At Softpedia we read: A new spam campaign leveraging Intuit brand name has been spotted to deliver messages with CryptoWall malware attached claiming to be the copy of a remittance file.
The message comes with the subject “Payroll Received by Intuit” and informs that the payment proof has been attached, inciting users to open it.
The item in the attachment is a ZIP archive, which contains an executable with the name “Remittance.exe.” Conrad Longmore from Dynamo’s Blog uploaded the file to VirusTotal service where the detection rate was 9/53.
Further investigation, which led to an analysis from Threat Track, revealed that the malware sample was actually a variant of CryptoWall ransomware, which, once infecting a computer system, proceeds to encrypt specific file types, including DOC, XLS, and TXT, videos and images.
CryptoWall is known to be distributed via spam email, and it is believed that it was released around April this year as part of an exploit kit called RIG. At first, the prevalent attack vector were advertisments served on numerous websites.
The spam message caught by Longmore appears to be very elaborate, providing instructions with a deadline and using a language that would incite potential victims to check the matter in detail.
___________________
Payroll Received by Intuit – fake PDF malware
From the U.K. we read @ My Online Security we read: Payroll Received by Intuit pretending to come from Intuit Payroll Services <IntuitPayrollServices@payrollservices.intuit.com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Dear, derekWe received your payroll on August 01, 2014 at 09:00 AM EST.
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.Thank you for your business.Sincerely,Intuit Payroll ServicesIMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service, software, or billing. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or registered service marks of Intuit Inc. in the United States and other countries. All other marks are the property of their respective owners, should be treated as such, and may be registered in various jurisdictions.Intuit Inc. Customer Communications 2800 E. Commerce Center Place, Tucson, AZ 85706
1 August 2014: Remittance.zip (10kb): Extracts to Remittance.scr Current Virus total detections: 5/52 MALWR Auto Analysis:
This Payroll Received by Intuit is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.