QuickBooks Popup Scam Continues to Deploy Backdoors Through Google Ads

• Google advertisements impersonating accounting software QuickBooks are still displayed, tricking users into calling a fake phone number.
• The genuine QuickBooks software comes bundled with a hidden installation of a backdoor program.
• Frequently, the Alphabet Inc.-owned service backs its decisions not to take down fraudulent ads with the idea the scammers’ ads respect the rules.

A persistent threat has again emerged, targeting users of the accounting software QuickBooks through Google Ads, marking a continued campaign by India-based fraudsters. The ads promote fake phone numbers and ultimately install backdoors on user systems, according to the latest Malwarebytes security report.

Two primary methods have been identified, both leveraging Google Ads. The first involves a fraudulent website that offers supposed online support for QuickBooks, displaying a fake contact number. 

The second method is more invasive, directing victims to download and install a program that generates a deceptive popup message that again shows a false phone number. 

Previously described in detail by eSentire, these popups exploit the QuickBooks interface, masquerading as legitimate alerts to deceive users into contacting the provided number.

The scam utilizes a malvertising campaign via Google search results, where 'quickbooks download' prompts a malicious sponsored ad to appear at the top. The linked website appears legitimate, featuring the QuickBooks logo and a misleading "Solution Provider" seal. 

Notably, the download is hosted on Dropbox, which should be a red flag for discerning users.

Upon downloading from this site, the victim's system receives two installations. The first is the genuine QuickBooks software, while the second, hidden installation is a backdoor program named 'zeform.exe.' 

This binary is engineered to integrate seamlessly with QuickBooks, triggering fake error messages that mimic authentic software alerts.

This application is written in Microsoft .NET and utilizes methods to control the timing and appearance of these popups. The deceptive messages are encoded in Base64, a technique likely intended to evade detection by antivirus programs.

This ongoing scam campaign threatens QuickBooks users by instigating unwarranted alarms through bogus error messages. Users believing these errors are authentic may unwittingly contact fraudsters for assistance. 

Often, victims are instructed to download remote access software, allowing scammers unauthorized entry to their systems. This poses further risks, including potential malware installation and theft of personal information, such as passwords.

The Google Ads search results are getting out of hand lately as the number of malicious websites bypassing safeguards increases. Recently, a new malvertising campaign impersonating eBay’s customer service redirected to counterfeit websites containing scam phone numbers.