Sophos Cloud Optix
With tax season upon us in many countries it is that time where scammers try to take advantage of the situation and lead you to tax-related malicious links.
SophosLabs has seen a large number of emails purporting to be from Intuit, the company that makes QuickBooks bookkeeping software.
Sophos anti-spam products have been detecting and blocking these messages for quite some time, but the messages are so convincing that our own customers have been reporting the blocks to us as false-positives!
The spam reads:
Good afternoon,
With intent to guarantee that accurate information is being maintained on our systems, as well as to improve the quality of service we can provide to you; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.
For some reason your name and/or Taxpayer Identification Number, that is specified on your account is different from the information obtained from the IRS.
In order to check and correct the information on your account, please use the following link.
Yours sincerely,
INTUIT INC.Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043
Intuit have posted a warning to their security center advising customers that this may be a phishing attack, unfortunately it is a lot worse than that.
People who decided to click on the link contained in the email are directed to a web page that contains JavaScript representative of the sites infected with the Blackhole exploit kit.
Sophos endpoint customers are protected from Blackhole redirects as Mal/JSRedir-H and if they are running endpoint web filtering they will also be blocked from accessing the URLs by Mal/HTMLGen-A.
Depending on which browser and plugins you may be running the Blackhole exploit kit can exploit the vulnerable ones and deliver a malicious payload, many times fake anti-virus (scareware).
To learn more about the Blackhole exploit kit, download the Sophos Security Threat Report 2012 and listen to this podcast where Paul Ducklin and I discuss the Blackhole exploit kit.
(3 February 2012, duration 14:13 minutes, size 13.7 MBytes)
By the way, Quicken and Quickbooks are two different things. 🙂
Thanks for helping spread the word on this phishing scam. Anyone who has received this or other suspicous emails purporting to be from Intuit can forward it to us at spoof@intuit.com and we'll continue to investigate.
Michael Runzler, Intuit Corporate Communications