BEWARE: Intuit Phishing Attack

UGNN SAFENETTING: Be warned – there are a number of fraudulent email campaigns circulating that pretend to be from Intuit. They are phishing attempts, and so far, at least two have attempted to download software to our computer. We have received a series of these in our honey-pots, all similar, and all seem to be coming from the same cybercrime cartel in China through mail gateways in Manila, Honduras, and Lithuania.

These criminals are so sophisticated that they use a separate, remote service for each phase of the crime. The email is sent through an open proxy* or hijacked email account and links to a redirect page on a compromised server in another country, which in turn resolves to another compromised server in yet another country. However, we cannot know for sure where the money is going until an actual purchase is made.

Intuit Phishing

This is what the criminal email might look like on your computer. If you receive email like this, take a look at who is named in the email, and HOVER your cursor over the link to see where it goes. One example here goes to Malabon City, Manila, PH, and the other to a server in Kaunas, Lithuania (LT). We cannot be sure who the criminals are. According to the registrar GoDaddy, the domain belongs to Reyes, Niche of The Pep Team in Tegucigalpa, Fco. Morazan 11101 Honduras. However, we suspect this is forged because the hosting server is actually in Lithuania, yet is owned by a U.S. company ENOM –

Here’s where it begins to STINK. A number of the spams take you to domains owned by OnlineNIC, Inc. in Alameda, CA, USA, registered by a Chinese company, 35 Technology Co., Ltd., China. Their registrar of record is Beijing Innovative Linkage Technology Ltd. BOTH are listed as rogue entities by Knujon*

BEWARE: This same criminal cartel is running spam phishing attempts to different sites, using different emails, with subject lines similar to these: “Your QuickBooks software order,” “Your order,” “Your order status,” “Your order confirmation,” “Your invoice,” “Please confirm your invoice.”

If you suspect you have received a phishing email from Intuit, please forward it immediately to Yesterday, Intuit posted their own security alert on this, as they do all reported attacks:

Fake Email: Intuit order confirmations

Follow the InfoManager’s previous Safenetting Alerts

DO NOT CLICK

Thanks for reading…

Fred Showker

You can also keep up with the efforts to curb spam and cybercrime by reading the news at Knujon and
And, you should switch to SpamCop and take a stand against spam.