If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.
Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.
Yep, you read that right. They distribute computer viruses.
Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they…err, specialize in software that handles business financial information.
Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.
Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.
*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!
While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property,
This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.
Which is, when you get right down to it, a recipe for disaster.
Anyway, the
A smattering of these profiles includes:
Some of these profile sites, unusually, redirect through TinyURL to the destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.
The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as
which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)
Unsurprisingly, the payload site
In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.
The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as
The third is that the phony profile pages are pulling images from various real porn sites. For example,
is grabbing a picture from
When I go to do my taxes next year, I don’t think I’ll use Intuit.