Franklin Veaux (tacit) wrote,
Franklin Veaux
tacit

  • Mood:

Computer security? Best practice? yeah, those are things we've heard of.

If you've ever run a small business, or done any accounting, you're probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I'm sure. They simply appear to run Web sites whose Webmasters don't really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it's not actually their main site that has the problem, at least not that I've seen so far. Instead, they run many "community" sites, and on some of these sites they appear to have a...relaxed approach to security and best practices.

*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don't know what you're doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usualy pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors' computers.

A smattering of these profiles includes:

http://community.quickbooks.co.uk/discussion/index.php?showuser=57944

http://community.quickbooks.co.uk/discussion/index.php?showuser=58063

http://community.quickbooks.co.uk/discussion/index.php?showuser=58395

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

Some of these profile sites, unusually, redirect through TinyURL to to destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I've written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as

http://stereotube.net/xfreeporn.php?id=45035

which offers free porn if you download a movie-player codec...which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it's hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosing malware sites for Russian organized crime, as I've mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network (the TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3¶meter=25aug, hosted by Worldstream.nl, which itself redirects to one of several sites such as stereotube.net or to http://tinyurl.com/stereotubeonline-boom-03, which redirects to http://stereotubeonline.com/xplays.php?id=48034 also hosted by Calpop.

The third is that the phony profile pages are pulling images from various real porn sites. For example,

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog--it appears to be defunct now--but that Wordpress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.

When I go to my taxes next year, I don't think I'll use Intuit.
Tags: computer security, computer viruses
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 8 comments