Bogus funds withdrawal mails claiming to be from financial software company Intuit seek to steal users’ identity, infecting them with malware.
The Intuit spam wave began a few days ago with most e-mails coming from a fake support address of the software provider, subjects containing the words “payroll processing” in one form or another, and various bogus senders.
“Dear XXXX@.net, we obtained your payroll on July 16, 2012 at 5:43AM Pacific Time,” one bogus Intuit e-mail reads. “Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012. Amount to be withdrawn: $5,582.22. Paychecks will be transferred to your employees’ accounts on: July 17, 2012.”
Though e-mails contained no attachment, some variants lead users to malware when clicking the download link. Replying to the spoofed e-mail address also gets users in trouble, giving their personal information directly to phishers.
Tired of looking so grammatically-challenged in their attempt to avoid detection, Intuit scammers opted for blurring words and messing with spacing.
“Funds aretypicallywithdrawn before normalbanking hours so please make sure youhave sufficient fundsavailable by 12 a.m. on the date fundsare to be withdrawn.Intuitmustobtain your payroll by 5p.m.,” spam messages read.
To improve their chance of success, e-mails contain a notice at the end to scare unwary users. Adding words such as “critical”, and keeping some parts of genuine notifications to add the flavor of legitimacy to the spam.
Intuit scammers brazenly ask users to report phishing attempts on the official spoof address of the company: “If you need additional information please contact us. If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to [sic] immediately to email@example.com.”
As if it wasn’t confusing enough, a bunch of fake Intuit e-mails seem to come from social network LinkedIn. This isn’t the first time cyber-crooks take advantage of the company’s increased popularity. Last month, soon after a security breach that exposed 6.5 million hashed passwords, Bitdefender Labs spotted a Trojan sneaking into LinkedIn spam attachments.
“People are receiving emails with the title”, “You have received a new payment,” Intuit representatives said in a warning about the fake payroll messages. “This phishing is using a few different emails. Do not click on the link in the email. Send a copy of the email to firstname.lastname@example.org. Do not forward the email to anyone else. Delete the email.” The company also advised users to subscribe to anti-virus software and keep it up-to-date.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
This article is based on the technical information provided courtesy of Ionut Raileanu, Bitdefender Spam Analyst.