BEWARE: Intuit Phishing Attack

UGNN SAFENETTINGBe warned – there are a number of fraudulent email campaigns circulating that pretend to be from Intuit. They are phishing attempts, and so far, at least two have attempted to download software to our computer. We have received a series of these in our honey-pots, all similar, and all seem to be coming from the same cybercrime cartel in China through mail gateways in Manila, Honduras, and Lithuania.

These criminals are so sophisticated, they utilize a separate and remote service for each phase of the crime. Sent through an open proxy* or hijacked email account, linking to a redirect page on a compromised server in another country, resolving to another compromised server in yet another country. However, we cannot know for sure where the money is going until an actual purchase is made.

Intuit Phishing

This is what the criminal email might look like on your computer If you receive email like this, take a look at who is named in the email, and HOVER your cursor over the link to see where it goes. One example here goes to Malabon City, Manila, PH, and the other to a server in Kaunas, LT Lithuania. We cannot be sure who the criminals are — According to the registrar GoDaddy, the domain belongs to Reyes, Niche of The Pep Team in Tegucigalpa, Fco. Morazan 11101 Honduras. However we suspect this is forged because the hosting server 31.170.163.183 is actually in Lithuania, yet is owned by a U.S. company ENOM – Namecheap.com.

Here’s where it begins to STINK. A number of the spams take you to domains owned by OnlineNIC, Inc. in Alameda, Ca, USA., registered by a Chinese company 35 Technology Co., Ltd. China. Their registrar of record is Beijing Innovative Linkage Technology Ltd. — BOTH listed as rogue entities by Knujon*

BEWARE: This same criminal cartel is running spam phishing attempts to different sites, using different emails, with subject lines, similar to these: “Your QuickBooks software order,” “Your Intuit.com order,” “Your Intuit.com order status,” “Your Intuit.com order confirmation,” “Your Intuit.com invoice,” “Please confirm your Intuit.com invoice.”

If you suspect you have received a phishing email from Intuit, please forward it immediately to spoof@intuit.com. Yesterday, Intuit posted their own security alert on this, as they do all reported attacks:

Fake Email: Intuit order confirmations
Fake Email: Intuit order confirmations security.intuit.com


Follow the InfoManager’s previous Safenetting Alerts

DO NOT CLICKThanks for reading…

Fred Showker

You can also keep up with the efforts to curb spam and cybercrime by reading the news at
GO Knujon and
GO HostExploit.com. And, you should
GO switch to SpamCop and take a stand against spam.