North Bay Web
Web Design & Development

Category - General
Posted - 10/01/2020 03:46pm
New Quick Books Intuit Phishing Scam, BEWARE!
So far today I have received four of these, all for different amounts. That alone should tell me something is wrong, but let's take a closer look anyway. Maybe I bought a bunch of things in my sleep.
I have to say that at first glance these look a lot like the invoices QuickBooks generates, so how do I know it's fake?
The first thing I notice is that it's coming from a sender simply named "Invoice", which seems strange. Right-clicking on the sender reveals an address that looks like it could be from QuickBooks, quickbooks@notification.intuit.com, but it still doesn't look quite right.
Looking at that address, I have to wonder why Intuit would need a subdomain (notifications.intuit.com) when notifications@intuit.com would have made more sense. But is that enough to convince me it's fake? Maybe not.
[Screenshot: Screen_Shot_2020_10_01_at_12.51.00_PM_1.png]

So let's look at some other things. There are no misspelled words and the logo looks real, but a logo is easy to grab and copy.
If I look at the "Print or save" button, I see it's not right: why is Print capitalized and save not? They are alternate options, not a sentence, so whoever or whatever wrote it did so grammatically, not graphically. That is simply not consistent with a company as large and corporate as Intuit. They don't make mistakes like that; if they did, you wouldn't trust them.

[Screenshot: Screen_Shot_2020_10_01_at_12.59.46_PM_1.png]

Right-clicking on the button brings up the contextual menu, where I can copy the link.

[Screenshot: Screen_Shot_2020_10_01_at_1.06.19_PM_1.png]

Pasting it into my text editor reveals the link, which certainly doesn't look like Intuit to me:

https://chinaxiantao.cn/accompany.php

The button says "Print or save", but the link target is a PHP script on an unrelated .cn domain, and that target is what the browser will actually load when you click. Who knows, maybe the US changed the trade rules and Intuit can have offices in China now, but just to be safe, let's look at the message headers.

[Screenshot: Screen_Shot_2020_10_01_at_12.15.15_PM_1.png]

In the first part of the headers, the SpamAssassin report, we see several things that should alert us:

query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: intuit.com]
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4999]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 T_REMOTE_IMAGE         Message contains an external image

X-Spam-Bar: ++++

Return-Path: <sallying@mta.notifications.intuit.com>
  • The URIBL (blacklist) lookup for intuit.com was blocked, so that check never actually ran.
  • BAYES_50: the Bayes classifier puts the spam probability at 40 to 60%, in other words undecided.
  • KAM_LAZY_DOMAIN_SECURITY: the sending domain publishes no anti-forgery methods (SPF, DKIM or DMARC), which is not how a company the size of Intuit sends mail.
  • RDNS_NONE: the host that delivered the message has no reverse DNS (PTR) record, the single heaviest-scoring rule here at 2.0.
  • The Return-Path (envelope sender) is sallying@mta.notifications.intuit.com, not the quickbooks@ address shown as the sender.
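The three checks above (compare the envelope sender with the displayed From address, copy every link and look at its real host, read the SpamAssassin rule hits) can be done mechanically. The script below is an added example written for this page, not code from the original post or from Intuit; it runs Python's standard-library email parser over a constructed message modelled on the screenshots. The From, Return-Path and .cn link are the values quoted in the post; the subject, the X-Spam-Status line, the second link, the image URL and the "clean" control message are made up for the example, and the registrable-domain helper is a deliberate approximation.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# SpamAssassin rules from the header dump above and what each means for a sender the size of Intuit.
SUSPICIOUS_SA_RULES = {
    "KAM_LAZY_DOMAIN_SECURITY": "sending domain publishes no SPF, DKIM or DMARC",
    "RDNS_NONE": "delivering host has no reverse DNS (PTR) record",
    "T_REMOTE_IMAGE": "message loads images from an external host",
}

# Constructed sample modelled on the post: From, Return-Path and the .cn link are the values quoted
# there; the subject, X-Spam-Status line, second link and image URL are made up for this example.
PHISH_EMAIL = b"""\
Return-Path: <sallying@mta.notifications.intuit.com>
X-Spam-Status: Yes, score=4.3 required=5.0 tests=BAYES_50,HTML_MESSAGE,KAM_NUMSUBJECT,KAM_LAZY_DOMAIN_SECURITY,RDNS_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED autolearn=no
From: Invoice <quickbooks@notification.intuit.com>
Subject: Invoice 1083
Content-Type: text/html; charset=utf-8

<a href="https://chinaxiantao.cn/accompany.php">Print or save</a>
<a href="https://quickbooks.intuit.com/">Sign in</a>
<img src="https://chinaxiantao.cn/logo.png">
"""

# Constructed control message with nothing wrong, so the checks can be seen staying quiet.
CLEAN_EMAIL = b"""\
Return-Path: <quickbooks@notification.intuit.com>
From: QuickBooks <quickbooks@notification.intuit.com>
Content-Type: text/html; charset=utf-8

<a href="https://quickbooks.intuit.com/invoice/1084">View invoice</a>
"""

class _LinkCollector(HTMLParser):
    """Gather every href/src target in the HTML part (the 'Copy Link' step, automated)."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        self.targets.extend(v for k, v in attrs if k in ("href", "src") and v)

def registrable_domain(host):
    """Crude organisational domain (last two labels): enough to tell intuit.com from
    chinaxiantao.cn, though a real tool would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_of(header_value):
    """Bare addr-spec from a header like 'Invoice <quickbooks@notification.intuit.com>'."""
    return parseaddr(str(header_value or ""))[1].lower()

def spamassassin_tests(msg):
    """Rule names from the X-Spam-Status 'tests=' field; empty if the header is absent."""
    m = re.search(r"tests=([A-Za-z0-9_,]+)", str(msg.get("X-Spam-Status", "")))
    return m.group(1).split(",") if m else []

def analyze(raw_bytes):
    """Run the post's three checks on one raw message and return the evidence found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_addr = address_of(msg.get("From"))
    claimed = registrable_domain(from_addr.rpartition("@")[2])
    findings = []

    # 1. Envelope sender (Return-Path) versus the address the reader sees in From.
    return_path = address_of(msg.get("Return-Path"))
    if return_path and return_path != from_addr:
        findings.append(f"Return-Path {return_path} is not the From address {from_addr}")

    # 2. Every link or image target whose domain is not the one the sender claims.
    foreign = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for target in collector.targets:
            host = urlparse(target).hostname
            if host and registrable_domain(host) != claimed:
                foreign.append(target)
    findings.extend(f"target outside {claimed}: {t}" for t in foreign)

    # 3. SpamAssassin rules that contradict the "this is really Intuit" story.
    rules_hit = [r for r in spamassassin_tests(msg) if r in SUSPICIOUS_SA_RULES]
    findings.extend(f"{r}: {SUSPICIOUS_SA_RULES[r]}" for r in rules_hit)

    # Rule of thumb: a foreign link target is decisive on its own; anything else needs a second oddity.
    verdict = "likely phishing" if foreign or len(findings) >= 2 else "no strong indicators"
    return {"claimed_domain": claimed, "foreign_links": foreign,
            "spam_rules_hit": rules_hit, "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyze(raw)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

On the phishing sample the script flags both chinaxiantao.cn targets while leaving the quickbooks.intuit.com link alone, reports the three SpamAssassin rules, and notes the Return-Path mismatch; the control message produces no findings. The Return-Path check is deliberately not decisive on its own, because legitimate bulk senders often use a different bounce address than the one in From, so it only counts when something else is also wrong.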