Sponsored by..

Tuesday, 28 August 2012

"QuickBooks Security Update" spam / roadmateremove.org

This fake Intuit spam leads to malware on roadmateremove.org:


Date:      Tue, 28 Aug 2012 11:04:30 -0400
From:      "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject:      QuickBooks Security Update

You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.

You can update Intuit Security Tool here.

After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.

This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.

You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.

Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.


The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:

roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net

You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.

No comments: