Sponsored by..

Showing posts with label INTUIT. Show all posts
Showing posts with label INTUIT. Show all posts

Monday, 30 November 2015

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 
The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212

mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw


Wednesday, 18 November 2015

Mystery "INTUIT QuickBooks" spam leads to unknown malware

This fake Intuit spam leads to malware:

From:    QuickBooks [qbsupport@services.intuit.com]
Date:    18 November 2015 at 14:34
Subject:    INTUIT QuickBooks                                                                                           
QuIckBooks.

As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The link in the email goes to:

kompuser.com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip

This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe (MD5 563a1f54b9d90965951db0d469ecea6d) which has a VirusTotal detection rate of 2/54. That VirusTotal report and this Hybrid Analysis report show that the malware POSTs data to:

onbrk.in/p7yqpgzemv/index.php

The Malwr report is inconclusive. The payload is unknown, however all of the following domains share the same nameservers and have also been used for malicious activity going back to August.

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The malicious .in domain is hosted on the following IPs:

31.210.116.68 (Veri Merkezi Hizmetleri A.s., Turkey)
188.247.102.215 (DataGroup Dnepr, Ukraine)
89.163.249.75 (myLoc managed IT AG, Germany)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


Recommended blocklist:
31.210.116.68
188.247.102.215
89.163.249.75
95.173.164.212

kompuser.com
onbrk.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

UPDATE:
This entry at MalwareURL links the namesevers to the Nymaim ransomware.

Thursday, 10 September 2015

Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
Date     Thu, 10 Sep 2015 06:32:37 -0500
Subject     Payroll Received by Intuit

Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.

Attached is a copy of your Remittance. Please click on the attachment in order to
view it.

Please note the deadlines and status instructions below:

If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later. 

If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later. 

YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time. 

Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Sincerely,

Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.

If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.

© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

MD5:
4dbdf9e73db481b001774b8b9b522ebe

Friday, 1 August 2014

"Payroll Received by Intuit" spam / Cryptowall

I haven't seen any fake Intuit spam for a while. This one comes with a malicious attachment:

Date:      Fri, 1 Aug 2014 07:59:12 -0600 [09:59:12 EDT]
From:      Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on August 01, 2014 at 09:01 AM EST.

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2014 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
The attachment in this case is called Remittance.zip and it contains a malicious executable Remittance.exe which has a VirusTotal detection rate of 9/53.

According to the evidence of this very detailed ThreatTrack report [pdf], this is a version of Cryptowall. It makes network connections to various sites including the now-familiar 94.23.247.202.

I recommend that you block the following domains and IPs:
94.23.247.202
theothersmag.com
poroshenkogitler.com
kpai7ycr7jxqkilp.onion2web.com


Tuesday, 15 October 2013

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

This fake Intuit spam comes with a malicious attachment:

Date:      Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From:      Intuit Payroll Services IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2013 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files).

That executable currently has a detection rate of 9/46 at VirusTotal. Automated analysis [1] [2] [3] shows that it attempt to make a connection to mtfsl.com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server.

Wednesday, 25 September 2013

Intuit spam / Invoice_3056472.zip

It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possible go wrong? Oh..

Date:      Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From:      Lewis Muller [Lewis.Muller@intuit.com]
Subject:      FW: Invoice 3056472

Your invoice is attached.

Sincerely,
Lewis Muller

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. 
The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48.

Automated analysis [1] [2] [3] [4] shows the usual sort of badness, including a call home to gidleybuilders.com on 78.157.201.219  (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week. Two compromised domains in a week seems a bit more than a coincidence. For information only, the following legitimate domains are also on that same server:

allcool.co.uk
ashmanufacturing.co.uk
ashmanufacturing.com
ashmanufacturing.net
ashmanufacturing.org
awcoomer.com
beingwell.me
bhmlondon.com
bigtinbox.com
buckmastergames.co.uk
buffey.co.uk
colemansfarm.co.uk
connect4commercial.com
connect4recruitment.com
flestates.co.uk
geocom.co.uk
gidleybuilders.com
graysaccountant.com
intoirelandtravel.com
matthewtomich.com
onlinestoregroup.com
paddlers.co.uk
pedalads.co.uk
pedalads.net
photoaweek.com
pickout.co.uk
richardgidley.com
smudgeinc.co.uk
sofmagazine.com
swim24.com
wakeham.co.uk
wakehamgroup.com
wakehamphotographic.com
westside-village.com



Tuesday, 9 April 2013

Intuit spam / juhajuhaa.ru

This fake Intuit spam leads to malware on juhajuhaa.ru:

Date:      Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.

    Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
    amount to be seceded: 4053 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services 

The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa.ru:8080/forum/links/column.php (report here) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jonahgkio.ru
juhajuhaa.ru
jundaio.ru

Tuesday, 26 February 2013

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumvvz.ru
forumligandaz.ru

Thursday, 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:      Thu, 14 Feb 2013 09:05:48 -0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

Monday, 21 January 2013

Intuit spam / danadala.ru

This fake Intuit spam leads to malware on danadala.ru:

Date:      Mon, 21 Jan 2013 04:45:31 -0300
From:      RylieBouthillette@hotmail.com
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.

    Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
    amount to be seceded: 5670 USD
    Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]danadala.ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

The following malicious domains seems to be active at present:
dekamerionka.ru
danadala.ru
dmssmgf.ru
dmpsonthh.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dfudont.ru

Friday, 11 January 2013

"Payroll Account Holded by Intuit" spam / dmeiweilik.ru

This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik.ru:


Date:      Fri, 11 Jan 2013 06:23:41 +0100
From:      LinkedIn Password [password@linkedin.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.

    Finances would be gone away from below account # ending in 0198 on Fri, 11 Jan 2013 06:23:41 +0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

====================



From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
•    Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
•    amount to be seceded: 9567 USD
•    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
•    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik.ru:8080/forum/links/column.php hosted on the same IPs as in this attack:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik.ru
demoralization.ru
dimanakasono.ru
bananamamor.ru
dmeiweilik.ru

Friday, 2 November 2012

Intuit spam / savedordercommunicates.info

This fake Intuit spam leads to malware on savedordercommunicates.info:


Date:      Sat, 3 Nov 2012 02:11:17 +0800
From:      "Intuit Information System" [roughervm73@biolconseils.ch]
Subject:      Notification Only: Transaction Received by Intuit

Direct Deposit Service Message
Communicatory Only

We rejected your payroll on November 1, 2012 at 626 AM Central Time.

    Money would be left from the account No. ending in: XXX1 on November 2, 2012.
    quantum to be left: $7 639.16
    Paychecks would be deferred to your staff' accounts on: November, 2, 2012
    Go to web site by clicking here to Overview Transaction

Funds are typically withdrawn before usual banking hours so please make sure you have sufficient Funds accessible by 12 a.m. on the date Finances are to be gone away.

Intuit must complete your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your customers will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve link.

Thank you for your business.

Regards,
Intuit Payroll Services

An substantial information regarding latest Refused Transactions is waiting for you.

Please DO NOT reply to this message. automative notification system not configured to accept incoming messages..

Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries.

Intuit Inc. Customer Care
87566

San Paolo City, AZ 15203

The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.


Tuesday, 23 October 2012

Intuit spam / montrealhotpropertyguide.com

This fake Intuit spam leads to malware on montrealhotpropertyguide.com:


Date:      Tue, 23 Oct 2012 14:45:14 +0200
From:      "Intuit QuickBooks Customer Service" [35378B458@aubergedesbichonnieres.com]
Subject:      Intuit QuickBooks Order


   
Dear [redacted],



Thank you for placing an order with Intuit QuickBooks!

We have received your payment information and it is currently being processed.
   
   
    ORDER INFORMATION    
       
Order #:    366948851674
Order Date:    Oct 22, 2012

[ View order ]

Qty     Item     Price
1     Intuit QuickBooks Pro Download 2 2012     $183.96***

   
Subtotal:
Sales Tax:
Total for this Order:
   
$183.96
$0.00
$183.96
*Appropriate credit will be applied to your account.



Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.

       
    NEED HELP?    
       

Questions about your order? Please visit Customer Service.

       
       
           
Join Us On Facebook
           
           
           
           
Close More Sales
           

           
           
Save Time
           
           
           
   


Privacy | Legal | Contact Us | About Intuit

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.



If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.



Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.



� 2012 Intuit Inc. or its affiliates. All rights reserved.

The malicious payload is on [donotclick]montrealhotpropertyguide.com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US).

Monday, 15 October 2012

Intuit spam / navisiteseparation.net

This fake Intuit spam leads to malware on navisiteseparation.net:


Date:      Mon, 15 Oct 2012 15:20:13 -0300
From:      "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject:      Welcome - you're accepted for Intuit GoPayment

       
.
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number:     XXXXXXXXXXXXXX55
Email Address:     [redacted]
   
PLEASE NOTE :
    Associated charges for this service may be applied now.
Next step: View or confirm your Access ID



This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll


The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.



Verify Access ID
Get started:



Step 1: If you have not still, download the Intuit software.



Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.



Easy Manage Your Intuit GoPayment Account

The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements     � 2008-2012 Intuit, INC. All rights reserved.


Sample subjects:

  • Congrats - you're accepted for Intuit GoPayment Merchant 
  • Congratulations - you're approved for Intuit Merchant 
  • Congrats - you're approved for GoPayment Merchant 
  • Welcome - you're accepted for Intuit GoPayment 
The malicious payload is at  [donotclick]navisiteseparation.net/detects/processing-details_requested.php  hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can.


Friday, 5 October 2012

"Intuit GoPayment" spam / simplerkwiks.net

This fake "Intuit GoPayment" spam leads to malware on simplerkwiks.net:


Date:      Fri, 5 Oct 2012 15:54:26 +0100
From:      "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject:      Welcome - you're been granted access for Intuit GoPayment Merchant

       
.
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.:     XXXXXXXXXXXXXX16
Email Address:     [redacted]
   
NOTE :
    Additional charges for this service may now apply.
Next step: Confirm your User ID



This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll


The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.



Verify UserID
Get started:



Step 1: If you have not still, download the Intuit application.



Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.



Easy Manage Your GoPayment System

The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements     � 2012 Intuit, Inc. All rights reserved.


The malicious payload is at [donotclick]simplerkwiks.net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy.net
officerscouldexecute.org
simplerkwiks.net
strangernaturallanguage.net
buzziskin.net
art-london.net


Monday, 1 October 2012

Intuit Shipment spam / art-london.net

This terminally confused Intuit / USPS / Amazon-style spam leads to malware at art-london.net:


Date:      Mon, 1 Oct 2012 21:31:57 +0430
From:      "Intuit Customer Service" [battingiy760@clickz.com]
To:      [redacted]
Subject:      Intuit Shipment Confirmation

   

Dear [redacted],

Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.

Thank you for your interest.
   
    ORDER DETAILS    
    Order #: ID859560
Order Date: Sep 25, 2012

Item(s) In Your Order

Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217

Quantity     Item
1     Intuit Card Reader Device - Gray

Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.

Shipment Information:

We sent your item(s) to the next address:

065 S Paolo Ave, App. 5A
S Maria, FL

Email: [redacted]   
       
       
       
    Questions about your order? Please visit Customer Service.

Return Policy and Instructions
   
       
       


Privacy | Legal Disclaimer | Contact Us | About

You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications.



Please note: This email was sent from an automative notification system that not configured to accept incoming mail. Please don't reply to this message.



�2008-2012 Intuit Llc. or its affiliates. All rights reserved.
The malicious payload is at [donotclick]art-london.net/detects/stones-instruction_think.php  hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domains buzziskin.net and  indice-acores.net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless.

Evolution1 spam / 69.194.194.221

I haven't seen this spam before, it leads to malware on 69.194.194.221:


Date:      Mon, 01 Oct 2012 15:44:59 +0200
From:      "INTUIT" [D6531193@familyhealthplans.com]
Subject:      Information regarding Employer Contribution



INTUIT





Attn: Account Holder



You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:



http://intuithealthemployer.lh1ondemand.com



Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.



Intuit Health Debit Card Powered by Evolution1 Employer Services.



This is a system generated email. Please do not respond.



� Copyright, Evolution1, Inc. 2004-2012,

ALL RIGHTS RESERVED

Powered by Lighthouse1TM, a product of Evolution1TM



The malicious payload is on 69.194.194.221 (Solar VPS, US) which is the same IP as found in this attack.

Thursday, 27 September 2012

Intuit spam / buycelluleans.com

This fake Intuit spam leads to malware on buycelluleans.com

From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.


Direct Deposit Service System information
Request status

Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
•    Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
•    Amount to be withdrawn: $1,107.47
•    Paychecks would be transferred to your employees' accounts on: September 28, 2012
•    Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Sincerely,
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516

The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.

Monday, 17 September 2012

Intuit.com spam / kerneloffce.ru

This fake Intuit.com spam attempts to load malware from kerneloffce.ru:


Date:      Mon, 17 Sep 2012 08:54:50 -0600
From:      "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject:      Your Intuit.com software order.
Attachments:     Intuit_Order_A49436.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION

Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.


The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:

moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81

Tuesday, 28 August 2012

"QuickBooks Security Update" spam / roadmateremove.org

This fake Intuit spam leads to malware on roadmateremove.org:


Date:      Tue, 28 Aug 2012 11:04:30 -0400
From:      "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject:      QuickBooks Security Update

You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.

You can update Intuit Security Tool here.

After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.

This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.

You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.

Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.


The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:

roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net

You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.