Landshark Information Technology

Remote Desktop Used to File Fraudulent Tax returns from a CPA through Lacerte

This post will be dedicated to a targeted attack that our firm recently dealt with. We were asked to take a look at a Certified Public Accountant who knew that they were hacked after they discovered that some of their clients had seemly already filed returns when they went to file them. 

We discovered that the attacker had gotten a hold of their remote desktop login information through their home laptop. As they did not want to boot up the laptop at all, we do not know the exact vector of attack there, though we can speculate considering the timing that a targeted Ad or email with a malware payload are by far the most likely vectors.

Once they had their information, the criminals proceeded to log in at times ranging from 12 AM to 5 AM. We know it was not the accountants as we see in their Remote Desktop logs a wide range of IPs from Ireland to Georgia were used. From there the criminals used Lacerte Tax prep software - from Intuit, the makers of QuickBooks and other popular accounting software - to file dozens of fraudulent tax returns on behalf of the CPA's clients'.

The insidiousness of this attack demonstrates a key weakness in working from home. Though Remote Desktop was used in this case, considering the method of interception, it would not have mattered what manner of remote access was in use as the login information would have been compromised by the key-logger/whatever was installed on the home laptop.

It is also highly unfortunate that their first call with Lacerte/Intuit did not get flagged right away as possible fraud, they were told that it should be all right, and maybe they made some changes they don't remember. They could have prevented the follow up fraud had they started looking into it immediately.

This all together demonstrates the weakness of any kind of passive security. Though good security on the home computer might have caught this, there is no guarantee that the software was simply not too new to get caught. And on the work computer, there was never any malware at all, as it was accessed using legitimate credentials. (Though it was possible to prevent this particular method of access by limiting the firewall to only allow login from the home IP address). 

In this case it was possible to prevent with passive security if all of the settings had been there, but adjust the parameters just slightly, and nothing at all would have helped. Only having someone regularly take a look for suspicious activity would really stop something like this.

It is also worrying about the targeted nature of this attack. Considering the timing, someone out there set out with the specific goal of finding a CPA that they could get to so as to exploit in this manner. These criminals were clearly after access to Lacerte in the first place. Anyone with remote access during tax season should audit their logs to be sure that nothing similar was going on.

Sign up for our newsletter!