Email Virus Alert: Intuit "Quickbooks Update" Links to Malicious Zip File

Watch out for email claiming to be from Intuit / QuickBooks with a link to a zip file. The subject lines vary, but most or all of the messages mention "updating the browsers we support". Campaigns like this are very difficult to block completely at first. Although a few got through our filters, we were fully blocking this dangerous campaign within about 5 minutes.

About this Scam

Here's what one of these emails looks like:

Email claiming to be from Intuit has a link to a dangerous zip file

In many cases, our proprietary filters and database of spam profiles are ready to block tomorrow's spam today. Although a few of these emails got through, we began fully blocking the campaign globally within about 5 minutes.

Spammy IPs and Blacklisting

This campaign came from a variety of servers. Some of the IPs were already on our blacklist. Others weren't, but we didn't add all of them to the blacklist. That's because we don't automatically block email from a server just because it has sent spam.

Many antispam providers use aggressive blacklisting and encourage the use of Real-time Blackhole Lists (RBLs, also called DNS blocklists) to try to improve upon their downstream heuristics. However, that can greatly increase false positives from campaigns like this, which may be coming from servers that are only temporarily or unintentionally abused (a compromised web host or an open relay). Those servers can remain on RBLs and manually-configured IP blacklists for a long time after being disinfected, which can happen in a matter of hours or days. Then, legitimate email sent from them will be blocked.

We take a different approach. Because our other spam filters are so accurate, we don't need to rely as heavily on IP blacklisting. We only blacklist servers that we know are owned by spammers and will never send legitimate email. As a result, our blacklist produces almost no false positives.

Many Subject Lines

This type of campaign can be difficult to block completely right away. For one, the template generating the emails uses a variety of phrases in the subject line, such as:

  • INTUIT Browsers Update
  • Intuit QuickBooks Online: Browser Update
  • INTUIT QuickBooks Security Warning
  • INTUIT Security Warning
  • INTUIT QB: attention
  • INTUIT Important Notification

Watch out for email with the same or similar subject lines. Our threat analysts have blocked this campaign, in part, by creating several filters that pick up on not only the variations, but also what is common among the emails. That requires some fairly involved regular expressions, but doing so completely blocks what that template is generating.
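To make the "match what is common" idea concrete, here is an added example written for this article (it is not one of SpamStopsHere's actual filters). Rather than listing each observed subject verbatim, one expression anchors on the brand name at the start of the subject, an optional product name, and the small set of alarm phrases the template draws from. The campaign subjects are the ones listed above; the legitimate subjects are constructed here to check for false positives.

```python
import re

# Subject lines quoted in this article, copied verbatim.
CAMPAIGN_SUBJECTS = [
    "INTUIT Browsers Update",
    "Intuit QuickBooks Online: Browser Update",
    "INTUIT QuickBooks Security Warning",
    "INTUIT Security Warning",
    "INTUIT QB: attention",
    "INTUIT Important Notification",
]

# Constructed, plausible legitimate subjects used only as a false-positive check.
LEGIT_SUBJECTS = [
    "Your Intuit invoice for March",
    "Re: browser update rollout plan",
    "QuickBooks Online: Payment received",
]

# One pattern per observed variation would be brittle. Instead, anchor on what
# the template keeps constant: the brand leading the subject, an optional
# product name or abbreviation, an optional colon, then one alarm phrase.
SUBJECT_RE = re.compile(
    r"""^\s*intuit                  # brand always leads the subject
        (?:\s+(?:quickbooks|qb)     # optional product name or abbreviation
           (?:\s+online)?)?
        \s*:?\s*                    # optional colon separator
        (?:browsers?\s+update       # alarm phrase variations seen so far
          |security\s+warning
          |attention
          |important\s+notification)
        \s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def matches_campaign(subject: str) -> bool:
    """True when the subject fits the campaign template."""
    return SUBJECT_RE.search(subject) is not None


def classify(subjects):
    """Map each subject to whether it matches, for batch review."""
    return {s: matches_campaign(s) for s in subjects}


if __name__ == "__main__":
    for subject, hit in classify(CAMPAIGN_SUBJECTS + LEGIT_SUBJECTS).items():
        print(f"{'BLOCK' if hit else 'pass '}  {subject}")
```

Note the caveat: a genuine "Intuit Security Warning" notice would match this pattern too, which is exactly why a subject-only rule should contribute to a score alongside sender checks and body filters rather than decide on its own.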

Table Image

Take a close look at the zoomed-in image below. The QuickBooks logo in the email is made by coloring the cells of an HTML table, rather than by linking to an image. (I hovered over one of the rows in my browser's inspector to highlight it.) We're not sure exactly why the spammer did this. It does not appear to be obfuscating any text (which was done elsewhere, see below). It might be a new technique to avoid spam filters: many mail clients block remote images by default and filters can fingerprint attached or inline images, whereas a logo drawn from table cells is plain HTML that renders everywhere and contains no image to hash.

The logo is made from coloring the cells of an HTML table

Failed SPF

It's easy to "spoof" an email to make it look like it came from a legitimate domain (e.g., "@intuit.com"). To combat spoofing, many spam filters let you block or just tag messages that fail an "SPF" (Sender Policy Framework) check, which looks up the sending domain's DNS record to determine whether the connecting server's IP address is authorized to send mail for that domain. One caveat: SPF is evaluated against the envelope sender (the MAIL FROM / Return-Path domain), which need not match the From address the recipient sees, so a message can pass SPF and still display a forged From line.

However, some companies send newsletters, invoices and other non-spam bulk email from servers they don't list as authorized in the Domain Name System (DNS) records, the source used for SPF checking. Forwarded mail fails SPF for the same reason, since the forwarding server is not in the original domain's record. So, blocking email that merely fails an SPF check can produce false positives (legitimate email blocked) and force people to spend more time searching for missing email in their quarantine, which is full of spam.

To protect against spoofing and reduce false positives, we provide SPF checking, but recommend that users merely tag email that fails the check (instead of blocking it outright), add a warning like "[Forged Sender]" to the subject line, and then continue filtering. If such email makes it through the rest of our spam filters, it is unlikely to be spam, but the subject line warns recipients to use caution without making them wade through a sea of dangerous spam to look for things like newsletters and invoices.
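The tag-rather-than-block policy is easy to see in code. The following is an added example written for this article, not SpamStopsHere's implementation: a deliberately simplified SPF evaluator that handles the ip4, ip6 and all mechanisms with their qualifiers, followed by the subject-tagging step. The SPF record and sender addresses are constructed (they use reserved documentation ranges); include:, a, mx, exists and redirect= terms require DNS lookups and are intentionally left out, so a real deployment would use a full implementation such as pyspf.

```python
import ipaddress

# Constructed SPF record for an imaginary domain. Real records also use
# include:, a, mx, exists and redirect= terms, which need DNS and are not
# evaluated by this simplified checker.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# RFC 7208 qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against an SPF record string.

    Returns one of pass / fail / softfail / neutral / none.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"                    # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # "all" always matches
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/redirect would need DNS; treated as no match here
    return "neutral"   # no mechanism matched and no "all": RFC 7208 default


def tag_subject(subject: str, spf_result: str) -> str:
    """Tag rather than block: prepend a warning on fail/softfail, keep the mail."""
    if spf_result in ("fail", "softfail"):
        return "[Forged Sender] " + subject
    return subject


if __name__ == "__main__":
    for sender in ("203.0.113.45", "198.51.100.7", "2001:db8:1::9"):
        result = check_spf(SPF_RECORD, sender)
        print(sender, result, "->", tag_subject("INTUIT Browsers Update", result))
```

The tagged message still flows through every later filter; the "[Forged Sender]" prefix only changes what the recipient sees if nothing else catches it. Remember that a pass here says the connecting IP may send for the envelope domain; it says nothing about the visible From header unless DMARC alignment is also checked.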

Poor Grammar

While at first the email looks authentic, reading it reveals some poor grammar, an obvious sign of spam that is better detected by a human (like one of our threat analysts) than an algorithm.

Malicious Link

The link in the email (see the image below) would try to download a malicious file from what is probably a hacked server.

Relying on installed antivirus software to protect you from threats like this is risky. Cloud spam filtering like SpamStopsHere can react much faster. A few hours after this campaign hit, only a few antivirus programs were detecting the file as a threat. Two days later, less than 60% were. SpamStopsHere was blocking this campaign globally for our customers within about 5 minutes.

See how your antivirus software is doing.

Malicious link in the Intuit Browser Update email (partially obscured as a precaution)

Obfuscated Text

At least some of the emails include what we call "obfuscated text" to hide trigger words and phrases from spam filters. In this case, the word "QuickBooks" appears almost normal when rendered, but the HTML code in the email is:

<span style="letter-spacing: -1px">Qu<small>I</small>ckBooks.</span>

The spammer has tried to do two things here to get past spam filters.

  • The "small" tag splits the word QuickBooks into three separate HTML text nodes, while the negative letter-spacing on the surrounding "span" pulls the letters back together visually. A filter looking for that trigger word in the raw HTML might miss it, yet it would still look like "QuickBooks" to the human eye.
  • The "i" is uppercase but rendered smaller. If a local IT admin has added the word "QuickBooks" as a case-sensitive trigger word, then "QuIckBooks" might go undetected, and the odd capital would also not be noticed by many readers.

We defeat attempts like that to hide spam in several ways:

  • We strip out the HTML code and other tricks typically used to obfuscate text and run the normalized message through our URL/Phone and Phrase filters.
  • Also, the original message is run through our Pattern filter to see if it includes HTML and other obfuscations (among other typical tricks).

Spammer tried to hide a typical trigger word with an upper-case letter in the middle
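The two-pass approach described in this section (normalize, then phrase-match; separately, look for the tricks themselves in the raw HTML) and the table-drawn logo from the "Table Image" section above can be demonstrated in one place. What follows is an added example written for this article, not SpamStopsHere's filter code. The HTML fragment is constructed to reproduce the `Qu<small>I</small>ckBooks` snippet quoted above inside a logo made of coloured, empty table cells; the trigger phrases and the cell-count threshold are assumptions chosen for the sample.

```python
import re
from html.parser import HTMLParser

# Constructed fragment reproducing the two tricks described in the article:
# a "logo" of coloured empty table cells, and a trigger word split by <small>
# with negative letter-spacing pulling the pieces back together visually.
SAMPLE_HTML = """
<table>
<tr><td style="background:#2ca01c"></td><td style="background:#2ca01c"></td><td bgcolor="#ffffff"></td></tr>
<tr><td style="background:#2ca01c"></td><td bgcolor="#2ca01c"></td><td bgcolor="#ffffff"></td></tr>
</table>
<p>Please update your browser to keep using
<span style="letter-spacing: -1px">Qu<small>I</small>ckBooks.</span></p>
"""

TRIGGER_PHRASES = ["quickbooks", "update your browser"]   # assumed phrase list
LOGO_CELL_THRESHOLD = 4   # assumed; real layouts rarely have many empty coloured cells


class Normalizer(HTMLParser):
    """Pass 1: keep only visible text so tag-split words rejoin."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        # Collapse whitespace and case so phrase matching ignores both.
        return re.sub(r"\s+", " ", "".join(self.parts)).strip().lower()


class PatternFilter(HTMLParser):
    """Pass 2: flag structural tricks in the raw HTML, independent of its text."""

    INLINE = {"small", "span", "b", "i", "u", "em", "strong", "font", "sup", "sub"}

    def __init__(self):
        super().__init__()
        self.findings = set()
        self.in_cell = False
        self.cell_has_text = False
        self.cell_coloured = False
        self.coloured_empty_cells = 0
        self.last_data = ""   # text seen immediately before the current tag

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        if tag == "td":
            self.in_cell = True
            self.cell_has_text = False
            self.cell_coloured = "bgcolor" in attrs or "background" in style
        elif tag == "span" and re.search(r"letter-spacing\s*:\s*-", style):
            self.findings.add("negative_letter_spacing")
        elif tag == "small" and self.last_data and not self.last_data[-1].isspace():
            # <small> opening mid-word ("Qu<small>I</small>ck") splits a token
            # that a filter reading the raw HTML would otherwise see whole.
            self.findings.add("small_tag_inside_word")
        if tag not in self.INLINE:
            self.last_data = ""   # block-level tag: previous text is a separate word

    def handle_endtag(self, tag):
        if tag == "td":
            if self.cell_coloured and not self.cell_has_text:
                self.coloured_empty_cells += 1
            self.in_cell = False
        if tag not in self.INLINE:
            self.last_data = ""

    def handle_data(self, data):
        self.last_data = data
        if self.in_cell and data.strip():
            self.cell_has_text = True

    def results(self):
        if self.coloured_empty_cells >= LOGO_CELL_THRESHOLD:
            self.findings.add("table_drawn_image")
        return self.findings


def normalized_text(html: str) -> str:
    p = Normalizer()
    p.feed(html)
    return p.text()


def phrase_hits(html: str) -> list:
    """Trigger phrases found in the normalized text, in list order."""
    text = normalized_text(html)
    return [ph for ph in TRIGGER_PHRASES if ph in text]


def pattern_hits(html: str) -> set:
    """Obfuscation tricks found in the raw HTML."""
    f = PatternFilter()
    f.feed(html)
    return f.results()


if __name__ == "__main__":
    print("normalized:", normalized_text(SAMPLE_HTML))
    print("phrases:   ", phrase_hits(SAMPLE_HTML))
    print("patterns:  ", sorted(pattern_hits(SAMPLE_HTML)))
```

The normalization pass is what defeats the split word: once tags are dropped and case folded, "QuIckBooks" is simply "quickbooks" again, so a case-sensitive admin keyword is not needed. The pattern pass deliberately reports evidence rather than a verdict; a `<small>` inside a word or a negative letter-spacing also occur in legitimate newsletters, so each finding should add to a score that the later filters weigh, which is the role the text above assigns to the Pattern filter.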

How to Protect Against These Scams

No spam filter is perfect. Even the best ones will let through some spam. So, the first rule is never click a link or download an attachment in an unexpected email. If you receive one like this with an urgent message and you want to check your account with the company it appears to have come from, simply type the URL you already know into your browser's address bar and proceed from there.

Read about more common-sense ways to supplement your spam filter here.

Pay for Premium Spam Filtering

Spam appears to be going through a big change. We are generally seeing less spam than in the past, however, what's left has become more sophisticated, more difficult to detect and thus more dangerous. Even so, many spam filters are still based on an unpredictable filtering technique called "Bayesian Heuristics" and are mostly automated. Purely automated systems like that simply cannot detect this type of scam quickly enough. Some still rely on end users to update their filter rules and constantly monitor for new campaigns.

SpamStopsHere works differently. For one, it does not rely on Bayesian filtering. Instead, our proprietary filters are each designed to block spam based on specific criteria and are sequenced in an optimal order for efficiency. Most importantly, we have a team of professional threat analysts who work 24/7/365 manually reviewing suspicious email and updating our filter database every two minutes. Even spam campaigns that are difficult to detect are blocked very quickly, and virus spam on day zero, faster than other Cloud systems and much faster than installed antivirus software.

See how SpamStopsHere beats Heuristic Filtering

About SpamStopsHere

SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.

If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Click here for more about SpamStopsHere and our 24/7/365 live support

Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.