About this Scam
Here's what one of these emails looks like:
In many cases, our proprietary filters and database of spam profiles are ready to block tomorrow's spam today. Although a few of these emails got through, we began fully blocking the campaign globally within about 5 minutes.
Spammy IPs and Blacklisting
This campaign came from a variety of servers. Some of the IPs were already on our blacklist. Others weren't, but we didn't add all of them to the blacklist. That's because we don't automatically block email from a server just because it has sent spam.
Many antispam providers use aggressive blacklisting and encourage the use of Real-Time Blacklists (RBLs) to try to improve upon their downstream heuristics. However, that can greatly increase false positives from campaigns like this that may be coming from servers that are just temporarily or unintentionally abused. Those servers can remain on RBLs and manually-configured IP blacklists for a long time after being disinfected, which can happen in a matter of hours or days. Then, legitimate email sent from them will be blocked.
We take a different approach. Because our other spam filters are so accurate, we don't need to rely as heavily on IP blacklisting. We only blacklist servers that we know are owned by spammers and will never send legitimate email. As a result, our blacklist produces almost no false positives.
Many Subject Lines
This type of campaign can be difficult to block fully immediately. For one, the template generating the emails uses a variety of phrases in the subject line, such as:
- INTUIT Browsers Update
- Intuit QuickBooks Online: Browser Update
- INTUIT QuickBooks Security Warning
- INTUIT Security Warning
- INTUIT QB: attention
- INTUIT Important Notification
Watch out for email with the same or similar subject lines. Our threat analysts have blocked this campaign, in part, by creating several filters that pick up on not only the variations, but also what's common among the emails. That requires some sophisticated regular expressions, but doing so completely blocks what that template is generating.
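As an added illustration (not SpamStopsHere's own filter code), here is a two-layer subject filter in Python: one anchored pattern per observed variant, plus a looser "commonality" pattern that also catches a variant the exact filters have not seen. The campaign subjects are the ones listed above; the legitimate subjects are constructed for the example.

```python
import re

# Campaign subjects are the variants listed in the post; the legitimate
# subjects are constructed here to show what the filter must NOT match.
CAMPAIGN_SUBJECTS = [
    "INTUIT Browsers Update",
    "Intuit QuickBooks Online: Browser Update",
    "INTUIT QuickBooks Security Warning",
    "INTUIT Security Warning",
    "INTUIT QB: attention",
    "INTUIT Important Notification",
]
LEGIT_SUBJECTS = [
    "Your QuickBooks invoice 1042 is attached",
    "Re: intuit payroll question",
    "Browser update rolled out to staff laptops",
    "Fwd: INTUIT Security Warning - is this real?",
]

# Layer 1: one anchored pattern per observed variant family.
VARIATION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^intuit\s+browsers?\s+update$",
    r"^intuit\s+quickbooks\s+online:\s*browser\s+update$",
    r"^intuit(?:\s+quickbooks)?\s+security\s+warning$",
    r"^intuit\s+qb:\s*attention$",
    r"^intuit\s+important\s+notification$",
)]

# Layer 2: what every variant shares. The subject is the bare brand name, an
# optional product token, and one short alert phrase, with nothing else.
COMMON_PATTERN = re.compile(
    r"^intuit\s+(?:quickbooks(?:\s+online)?:?\s+|qb:\s*)?"
    r"(?:browsers?\s+update|security\s+warning|attention|important\s+notification)$",
    re.IGNORECASE,
)

def normalize_subject(subject: str) -> str:
    """Collapse runs of whitespace so spacing changes cannot dodge the anchors."""
    return " ".join(subject.split())

def matches_variation(subject: str) -> bool:
    s = normalize_subject(subject)
    return any(p.match(s) for p in VARIATION_PATTERNS)

def matches_common(subject: str) -> bool:
    return COMMON_PATTERN.match(normalize_subject(subject)) is not None

def classify(subject: str) -> str:
    """Return 'block' if either layer fires, otherwise 'pass'."""
    return "block" if matches_variation(subject) or matches_common(subject) else "pass"
```

The anchors matter: a subject that merely mentions "QuickBooks" or a forwarded copy of the scam with "Fwd:" in front passes through to the rest of the filter chain instead of being blocked here.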
Take a close look at the zoomed-in image below. The Quickbooks logo in the email is made from coloring the cells of an HTML table, rather than linking to an image. (I hovered over one of the rows in my browser's inspector to highlight it). We're not sure exactly why the spammer did this. It does not appear to be obfuscating any text (which was done elsewhere, see below). It might be a new technique to avoid spam filters.
It's easy to "spoof" an email to make it look like it came from a legitimate domain (e.g., "@intuit.com"). To combat spoofing, many spam filters let you block or just tag messages that fail an "SPF" check, which determines if the email originated from a server authorized to send it.
However, some companies send newsletters, invoices and other non-spam bulk email from servers they don't list as authorized in the Domain Name System (DNS) records, the source used for SPF checking. So, blocking email that merely fails an SPF check can produce false positives (legitimate email blocked) and force people to spend more time searching for missing email in their quarantine, which is full of spam.
To protect against spoofing and reduce false positives, we provide SPF checking, but recommend that users merely tag email that fails the check (instead of blocking it outright), add a warning like "[Forged Sender]" to the subject line, and then continue filtering. If such email makes it through the rest of our spam filters, it is unlikely to be spam, but the subject line warns recipients to use caution without making them wade through a sea of dangerous spam to look for things like newsletters and invoices.
While at first the email looks authentic, reading it reveals some poor grammar, an obvious sign of spam that is better detected by a human (like one of our threat analysts) than an algorithm.
The link in the email (see the image below) would try to download a malicious file on what is probably a hacked server.
Relying on installed antivirus software to protect you from threats like this is risky. Cloud spam filtering like SpamStopsHere can react much faster. A few hours after this campaign hit, only a few antivirus programs were detecting the file as a threat. Two days later, less than 60% were. SpamStopsHere was blocking this campaign globally for our customers within about 5 minutes.
At least some of the emails include what we call "obfuscated text" to hide trigger words and phrases from spam filters. In this case, the word "Quickbooks" almost appears normal, but the HTML code in the email is:
<span style="letter-spacing: -1px">Qu<small>I</small>ckBooks.</span>
The spammer has tried to do two things here to get past spam filters.
- The html "span" tags break up the word Quickbooks. A filter looking for that trigger word might miss it, and it would look like "QuickBooks" to the human eye.
- The "i" is uppercase but smaller. If a local IT admin has added the word "QuickBooks" as a trigger word, then "QuIckBooks" might go undetected and would also not be noticed by some readers.
We defeat attempts like that to hide spam in several ways:
- We strip out the html code and other tricks typically used to obfuscate text and run the normalized message through our URL/Phone and Phrase filters.
- Also, the original message is run through our Pattern filter to see if it includes html and other obfuscations (among other typical tricks).
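As an added example (not the product's own code), the two-pass approach described above in Python: a phrase filter run over normalized text, and a pattern filter run over the original HTML that flags the obfuscation tricks themselves. The HTML fragment reproduces the snippet quoted above inside a constructed sentence; the trigger-phrase list and the regular expressions are assumptions for the example.

```python
import html
import re

# Constructed HTML fragment built around the obfuscated snippet quoted in the post.
SAMPLE_HTML = (
    'Your <span style="letter-spacing: -1px">Qu<small>I</small>ckBooks.</span> '
    'account needs a browser update.'
)

# Assumed trigger phrases for this example; a real phrase list would be far longer.
TRIGGER_PHRASES = ["quickbooks", "browser update"]

# Block-level tags become a space so neighbouring words do not fuse; inline
# tags are removed outright so a word split by them rejoins.
BLOCK_TAG_RE = re.compile(r"</?(?:br|p|div|tr|td|li|h\d)\b[^>]*>", re.I)
TAG_RE = re.compile(r"<[^>]+>")
# An inline tag with word characters directly on both sides is sitting inside
# a word: a common way to split a trigger word that legitimate markup rarely uses.
INTRA_WORD_TAG_RE = re.compile(
    r"\w<(?:small|span|b|i|u|font)\b[^>]*>\w|\w</(?:small|span|b|i|u|font)>\w", re.I)
# Negative letter-spacing pulls the split pieces back together visually.
LETTER_SPACING_RE = re.compile(r"letter-spacing\s*:\s*-\d", re.I)

def normalize(raw_html: str) -> str:
    """Strip markup, decode entities, fold case and whitespace for phrase matching."""
    text = BLOCK_TAG_RE.sub(" ", raw_html)
    text = TAG_RE.sub("", text)
    text = html.unescape(text).casefold()
    return " ".join(text.split())

def phrase_hits(raw_html: str) -> list:
    """Phrase filter: trigger phrases found in the normalized message."""
    text = normalize(raw_html)
    return [p for p in TRIGGER_PHRASES if p in text]

def obfuscation_hits(raw_html: str) -> list:
    """Pattern filter: obfuscation techniques found in the original HTML."""
    hits = []
    if INTRA_WORD_TAG_RE.search(raw_html):
        hits.append("tag-inside-word")
    if LETTER_SPACING_RE.search(raw_html):
        hits.append("negative-letter-spacing")
    return hits
```

Note that the phrase filter catches "QuIckBooks" on its own because of case folding, while the pattern filter fires on the markup even when no trigger phrase is present.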
How to Protect Against These Scams
No spam filter is perfect. Even the best ones will let through some spam. So, the first rule is:
Pay for Premium Spam Filtering
Spam appears to be going through a big change. We are generally seeing less spam than in the past; however, what's left has become more sophisticated, more difficult to detect and thus more dangerous. Even so, many spam filters are still based on an unpredictable filtering technique called "Bayesian Heuristics" and are mostly automated. Purely automated systems like that simply cannot detect this type of scam quickly enough. Some still rely on end users to update their filter rules and constantly monitor for new campaigns.
SpamStopsHere works differently. For one, it does not rely on Bayesian filtering. Instead, our proprietary filters are each designed to block spam based on specific criteria and are sequenced in an optimal order for efficiency. Most importantly, we have a team of professional threat analysts who work 24/7/365 manually reviewing suspicious email and updating our filter database every two minutes. Even spam campaigns that are difficult to detect are blocked very quickly, and virus spam is blocked on day zero, faster than other Cloud systems and much faster than installed antivirus software.
SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.
If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.
Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.