Intuit users, beware!

Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://www.transplantexperience.in/inproldet.html; hxxp://www.skullisland.ca/inproldet.html; hxxp://pozycjonowanie.profi-group.pl/inproldet.html; hxxp://www.luxense.eu/inproldet.html; hxxp://media.ted.fr/sites/inproldet.html; hxxp://tacmap.jp/sites/inproldet.html; hxxp://spiler.hu/inproldet.html; hxxp://archaeology.tau.ac.il/inproldet.html; hxxp://www.tecfedericotaylor.edu.gt/inproldet.html; hxxp://www.viaherworld.com/inproldet.html

Client-side exploits serving URL: hxxp://savedordercommunicates.info/detects/bank_thinking.php; hxxp://savedordercommunicates.info/detects/bank_thinking.php?eony=3833043409&ujmp=36&akemejo=03370b370a33070b0207&lwv=0a000300040002

Upon loading, the malicious URL attempts to drop a PDF on the affected host that exploits CVE-2010-0188. Once the exploit succeeds, it drops additional malware.

Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 – detected by 14 out of 44 antivirus scanners as Trojan.Win32.Bublik.qqf

Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32@naplesnews.net
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak.com
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90, AS209

We’ve already seen the same name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.

Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich.org
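The two defensive steps this write-up walks through, checking web traffic for the campaign's redirector and landing-page patterns and pivoting from the exploit domain to other domains on the same IP or name servers, as an added example (not code from the Webroot post). The proxy log lines and the DNS records for the non-campaign domains are constructed for illustration; only the indicators quoted above come from the post.

```python
import re
from collections import defaultdict

# Indicators from the write-up above (the post defangs them as hxxp://).
LANDING_PATH = "/inproldet.html"              # identical redirect page on each compromised site
EXPLOIT_HOST = "savedordercommunicates.info"  # Black Hole landing page host
EXPLOIT_PAGE = re.compile(r"/detects/bank_thinking\.php")
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?")

# Constructed proxy log lines (timestamps and client IPs are made up).
SAMPLE_PROXY_LOG = [
    "2012-08-01 10:01:02 10.0.0.12 GET http://www.skullisland.ca/inproldet.html 200",
    "2012-08-01 10:01:03 10.0.0.12 GET http://savedordercommunicates.info/detects/bank_thinking.php?eony=3833043409&ujmp=36 200",
    "2012-08-01 10:05:44 10.0.0.31 GET http://www.example.com/index.html 200",
]

# Constructed DNS records: (domain, A record, name servers). The first two IPs are from
# the post; the name servers of teamscapabilitieswhich.org and the .test domain are assumed.
SAMPLE_DNS = [
    ("savedordercommunicates.info", "75.127.15.39", ["NS1.CHELSEAFUN.NET", "NS2.CHELSEAFUN.NET"]),
    ("teamscapabilitieswhich.org", "75.127.15.39", ["NS1.CHELSEAFUN.NET", "NS2.CHELSEAFUN.NET"]),
    ("constructed-other-campaign.test", "192.0.2.10", ["ns1.chelseafun.net"]),
    ("benign.example", "198.51.100.5", ["ns1.benign.example"]),
]

def scan_proxy_log(lines):
    """Return (reason, host+path) for each log line touching campaign infrastructure."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        if host == EXPLOIT_HOST or EXPLOIT_PAGE.search(path):
            hits.append(("exploit-kit landing page", host + path))
        elif path == LANDING_PATH:
            hits.append(("compromised redirector page", host + path))
    return hits

def pivot_shared_infra(dns_records, seed):
    """Sorted domains sharing an A record or a name server with the seed domain."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    for domain, a_record, name_servers in dns_records:
        by_ip[a_record].add(domain)
        for ns in name_servers:
            by_ns[ns.lower()].add(domain)
    related = set()
    for group in list(by_ip.values()) + list(by_ns.values()):
        if seed in group:           # every domain co-hosted with the seed is related
            related |= group
    related.discard(seed)
    return sorted(related)
```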

This isn’t the first time that we’ve intercepted Intuit-themed malicious campaigns. Consider going through previous analyses profiling malicious campaigns impersonating the company:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
