SophosLabs has seen a large number of emails purporting to be from Intuit, the company that makes QuickBooks bookkeeping software.
Sophos anti-spam products have been detecting and blocking these messages for quite some time, but the messages are so convincing that our own customers have been reporting the blocks to us as false positives!
The spam reads:
Good afternoon,
With intent to guarantee that accurate information is being maintained on our systems, as well as to improve the quality of service we can provide to you; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.
For some reason your name and/or Taxpayer Identification Number, that is specified on your account is different from the information obtained from the IRS.
In order to check and correct the information on your account, please use the following link.
2632 Marine Way
Mountain View, CA 94043
Intuit have posted a warning to their security center advising customers that this may be a phishing attack. Unfortunately, it is a lot worse than that.
Sophos endpoint customers are protected from Blackhole redirects as Mal/JSRedir-H, and if they are running endpoint web filtering, they will also be blocked from accessing the URLs by Mal/HTMLGen-A.
Depending on which browser and plugins you are running, the Blackhole exploit kit can exploit the vulnerable ones and deliver a malicious payload, often fake anti-virus (scareware).
To learn more about the Blackhole exploit kit, download the Sophos Security Threat Report 2012 and listen to this podcast where Paul Ducklin and I discuss the Blackhole exploit kit.