A Dispatch


January 26, 2012

Phony (and Inept) Intuit Email (Updated)

I love it when crooks make simple mistakes that cost them. Look at the following email message claiming to come from Intuit (the accounting and tax return software company):

From: INTUIT INC.
Subject: Your tax information needs verification.

Dear Account Holder,

In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:

<a href="http://{int_link}">click here</a>

The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.
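A mail filter can treat a leftover template token in a link as a signal on its own, since a literal `{` has no place in a real URL. The following is an added example, not code from the original post: the sample message is constructed from the subject and link markup quoted above, and the sender address, the second link and the function name `unfilled_links` are assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: subject and anchor markup as quoted in the post,
# sender address and the second (ordinary) link are made up.
SAMPLE = """\
From: "INTUIT INC." <sender@example.invalid>
Subject: Your tax information needs verification.
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>In order to check and update your account, please
<a href="http://{int_link}">click here</a>.</p>
<p><a href="http://example.com/help">Help</a></p>
</body></html>
"""

# An unexpanded {name} token, the form seen in the message source.
PLACEHOLDER = re.compile(r"\{\w+\}")

class _Hrefs(HTMLParser):
    """Collects the href value of every <a> tag fed to it."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def unfilled_links(raw_message):
    """Return each <a href> in the HTML parts that still holds a template token."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)  # bytes, transfer-encoding undone
        charset = part.get_content_charset() or "utf-8"
        parser = _Hrefs()
        parser.feed(body.decode(charset, errors="replace"))
        hits += [h for h in parser.hrefs if PLACEHOLDER.search(h)]
    return hits

if __name__ == "__main__":
    print(unfilled_links(SAMPLE))
```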

Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."

Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:

  • We need your tax information ASAP.
  • Your tax information needs verification.
  • Urgent update of tax information is requested.
  • Verify the correctness of your tax information.
  • Tax Information needed urgently.
  • Please update your tax information promptly.
  • Verify your information for INTUIT INC..

Message bodies also vary a little, but the basic intention is the same.

Somewhere around mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.

Posted on January 26, 2012 at 11:59 AM