this blog post, we review how QuickBooks users that downloaded the program from a malicious ad will be plagued with a popup generated at certain intervals, instilling fear that their data may be corrupt so that they call for assistance.
Fake QuickBooks download
When searching for ‘quickbooks download‘ on Google, we see a sponsored result appear at the top. This ad promotes a website where users can supposedly download the latest version of QuickBooks.
Here is the website, showing the official logo and even a “Solution Provider” seal of approval:
One thing that may alert users is that the download is hosted on Dropbox:
https://www.dropbox.com/scl/fi/ybket868cp7nx5dhj11cu/QuickBooks_Installer.msi?rlkey=gp1t0siqr2j089vhgysn4nm33&st=4ajnlxze&dl=1
The form (zeform)
This installer serves two purposes: one is to download the real QuickBooks program from Intuit’s website, and the other is to surreptitiously install a sort of backdoor “zeform.exe“. This simple binary was designed to integrate with QuickBooks in such a way that it can generate a fake error message, as seen below:
This type of error may be alarming to people who have spent hours loading data into QuickBooks and aren’t aware that this popup, although appearing to come from QuickBooks itself, is in fact totally made up.
The application that creates it is a program written in Microsoft .NET, which contains two important methods that control when and how the popup appears:
- MonitorAndShowForm(), which calls CalculateNextDisplayDate and is incremented on week days
- CheckTimeWindow() to make sure it is a weekday and within a certain time window
The text content (fake instructions) can also be seen here, encoded in Base64 presumably to avoid detection from antivirus software:
Conclusion
This clever scheme has been going for some time now and every now and again we see some people reporting it online, seemingly always via Google ads.
Scammers will usually ask their victims to download a program to remotely access their computer so that they can take a look at the issue and fix it. This is always dangerous and you should be extremely cautious if you’ve already let someone access your computer.
In addition to demanding to be paid to fix inexistent problems, scammers may also put malware that will give them continued access or even the ability to steal users’ passwords.
Acknowledgments
We would like to thank Joe Desimone from Elastic Security for taking a look at the malicious executable and Squiblydoo for checking on the Microsoft certificate used to sign the fraudulent popup executable.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Indicators of Compromise
bizzgrowthinc[.]com
QuickBooks_Installer.msi
9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52
zeform.exe
0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5