Log in

No account? Create an account

Previous Entry | Next Entry

If you've ever run a small business, or done any accounting, you're probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I'm sure. They simply appear to run Web sites whose Webmasters don't really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it's not actually their main site that has the problem, at least not that I've seen so far. Instead, they run many "community" sites, and on some of these sites they appear to have a...relaxed approach to security and best practices.

The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don't know what you're doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usualy pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors' computers.

A smattering of these profiles includes:





Some of these profile sites, unusually, redirect through TinyURL to to destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I've written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as


which offers free porn if you download a movie-player codec...which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it's hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosing malware sites for Russian organized crime, as I've mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network (the TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3¶meter=25aug, hosted by Worldstream.nl, which itself redirects to one of several sites such as stereotube.net or to http://tinyurl.com/stereotubeonline-boom-03, which redirects to http://stereotubeonline.com/xplays.php?id=48034 also hosted by Calpop.

The third is that the phony profile pages are pulling images from various real porn sites. For example,


is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog--it appears to be defunct now--but that Wordpress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.

When I go to my taxes next year, I don't think I'll use Intuit.


( 8 comments — Leave a comment )
Dec. 21st, 2009 02:37 am (UTC)
Intuit has to be the single most customer hostile corporation in existence. Sadly too many people believe there is no alternative. If you didn't hear about their little 2008 episode of accidentally wiping people's desktop directory - twice, ask me, I'l tell yah
Dec. 21st, 2009 05:42 pm (UTC)
I found it rather charming the way them made me keep getting new versions of Quicken (each worse than the last) every two years to keep electronic bill pay working. Then they discontinued the "Basic" version that was already full of a pile of stuff I had no interest in.

Mint.com was sounding like they were becoming the best alternative, but Quicken just bought them out.

By all accounts, MS Money is just as bad. Last I checked, both it and Quicken had solid two-star Amazon average reviews.
Dec. 21st, 2009 07:44 pm (UTC)
Check out Moneyworks, http://www.cognito.co.nz/
Dec. 21st, 2009 12:15 pm (UTC)
I used to own a small business. In 2001 I bought Quickbooks Point of Sales which at that time allowed you to bank with Wells Fargo which was my business bank. In 2003 I think it was, they set up their OWN bank w/higher credit card processing rates and tried to highjack me! I didn't want to have to buy another POS system, those things are expensive so I figured out a rather laborious work-around in the software I had. But that experience convinced me -- Intuit is a shark, and I will never, ever pay for their software again.
Dec. 22nd, 2009 03:08 am (UTC)
KicksNike1.com offer original nike air max (http://www.kicksnike1.com/) shoes at cheap price retail 24hours,we also accespt air max shoes wholsele and dropship.It is a place where you can buy cheapest original air max sneakers.
Dec. 22nd, 2009 11:34 pm (UTC)
Update from Intuit
Geoff here; I work for Intuit, the company that ran the board you referenced. Thank you for raising this problem. We have acted to correct this.
Of note, the site you reference is an old community site, hosted by a third-party vendor. We migrated our QuickBooks customers some time ago to new user forums located at http://community.intuit.com/quickbooks/uk and http://community.intuit.com/quickbooks/canada. We are in the process of pulling the old site down and expect it to be gone before the week’s end.
For the record, all of our internal Intuit sites are certified by TRUSTe. You’ll see a logo and link in the bottom right of the page.
Thanks again for raising this and for the opportunity to reply
Jan. 26th, 2010 09:30 am (UTC)
Re: Update from Intuit
Well, here we are more than a month from your reply, and community.quickbooks.co.uk is STILL hosting redirectors to computer viruses. It STILL is not following basic, beginner's best practices for security, it STILL allows HTML and JavaScript in user-supplied data, it STILL doesn't sanitize user input, it STILL allows bots to create user profiles, and virus links are still active.




and, as of this evening, about 122 more.

Each of these redirectors has the Intuit logo prominently displayed on it; each goes to computer viruses advertised as hard-core porn movie player software or to search sites that provide lists of phony Internet drug pharmacies.

Interesting that you claim to have expected the site to be down in a week, yet it's still up and still redirecting visitors to malware.
Jan. 27th, 2010 01:46 pm (UTC)
Scrubbing the board
Thanks for following up. The board’s been scrubbed and the spammer(s) has/have been removed. The domains and IP addresses are being watched or banned. This is in addition to a more significant clean up we conducted before the holidays.

Again, we appreciate your help.

( 8 comments — Leave a comment )