Ahe NJCCIC’s email security solution observed a new phishing campaign targeting Intuit login credentials. In this campaign, threat actors send an email impersonating accounting software Intuit QuickBooks. While the spoofed email address may appear to come from Intuit at first glance, the domain used in this campaign is intuit[.]net, which is not an official Intuit domain.

Users are prompted to click the link provided to fix a payment record discrepancy. The threat actors use a URL shortener provided by X (t.co) to obfuscate the link’s destination. If clicked, users are redirected to a phishing page designed to appear as the Intuit login page. If credentials are entered, the information is forwarded to threat actors. This campaign may also collect short message service (SMS) multi-factor authentication (MFA) codes.

Recommendations

• Confirm requests from senders via contact information obtained from verified and official sources.
• Type official website URLs into browsers manually.
• Only submit account credentials on official websites.
• Refrain from clicking links delivered in unverified emails.
• Ensure MFA is enabled for all online accounts.
• Immediately change passwords if entered into malicious websites.