IRS/Quicken spam leads to exploit kits and malware

Filed Under: Featured, Malware, Spam

Blackhole image courtesy of ShutterstockWith tax season upon us in many countries it is that time where scammers try to take advantage of the situation and lead you to tax-related malicious links.

SophosLabs has seen a large number of emails purporting to be from Intuit, the company that makes QuickBooks bookkeeping software.

Sophos anti-spam products have been detecting and blocking these messages for quite some time, but the messages are so convincing that our own customers have been reporting the blocks to us as false-positives!

Spam pretending to be Intuit

The spam reads:

Good afternoon,

With intent to guarantee that accurate information is being maintained on our systems, as well as to improve the quality of service we can provide to you; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

For some reason your name and/or Taxpayer Identification Number, that is specified on your account is different from the information obtained from the IRS.

In order to check and correct the information on your account, please use the following link.

Yours sincerely,

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Intuit have posted a warning to their security center advising customers that this may be a phishing attack, unfortunately it is a lot worse than that.

People who decided to click on the link contained in the email are directed to a web page that contains JavaScript representative of the sites infected with the Blackhole exploit kit.

Blackhole JS redirect

Sophos endpoint customers are protected from Blackhole redirects as Mal/JSRedir-H and if they are running endpoint web filtering they will also be blocked from accessing the URLs by Mal/HTMLGen-A.

Blackhole blocked by Sophos Anti-Virus

Depending on which browser and plugins you may be running the Blackhole exploit kit can exploit the vulnerable ones and deliver a malicious payload, many times fake anti-virus (scareware).

To learn more about the Blackhole exploit kit, download the Sophos Security Threat Report 2012 and listen to this podcast where Paul Ducklin and I discuss the Blackhole exploit kit.

(3 February 2012, duration 14:13 minutes, size 13.7 MBytes)

, , , , , , ,

You might like

2 Responses to IRS/Quicken spam leads to exploit kits and malware

  1. J G · 1335 days ago

    By the way, Quicken and Quickbooks are two different things. :)

  2. Michael Runzler · 1335 days ago

    Thanks for helping spread the word on this phishing scam. Anyone who has received this or other suspicous emails purporting to be from Intuit can forward it to us at and we'll continue to investigate.

    Michael Runzler, Intuit Corporate Communications

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at