Spam Campaign Targets QuickBooks Users
Written by Malcolm James on October 9, 2012
Spam campaigns based on tax-related issues are nothing new. In fact, there’s a long tradition (relative to the lifespan of the Internet) of phishing and malware campaigns that focus on tax time, just when people are freaking out over getting their documents together, bemoaning complex forms that couldn’t be deciphered by a mathematician, and wondering when the pain will end. Capitalizing on people’s fears, it would seem, is good business for spammers.
Worry not. You haven’t gone to sleep and woken up six months later, only to find you have ‘til midnight tonight to file your return. It’s still the fall. Tax season is over for the moment. Unfortunately, that doesn’t mean the Internet is a safe place to traverse until spring rolls around. Spammers and scam artists need to eat, too, and if they have their way, it will be a Merry Christmas indeed for them and not so much for users of the ever-popular QuickBooks accounting software.
Intuit’s software, used for tax preparation, accounting, billing and financial management, is quite popular with businesses in the U.S. and Canada, and users of the software are prime targets for malicious spam attacks. So it’s not surprising that GFI Labs is reporting that there’s a new email campaign targeting users of QuickBooks.
The campaign, which comes in the form of a phishing email that looks more polished than your average phishing attack, promises free shipping to customers who order tax form kits for their accounting software. To make the message more compelling and believable, it uses a ‘special offer code’ and advises users to act quickly, because the offer will expire on December 14.
The email message also contains several links, all of which deliver their payload when clicked. Clicking a link results in the message “Connecting to Server…” for a few moments before redirecting the poor bugger who clicked it to a website whose IP address, GFI reports, “has been / is still associated with Blackhole Exploit Kit and Java exploits.”
Needless to say, the clicker has now been silently infected with whatever exploits lurk on the link.
This isn’t the first QuickBooks scam that we’ve seen. As stated earlier, users of financial software are prime targets for spammers, and phishing campaigns can be quite lucrative for scam artists when they snare a target. Intuit has even posted tips on its website to help users recognize the warning signs of malicious unsolicited emails, but alas, people who go out and find that link have probably already tumbled down the rabbit hole. Whether the campaign offers incentives, such as the free shipping offered in this most recent exploit, or whether it scares users into action, the end result can be disastrous.
What makes this recent phishing attack scary is how it passes the first glance test. Normally, formatting issues, poor language, and ‘just plain fake’ cues will tip off even the most uninformed users. This one, however, leads with large, friendly lettering offering ease of use and free shipping, a little technical information that suggests legitimacy (IRS-Approved 2012 W-2 and 1099 Tax Forms), formatting that, even though it lacks a logo for Intuit or QuickBooks, looks professional and clean, and language that appears professional and free of the bad grammar and typos you’d normally expect from a spammer.
The email doesn’t go out of its way to offer promises of untold wealth to its targets, either, instead pushing what seems like a pretty basic and reasonable incentive. Like a signature on a masterpiece painting, it even provides a small disclaimer at the bottom: “*Free W-3s not available with W-2 Blank Perforated Paper kit orders,” giving it that last little brushstroke of legitimacy and perhaps putting to rest any concerns that a recipient of this email might have.
Time to Remind Your Users
No matter how legitimate this beast looks, Christopher Boyd at GFI Labs has the correct advice:
“it’s a bad time to be randomly opening dubious emails from complete strangers.”
And that’s the point you need to pass on to your users. Humans, by nature, are visual creatures, and although they’ve been trained to spot the fakes – the crap emails that we’re normally accustomed to receiving – it may not occur to them that something that looks legit could also be a fake.
Remind users that anything that finds its way to their inboxes could be a security risk. Just because you’ve opened your front door on a hot day to let the cool breeze in, it doesn’t mean you’re inviting strangers to walk right in.