Cyberattacks have found their way into the accounting industry and have created a need for cybersecurity for accountants. New research shows that attackers are targeting accountants to gain access to their clients' financials. Increasing cybersecurity is necessary to protect sensitive data, including customers' personal information, email addresses, passwords and social security numbers.
Besides choosing their accounting targets, cyber attackers also pick the best moment to strike. For example, threat actors target accountants when they are the busiest: managing end-of-the-year tasks and filing tax returns. Since March 2020, there has been a 300% uptick in strikes against accounting practices, making a strong case for strengthening cybersecurity for accountants and for the computer applications and networks they use to manage client data and confidential data. The Gootloader campaign is one example of the possible dangers that target accounting firms and enterprises, specifically their devices and systems.
Gootloader, a kind of stealthy initial access malware that can infect the victim’s systems with ransomware or other lethal malware, was first discovered in 2020. It had been bugging the employees of accounting firms for the past few weeks before launching a broadside on a slew of reputable firms on January 6. Through email phishing campaigns, Gootloader can infect any device, from mobile phones and tablets to computers and servers. Because it can self-propagate (meaning that it replicates itself without user intervention), Gootloader’s victims don’t even know this ransomware strain has hit them.
Gootloader delivers malware to the systems of potential targets through several methods, which may include fake updates and trojanized applications. Its JavaScript code is compressed and heavily obfuscated, which lets it bypass most security controls.
Gootloader also enters a system through poisoned search results, a.k.a. SEO poisoning. SEO poisoning happens when attackers set up malicious websites and perform search engine optimization to rank them in the top 10 search results. Whenever a business professional or an employee of an accounting firm uses a search engine to find sample business agreements, contracts, proposal documents, etc., the malicious sites appearing at the top of the results page trick them into clicking on malicious content masquerading as informative links. The moment they click the download button, Gootloader infiltrates their system and wreaks havoc.
The typical aim of a Gootloader infection is for ransomware or Cobalt Strike to be downloaded onto the target's system. Malware like Gootloader has quickly become the go-to method for cybercriminals to access a victim's system and launch a direct attack. It is undoubtedly one of the most popular tools in a cybercriminal's toolbox.
Gootloader hackers are clever; they lure their targets to compromised websites with plenty of business-specific content (for instance, free samples of documents). These compromised websites actively use WordPress as their CMS and even represent businesses in the hospitality, education, healthcare, and retail sectors. Such a diversified and broad range of content helps attackers populate the web and increases the probability of infecting systems. Cybersecurity experts suggest it is imperative to check the credibility of a website before browsing or downloading content from it.
According to the latest reports, hackers have created over 100,000 corrupted web pages across several websites from a gamut of sectors. They even hacked a 150-page website offering postnuptial or intellectual property agreements.
The design of Gootloader shows its goal is intelligence gathering. Besides being good at intel gathering, it also effectively delivers malicious and corrupted payloads like Cobalt Strike. Each activity of Gootloader draws power from social engineering, SEO poisoning, and payload design. The tactic of luring professionals to corrupt websites by offering free business agreement templates is highly effective, especially for accounting employees or business owners, as they often need to create business documents.
Protect your organization from cyberattacks by ensuring employee awareness and vigilance around cybersecurity. Recommend using only trusted sites, and make that part of your cyber hygiene and protocols. Also, train your employees to check the content before downloading it from a website. Cyberattacks are imminent, and cybersecurity for accountants is a must.
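The "check the content" step can be partly automated for the lure described above, a free business document sample that turns out to be JavaScript. The following is an added example, not code from Packetlabs or from the original article; the ZIP container, the extension list, the verdict labels and all function names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions Windows runs as script rather than opens as a document.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Lure vocabulary taken from the article's examples of searched-for documents.
LURE_TERMS = ("agreement", "contract", "proposal", "template", "sample")


def script_members(data: bytes) -> list[str]:
    """Return names of script files inside a ZIP; [] if data is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if PurePosixPath(n.lower()).suffix in SCRIPT_EXTS]


def triage_download(filename: str, data: bytes) -> dict:
    """Flag a download named like a business document that carries script."""
    name = filename.lower()
    lure = any(term in name for term in LURE_TERMS)
    scripts = script_members(data)
    if PurePosixPath(name).suffix in SCRIPT_EXTS:
        scripts.append(filename)  # the download itself is a script file
    # Document-style name plus script content is the mismatch worth blocking.
    verdict = "block" if scripts and lure else "review" if scripts else "allow"
    return {"file": filename, "lure_name": lure,
            "scripts": scripts, "verdict": verdict}


def _zip_of(members: dict) -> bytes:
    """Build a constructed, harmless ZIP in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()


# Constructed sample downloads; contents are placeholders, not real malware.
SAMPLES = [
    ("postnuptial_agreement_sample.zip",
     _zip_of({"postnuptial agreement sample.js": "// placeholder"})),
    ("proposal_template.zip", _zip_of({"proposal.docx": "placeholder"})),
    ("site_assets.zip", _zip_of({"static/app.js": "// placeholder"})),
]

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        print(triage_download(fname, blob))
```

A check like this only catches the name-versus-content mismatch; it does not inspect or deobfuscate the script itself.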
For an in-depth understanding of Gootloader or to ensure your accounting system's infrastructure and applications are secure, get in touch with Packetlabs’ cybersecurity experts.