IRS/Quicken spam leads to exploit kits and malware

With tax season upon us in many countries, it is that time of year when scammers try to take advantage of the situation and lure you to tax-related malicious links.

SophosLabs has seen a large number of emails purporting to be from Intuit, the company that makes QuickBooks bookkeeping software.

Sophos anti-spam products have been detecting and blocking these messages for quite some time, but the messages are so convincing that our own customers have been reporting the blocks to us as false-positives!

Spam pretending to be Intuit

The spam reads:

Good afternoon,

With intent to guarantee that accurate information is being maintained on our systems, as well as to improve the quality of service we can provide to you; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

For some reason your name and/or Taxpayer Identification Number, that is specified on your account is different from the information obtained from the IRS.

In order to check and correct the information on your account, please use the following link.

Yours sincerely,

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Intuit have posted a warning to their security center advising customers that this may be a phishing attack. Unfortunately, it is a lot worse than that.

People who click on the link contained in the email are directed to a web page containing JavaScript typical of sites infected with the Blackhole exploit kit.

Blackhole JS redirect

Sophos endpoint customers are protected from Blackhole redirects, which are detected as Mal/JSRedir-H, and if they are running endpoint web filtering they will also be blocked from accessing the URLs, detected as Mal/HTMLGen-A.

Blackhole blocked by Sophos Anti-Virus

Depending on which browser and plugins you are running, the Blackhole exploit kit attempts to exploit any vulnerable ones and deliver a malicious payload, very often fake anti-virus (scareware).

To learn more about the Blackhole exploit kit, download the Sophos Security Threat Report 2012 and listen to this podcast where Paul Ducklin and I discuss the Blackhole exploit kit.

(3 February 2012, duration 14:13 minutes, size 13.7 MBytes)