QuickBooks Security Tool email scam leads to malware
This morning I received a new scam email claiming to come from [email protected], containing the following come-on text:
You will not be able to access your Intuit QuickBooks account without Intuit Security Tool (ISTâ„¢) after 31th of October, 2011.
You can download Intuit Security Tool here...
The camouflaged link had a .nl domain, so I plugged it into Wannabrowser and followed multiple redirects, ending up in Russia.
The first location, a compromised, or exploited server in The Netherlands (within 87.233.0.0/18), contained three links to JavaScript files on three different compromised domains. All three files were named js.js and contained another redirection to a subdomain of a domain named "serveirc.com" - hosted on no-ip.com, which bills itself as: "Dynamic DNS, Static DNS for Your Dynamic IP." The redirect from no-ip.com went to a server in Moscow, Russia, where I have traced much badware in recent weeks. The destination page is either cloaked to me, or devoid of content (possibly from SpamCop reports, such as I filed).
The Russian company hosting these exploits is named "Serverfarm" and owns the domain: MSM.RU. The IP hosting the QuickBooks scam exploit (95.163.89.193) is part of the CIDR: 95.163.0.0/16 - which is already on my Russian Blocklist, for hosting previous exploits.
FYI: the payload page is named: /main.php?page=b0374286c079f294
This scam is no different than its predecessors, the Scan From A Xerox Workstation and Scan From An HP Printer, both of which led to malware exploit kits that infected victim computers with the Zeus Trojan and a botnet installer. Delete such emails on sight.
Note: if you are a QuickBooks (actually intuit.com) customer and receive a questionable email claiming to be from them, hover your mouse over the links without clicking on them, to make sure they all point to intuit.com. This scam had a link on the word "here" which was the only one leading to the exploit site. Look closely at the links in action words. The actual destination will be revealed in your statue bar. If the action link doe not go directly to intuit.com, it is a scam, meant to harm your computer and steal money from your business.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.