As if it wasn’t bad enough that hackers are scamming QuickBooks users right in the heart of tax season, Intuit’s cure may be worse than the original scam: This week Intuit issued an alert to QuickBooks users warning of a “fake e-mail,” but then sent users to a site that itself is infected with malware.
According to Intuit's alert, “People are receiving an e-mail entitled (sic) ‘Tax Information Needed within 30 days.’ There are other similar versions also being sent to people.”
The e-mail itself is well-crafted and could easily mislead users, mainly small-business owners, into responding. Here is what the fake e-mail says:
(Intuit Logo here)
In our continuing effort to guarantee that correct information is being sustained on our systems, and to be able to grant you better quality of service; INTUIT INC. has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program.
We have found out, that your name and/or Employer Identification Number, that we have on your account is different from the information provided by the SSA.
In order to review the information on your account, please enter the site.
2632 Marine Way
Mountain View, CA 94043
All well and good, but now we come to the part where the cure may be worse than the disease: As reported by the InfoSecurity web site, the spoof site to which users are directed is in itself a site infected with the BlackHole exploit toolkit.
An exploit is a tool or script used by hackers to attack a computer system by exploiting either weaknesses in a software application or a weakness in the network.
According to InfoSecurity, the BlackHole exploit toolkit looks for a previous exploit that has not been fixed or patched and inserts its own code and, like a heat-seeking missile, looks for banking information -- which, on a computer system with QuickBooks in residence, shouldn't be too hard for the program to find.
InfoSecurity reports the BlackHole toolkit was selling in 2010 for $1,500 for a one-year license or $200 for a one-week license. However, last year some sites were giving it away.
It is estimated that QuickBooks has well over 3 million users and counts among its clients more than 80 percent of all small businesses using software-accounting programs. Obviously, that is an extremely attractive target for criminals.
But why would anyone give away software like the BlackHole exploit toolkit?
I think part of the problem is many people still have some misguided, romantic notion that these criminals are different -- "Robin Hoods," perhaps -- than the kind of thief who robs people at gunpoint. They are not. They are one and the same. The only difference is cybercriminals can be more dangerous.