Sponsored by..

Tuesday 7 February 2012

INTUIT / IRS malicious spam and advisor-jobhiring.com

Another malicious spam like this one and this one.

Date:      Tue, 6 Feb 2012 09:10:07 +0100
From:      "INTUIT INC." [software@quickbooks.com]
Subject:      Urgent! Tax information needed!.

Dear Sir/Madam,

In order to guarantee that exact information is being sustained on our systems, and to be able to give you better quality of service; INTUIT INC. has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program.

It appears that your name and/or Social Security Number or Employer Identification Number, that is indicated on your account is not in compliance with the information obtained from the SSA.

In order for INTUIT INC. to update your account, please use the following link.

Regards,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

================

Date:      Tue, 6 Feb 2012 09:09:00 +0100
From:      "INTUIT INC." [software@quickbooks.com]
Subject:      Please verify your tax information ASAP.

Hello,

In our continuing effort to guarantee that correct information is being maintained on our systems, and to be able to give you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or TIN, that we have on your account does not correspond to the data obtained from the IRS.

In order to check and update your account, please enter the site.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

The first click is a 0catch free hosting site which then redirects visitors to advisor-jobhiring.com/main.php?page=817d6901506e5d51 (Wepawet report here) hosted on 216.224.230.219 (Phoenix Internet, US) and 173.212.222.36 (HostNOC, US). Blocking the IPs should prevent any other malicious sites on the same server from causing problems. Alternatively, you could block access to the 0catch domains (list here) as they have been abused by spammers before.

No comments: