Spam Campaign Targets QuickBooks Users

Spam campaigns based on tax-related issues are nothing new. In fact, there’s a long tradition (relative to the lifespan of the Internet) of phishing and malware campaigns that focus on tax time, just when people are freaking out over getting their documents together, bemoaning complex forms that couldn’t be deciphered by a mathematician, and wondering when the pain will end. Capitalizing on people’s fears, it would seem, is good business for spammers.

Worry not. You haven’t gone to sleep and woken up six months later, only to find you have ‘til midnight tonight to file your return. It’s still the fall. Tax season is over for the moment. Unfortunately, that doesn’t mean the Internet is a safe place to traverse until spring rolls around. Spammers and scam artists need to eat, too, and if they have their way, it will be a Merry Christmas indeed for them and not so much for users of the ever-popular QuickBooks accounting software.

Intuit’s software, used for tax preparation, accounting, billing and financial management, is quite popular with businesses in the U.S. and Canada, and users of the software are prime targets for malicious spam attacks. So it’s not surprising that GFI Labs is reporting that there’s a new email campaign targeting users of QuickBooks.

The campaign, which comes in the form of a phishing email that looks more polished than your average phishing attack, promises free shipping to customers who order tax form kits for their accounting software. To make the message more compelling and believable, the message uses a ‘special offer code’ and advises users to act quickly, because the offer will expire on December 14.

The email message also contains several links, all of which deliver their payload when clicked. Clicking a link results in the message “Connecting to Server…” for a few moments before redirecting the poor bugger who clicked it to a website whose IP address, GFI reports, “has been / is still associated with Blackhole Exploit Kit and Java exploits.”

Needless to say, the clicker has now been silently infected with whatever exploits lurk behind the link.

This isn’t the first QuickBooks scam that we’ve seen. As stated earlier, users of financial software are prime targets for spammers, and phishing campaigns can be quite lucrative for scam artists when they snare a target. Intuit has even posted tips on its website to help users recognize the warning signs of malicious unsolicited emails, but alas, people who go out and find that link have probably already tumbled down the rabbit hole. Whether the campaign offers incentives, such as the free shipping offered in this most recent campaign, or whether it scares users into action, the end result can be disastrous.

Scary Real

What makes this recent phishing attack scary is how it passes the first glance test. Normally, formatting issues, poor language, and ‘just plain fake’ cues will tip off even the most uninformed users. This one, however, leads with large, friendly lettering offering ease of use and free shipping, a little technical information that suggests legitimacy (IRS-Approved 2012 W-2 and 1099 Tax Forms), formatting that, even though it lacks a logo for Intuit or QuickBooks, looks professional and clean, and language that appears professional and free of the bad grammar and typos you’d normally expect from a spammer.

The email doesn’t go out of its way to offer promises of untold wealth to its targets, either, instead pushing what seems like a pretty basic and reasonable incentive. As if a signature on a masterpiece painting, it even provides a small disclaimer at the bottom: “*Free W-3s not available with W-2 Blank Perforated Paper kit orders,” giving it that last little brushstroke of legitimacy and perhaps putting to rest any concerns that a recipient of this email might have.

Time to Remind Your Users

No matter how legitimate this beast looks, Christopher Boyd at GFI Labs has the correct advice:

“it’s a bad time to be randomly opening dubious emails from complete strangers.”

And that’s the point you need to pass on to your users. Humans, by nature, are visual creatures, and although they’ve been trained to spot the fakes – the crap emails that we’re normally accustomed to receiving – it may not occur to them that something that looks legit could also be a fake.

Remind users that anything that finds its way to their inboxes could be a security risk. Just because you’ve opened your front door on a hot day to let the cool breeze in, it doesn’t mean you’re inviting strangers to walk right in.

Written by Malcolm James


  1. Davinci · October 9, 2012

    Haha! I just finished reading that blog post about Twitter. A few days ago, I came across the article about Amazon. Then this one. I really can’t help but comment. It looks like there’s no letting up! It seems they’re all of a sudden coming up with a very aggressive campaign. Is this going to be in exchange for the gradual decrease of spam? It wouldn’t be long before all the websites and apps we loved have already been hijacked by these scammers. The more that we wouldn’t feel safe browsing online. I really hope the authorities can also dig deeper into this issue.

  2. Lisa S. · October 10, 2012

    Their timing surprises me a bit – this type of scam is more suitable for the end of the financial year, or maybe now they are targeting budget preparation time or something? The worst is that it looks so real, nothing like the Nigerian princes and other such stuff.

  3. Rob Dawson · October 12, 2012

    I definitely agree with Davinci. It is scaring the shit out of me right now since I am not working with a professional bookkeeper but relying on these tools to help me out. A lot of my friends are using the software too. So if this gets messed up by spam or any kind of hijacking, just imagine what kind of problem it can give us, especially when it comes to our finances. But I’m also wondering if someone has decided to bring this matter up to QuickBooks. I haven’t received any formal announcement from them—or did I just miss it?
