IRS/Quicken spam leads to exploit kits and malware


With tax season upon us in many countries, it is the time when scammers try to take advantage of the situation and lead you to tax-related malicious links.

SophosLabs has seen a large number of emails purporting to be from Intuit, the company that makes QuickBooks bookkeeping software.

Sophos anti-spam products have been detecting and blocking these messages for quite some time, but the messages are so convincing that our own customers have been reporting the blocks to us as false-positives!

Spam pretending to be Intuit

The spam reads:

Good afternoon,

With intent to guarantee that accurate information is being maintained on our systems, as well as to improve the quality of service we can provide to you; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

For some reason your name and/or Taxpayer Identification Number, that is specified on your account is different from the information obtained from the IRS.

In order to check and correct the information on your account, please use the following link.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Intuit have posted a warning to their security center advising customers that this may be a phishing attack. Unfortunately, it is a lot worse than that.

People who click on the link in the email are directed to a web page containing JavaScript typical of sites infected with the Blackhole exploit kit.

Blackhole JS redirect

Sophos endpoint customers are protected from Blackhole redirects, which are detected as Mal/JSRedir-H. If they are running endpoint web filtering, they will also be blocked from accessing the URLs, which are detected as Mal/HTMLGen-A.

Blackhole blocked by Sophos Anti-Virus

Depending on which browser and plugins you are running, the Blackhole exploit kit can exploit the vulnerable ones and deliver a malicious payload, many times fake anti-virus (scareware).

To learn more about the Blackhole exploit kit, download the Sophos Security Threat Report 2012 and listen to this podcast where Paul Ducklin and I discuss the Blackhole exploit kit.



(3 February 2012, duration 14:13 minutes, size 13.7 MBytes)


2 Responses to IRS/Quicken spam leads to exploit kits and malware

  1. J G says:

    By the way, Quicken and Quickbooks are two different things. :)

  2. Michael Runzler says:

    Thanks for helping spread the word on this phishing scam. Anyone who has received this or other suspicious emails purporting to be from Intuit can forward it to us at spoof@intuit.com and we'll continue to investigate.

    Michael Runzler, Intuit Corporate Communications


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski or send him an email at chesterw@sophos.com.