Intuit "Payroll Processing Request" Malware Email

"Payroll processing" emails purporting to be from financial software provider Intuit, claim that are large amount of money is about to be withdrawn from the recipient's bank account to cover employee paychecks. The recipient is invited to click a link in the message to download payroll details.

The email is not from Intuit and the claims in the message are untrue. Those who fall for the ruse and follow links in the email will be taken to a website that harbours information stealing malware.

The emails are not from Intuit. In fact, the emails are designed to trick recipients into downloading malware to their computers. The criminals responsible for the scam hope that recipients, panicked into believing that several thousand dollars is set to be withdrawn from their bank accounts, will click the link in the message without due forethought. Clicking links in the messages, will actually take victims to a compromised website that harbours malware. The victim is taken to a site that supposedly contains more information about the payroll withdrawal and then asked to wait until the page fully loads. However, the page then automatically redirects to other sites where trojans and other types of malware may be downloaded to the visitor's computer.

Once installed, this malware can change computer settings, steal sensitive information stored on the computer and connect to remote servers.

Example mail:
---------------------------------------------------------------------------------------------------------------------------------

From: Intuit Payment Network
Subject: We have received your payroll processing request.
Direct Deposit Service Communication
Information Only

Dear [email address removed]

We obtained your payroll on June 16, 2014 at 3:25 AM Pacific Time.

Funds will be withdrawn from the bank account number ending in: XXXX on June 17, 2014.
Amount to be withdrawn: $7,956.50
Paychecks will be transferred to your employees' accounts on: June 17, 2014
Please download your payroll here.
Funds are as a rule withdrawn before normal banking hours so please make sure you have enough funds available by 12 a.m. on the date funds are to be withdrawn.

Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your paycheck date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be accessed at the Federal Reserve website.

Thank you for your business.

Sincerely,
Intuit Payroll Services
---------------------------------------------------------------------------------------------------------------------------------
How to protect yourself from a phishing attack:

1. If you suspect you have received a phishing email from Intuit, please forward it immediately to spoof@intuit.com. Intuit will look into each reported instance.
2. Make sure you subscribe to an anti-virus software and keep it up-to-date.
3. Make sure you have updated your web browser to one that includes anti-phishing security features, such as Internet Explorer 7 or Firefox version 3 or higher.
4. Make sure that you keep up to date on the latest releases and patches for your operating systems and critical programs. These releases are frequently security related.
5. Do not open up an attachment that claims to be a software update. We will not send any software updates via email.
6. Do not respond to emails asking for account, password, banking, or credit card information.
7. Do not respond to text messages or voicemails that ask you to call a number and enter your account number and pin.
8. Make sure you have passwords on your computer and your payroll files.

Three common methods that phishers use in their emails:

1. Spoofed email address.
Don't reply to unsolicited email and don't open email attachments. It's easy to fake a From or Reply To address, either manually or with spam software, so never assume an email is real by looking at its header. You might be able to spot fake addresses by checking for domain name misspellings, but this isn't foolproof. Some email service providers combat the problem of spoofed addresses by using authentication techniques to verify a sender's integrity.

2. Fake link. 

When in doubt, never click on a link in an unsolicited or suspicious email. Scam emails can contain a hidden link to a site that asks you to enter your log on and account information. A clue: if the email threatens you with account closure if you don't log on soon, you could be the target of phishing. You may be able to tell if a link is real by moving your mouse over it and looking at the bottom of your browser to see the hidden Web address - it will look different than the one you see on the surface.

3. Forged Website. 

If you must visit a financial site, like your bank or credit card company, enter its known address into the browser location field manually. Use a browser with an anti-phishing plug-in or extension, like FireFox version 3 or higher or Internet Explorer 7. These browsers warn you about forged, high-risk sites. Phony Web sites mimic real sites by copying company logos, images, and site designs. Malicious webmasters can also use HTML, Flash or Java Script to mask or change a browser address.

Visit security.intuit.com to get the most up to date information about phishing.