If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.
Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.
Yep, you read that right. They distribute computer viruses.
Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they…err, specialize in software that handles business financial information.
Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.
Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.
*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!
While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property,
This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.
Which is, when you get right down to it, a recipe for disaster.
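One way to close the hole described above is to parse each submitted profile and re-emit only an allowlist of tags, dropping scripts, event handlers, images, meta refreshes and any link that is not plain http(s). This is an added example, not Intuit's code; the tag policy and the names `sanitize_profile`, `safe_href` and `ProfileSanitizer` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: basic formatting and links only, no images.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # element and its body

def safe_href(value):
    """Return the URL only if it is an absolute http(s) link, else None."""
    url = "".join(ch for ch in (value or "") if ch > " ")  # drop spaces/control chars
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return url if parts.scheme in ("http", "https") and parts.netloc else None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif self.skip == 0 and tag in ALLOWED_TAGS:
            href = safe_href(dict(attrs).get("href")) if tag == "a" else None
            if href:  # the only attribute ever re-emitted; onclick, style, src are dropped
                self.out.append('<a href="%s" rel="nofollow noopener">' % escape(href))
            else:
                self.out.append("<%s>" % tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if self.skip == 0:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize_profile(markup):
    parser = ProfileSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample input (not taken from the site discussed above).
SAMPLE = ('<p onmouseover="x()">Hi</p><script>location="http://bad.example/"</script>'
          '<meta http-equiv="refresh" content="0;url=http://bad.example/">'
          '<a href="java&#115;cript:x()">pics</a> <a href="https://example.org/me">me</a>')
```

An unclosed `<script>` leaves the parser in skip mode, so everything after it is dropped rather than rendered.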
Anyway, the
A smattering of these profiles includes:
Some of these profile sites, unusually, redirect through TinyURL to the destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.
The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as
which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)
Unsurprisingly, the payload site
In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.
The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as
The third is that the phony profile pages are pulling images from various real porn sites. For example,
is grabbing a picture from
When I go to do my taxes next year, I don’t think I’ll use Intuit.
Intuit has to be the single most customer hostile corporation in existence. Sadly too many people believe there is no alternative. If you didn’t hear about their little 2008 episode of accidentally wiping people’s desktop directory – twice, ask me, I’ll tell yah
I found it rather charming the way they made me keep getting new versions of Quicken (each worse than the last) every two years to keep electronic bill pay working. Then they discontinued the “Basic” version that was already full of a pile of stuff I had no interest in.
Mint.com was sounding like they were becoming the best alternative, but Quicken just bought them out.
By all accounts, MS Money is just as bad. Last I checked, both it and Quicken had solid two-star Amazon average reviews.
Check out Moneyworks, http://www.cognito.co.nz/
I used to own a small business. In 2001 I bought Quickbooks Point of Sales which at that time allowed you to bank with Wells Fargo which was my business bank. In 2003 I think it was, they set up their OWN bank w/higher credit card processing rates and tried to hijack me! I didn’t want to have to buy another POS system, those things are expensive so I figured out a rather laborious work-around in the software I had. But that experience convinced me — Intuit is a shark, and I will never, ever pay for their software again.
Re: Update from Intuit
Well, here we are more than a month from your reply, and community.quickbooks.co.uk is STILL hosting redirectors to computer viruses. It STILL is not following basic, beginner’s best practices for security, it STILL allows HTML and JavaScript in user-supplied data, it STILL doesn’t sanitize user input, it STILL allows bots to create user profiles, and virus links are still active.
and, as of this evening, about 122 more.
Each of these redirectors has the Intuit logo prominently displayed on it; each goes to computer viruses advertised as hard-core porn movie player software or to search sites that provide lists of phony Internet drug pharmacies.
Interesting that you claim to have expected the site to be down in a week, yet it’s still up and still redirecting visitors to malware.
Scrubbing the board
Thanks for following up. The board’s been scrubbed and the spammer(s) has/have been removed. The domains and IP addresses are being watched or banned. This is in addition to a more significant clean up we conducted before the holidays.
Again, we appreciate your help.
Geoff
Re: More photos
I use Lightroom, with the HighSlide Gallery Pro web template from http://theturninggate.net/