Sponsored by..

Thursday 1 March 2012

"Your intuit.com order confirmation" spam / curchamp.com (

This fake "Intuit order" spam leads to malware. Apparently it was sent from Careerbuilder (which is kind of odd). Also note the "spoofing" warning near the bottom!

From: INTUIT INC. [mailto:noreply@careerbuilder.com]
Sent: 01 March 2012 14:30
Subject: Your intuit.com order confirmation.

  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered multiple items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.


Please download your complete order
id #443475245229 information at Intuit small business website.


•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.

©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The link goes through two legitimate hacked sites and ends up on curchamp.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on (Linode, US). This attempts to use a variety of exploits to take over the user's PC.

Blocking the IP rather than the domain will also stop any other malicious domains on the same server.

1 comment:

CBSiteSecurity said...

Thank you for helping spread a word of caution about these types of messages! Based on the information listed within your original post, we have determined that this is a phishing email that should be disregarded and deleted. This did not originate from CareerBuilder.

Please do not click any of the links within the email or download any attachments.

For more information about Online Fraud, we do offer a Fraud Page for Jobseekers:


Thank you.

CareerBuilder’s Trust and Site Security Team