Monday, 15 October 2012

Intuit spam / navisiteseparation.net

This fake Intuit spam leads to malware on navisiteseparation.net:

Date:      Mon, 15 Oct 2012 15:20:13 -0300
From:      "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject:      Welcome - you're accepted for Intuit GoPayment

GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
Account Number:     XXXXXXXXXXXXXX55
Email Address:     [redacted]
    Associated charges for this service may be applied now.
Next step: View or confirm your Access ID

This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll

The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.

Verify Access ID
Get started:

Step 1: If you have not still, download the Intuit software.

Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.

Easy Manage Your Intuit GoPayment Account

The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements     © 2008-2012 Intuit, INC. All rights reserved.

Sample subjects:

  • Congrats - you're accepted for Intuit GoPayment Merchant 
  • Congratulations - you're approved for Intuit Merchant 
  • Congrats - you're approved for GoPayment Merchant 
  • Welcome - you're accepted for Intuit GoPayment 

The malicious payload is at [donotclick]navisiteseparation.net/detects/processing-details_requested.php hosted on (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can.
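
A mail-filter check built from the traits of the sample above, added here as an example and not part of the original post: it generalises the four sample subjects into one pattern, flags an Intuit display name on a non-Intuit sender domain, and catches the unfilled `{LET:` template placeholder. Assumptions: genuine Intuit mail comes from intuit.com or a subdomain, the function and constant names are hypothetical, and both test messages are constructed (the spam one from the headers quoted above).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# One pattern covering the four sample subjects (and their other combinations).
SUBJECT_RE = re.compile(
    r"^(?:Congrats|Congratulations|Welcome) - you['\u2019]re (?:accepted|approved) for "
    r"(?:Intuit GoPayment Merchant|Intuit GoPayment|Intuit Merchant|GoPayment Merchant)\s*$",
    re.IGNORECASE,
)
# Assumption: legitimate Intuit mail is sent from intuit.com or a subdomain.
LEGIT_SENDER_RE = re.compile(r"(?:^|\.)intuit\.com$", re.IGNORECASE)
# Unfilled spam-template placeholder, as in "This is {LET:User ID lets you:".
TEMPLATE_LEAK_RE = re.compile(r"\{[A-Z]{2,}:")


def score_message(raw):
    """Return the names of the indicators that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject_template")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if "intuit" in display.lower() and not LEGIT_SENDER_RE.search(domain):
        hits.append("brand_sender_mismatch")
    body = msg.get_payload()
    # Multipart messages return a list here; only plain string bodies are scanned.
    if isinstance(body, str) and TEMPLATE_LEAK_RE.search(body):
        hits.append("template_leak")
    return hits


# Constructed from the headers and body quoted in this post.
SPAM = (
    'From: "Intuit GoPayment" <crouppywo4@deltamar.net>\n'
    "Subject: Welcome - you're accepted for Intuit GoPayment\n"
    "\n"
    "This is {LET:User ID lets you:\n"
    "Review your payment service in the Merchant Center\n"
)
# Constructed benign message; the sender address is hypothetical.
LEGIT = (
    'From: "Intuit GoPayment" <noreply@notifications.intuit.com>\n'
    "Subject: Your GoPayment statement is ready\n"
    "\n"
    "Sign in to the Merchant Center to view your statement.\n"
)

if __name__ == "__main__":
    print(score_message(SPAM), score_message(LEGIT))
```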
