Category - General
Posted - 10/01/2020 03:46pm
New Quick Books Intuit Phishing Scam, BEWARE!
So far today I have received 4 of these, all for different amounts, that alone should clue me in that something is wrong, but let's take a closer look anyway. Maybe I bought a bunch of things in my sleep.
I have to say, at first glance, these look a lot like the invoices that Quickbooks generates, so how do I know it's fake.
The first thing that I notice is that it's coming from an email address simply titled "Invoice", that seems strange to me. If I right click on the address it reveals an address that looks like it could be coming from quickbooks, but it still doesn't look quite right as the invoice is coming from email@example.com.
Looking at that email address I have to wonder why Intuit would have needed to use a subdomain (notifications.intuit.com) when firstname.lastname@example.org would have made more sense, but hey, is that enough to convince me it's fake? Maybe not.
So let's look at some other things. No misspelled words and Logo looks real, but that's easy to snag and copy.
If I look at the "Print or save" button, I see it's not right, why is Print capitalized and save is not, they are alternate options not a sentence, so whoever or whatever wrote it, did so grammatically, not graphically. This is simply not consistent with a company as large and corporate as Intuit. They don't make mistakes, not like that, if they did, you wouldn't trust them.
Right clicking on the button reveals the contextual drop down menu where I can Copy the Link.
and pasting it into my Text editor reveals the link, which certainly doesn't look like Intuit to me.
Who knows, maybe the US changed the Trade rules and Intuit can have offices in China now, but just to be safe, let's look at the message headers.
In the first part of the header we see all kinds of things that should alert us:
query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: intuit.com] 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4999] 0.0 HTML_MESSAGE BODY: HTML included in message 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods 2.0 RDNS_NONE Delivered to internal network by a host with no rDNS 0.0 T_REMOTE_IMAGE Message contains an external image
- The URIBL (black list) query was blocked
- The probable spam score is 40 - 60%
- It's coming from KAM_LAZY_DOMAIN_SECURITY, which certainly isn't Intuit.
- The sending domain has no anti-forgery-methods
- There is no Return DNS information from the server