A friend received a spam email from quickbooks@notification.intuit.com

Intuit is a real company, and intuit.com is their real domain. Looking online, a number of people received this scam email a few months ago, and then again over the last week.

If you came across this post from Google, this is why it reeks of a scam email:

  • 12 of other email addresses are listed in the to and cc fields
  • it says that a subscription is set to renew, “$399.99 will soon be taken out of your account” and that it will happen within the “next 24 hours”. Classic sense of urgency
  • It includes an 888 phone number that does not come up as any legitimate number, and it includes a PDF which my friend did not download in case it is malicious

Does this mean that Intuit lost control of that subdomain, or is there another way that someone might be spoofing it? I can have my friend check any other metadata if it would be helpful.


If you came here from Google, welcome to the Fediverse :)

  • colournoun@beehaw.org
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    4 hours ago

    Very similar to if you were to send a traditional paper letter in an envelope with a stamp, and put an incorrect return address on it. You could even make it look exactly like something the real company would have sent. There is no validation of the return address. If the recipient were to respond to the return address, it would expose the ruse. The scam is that the contents of the letter have further instructions that lead to the scam.

    Another complication is that the From address in internet email contains an address part and a description part. The address part is what is actually used to route the email, and the description part can be anything, including something that looks like an email address that doesn’t match the one in the address part. Most email clients only show the description part and hide the address part.

    For example:

    From: “Bob Smith” <[email protected]>

    From: “[email protected]” <[email protected]>

    From: “Do not reply” <[email protected]>

    From: “[email protected]” <[email protected]>

    Edit: formatting

  • groet@feddit.org
    link
    fedilink
    English
    arrow-up
    25
    ·
    edit-2
    7 hours ago

    E-Mail is old. So old that when it was invented, “hacking” and “security” was not really something anybody thought about.

    To send an email you connect to the recipients mail server and type in all the data of the mail. Including recipient, subject, mail body and importantly the address displayed in the “from” and “reply to” fields. They are all defined by the sender. The Email protocol has no way to verify if this information is correct and the sender is actually part of the aledged domain.

    Today, when you send a mail, most of the time you will not connect to the recipient mail server directly, but to a “sending” mail server, which then sends the mail to the recipient. For example if you log in to gmail, you write the mail on a google Mailserver which sends it to the recipient. Or you connect to your companies exchange through outlook.

    There is a modern extension to the mail protocol, which allows a domain owner to define the sending mail server which is allowed to send mails on behalf of this domain. But it is in the responsibility of the receiver to check. (Its called sender policy framework SPF)

    So most likely intuit didn’t do anything and the scamer just send mail without a sending mail server. And your receiving mail server did not verify the SPF correctly. Or intuit did not define an SPF. Or they did but it allows sources that do actually not belong to intuit but might be controllable by the scammers. This can happen if they want to send mails from cloud hostet systems and include them in their SPF, which may include systems by other customers of the cloud hoster.

    If you want to verify mail yourself, look in the mail headers (often called: view source) and look at the “received” headers. They deta the full path the mail has taken including which system initially wrote the mail. They are ordered bottom to top, so the (chronologically) first entry is the lowest. Check if the ip adress/hostnames for the first few hops belong to intuit and if they don’t, its most likely spam.

    TLDR: what is necessary to send mails from somebody else’s domain? Nothing. You can just do that. Mail is insecure by design and should be abolished.

    • hendrik@palaver.p3x.de
      link
      fedilink
      arrow-up
      4
      ·
      4 hours ago

      Very good answer. It’s really complicated since it’s an old protocol and lots of different mechanisms have been added on top. I found one small error: You can’t rely on the “received” headers either. Just the line from your mailserver and the IP and hostname right before. The rest of the path (before) can be fake, too. (And this regularly happens.)

    • hddsx@lemmy.ca
      link
      fedilink
      arrow-up
      8
      ·
      5 hours ago

      Even if you do have DKIM, DMARC, and SPF someone can still spoof your domain and the admin will still get an email about it. After that, instructions are unclear since the receiving domain is rejecting it properly.

      Ask me how I know

      • hendrik@palaver.p3x.de
        link
        fedilink
        arrow-up
        2
        ·
        4 hours ago

        Yeah, it has to be both sides cooperating. You can set a recommendation what to do with mails that failed the checks. Including dropping the mail altogether. But it’s open to the receiver to honor that request, or not do any checks at all.

    • FigMcLargeHuge@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      7 hours ago

      What this person said… I keep telling my dad over and over that I can literally send him an email and say I am anyone and it will show up in his email box. I feel like the urge to make everything “user friendly” has put us in this situation. The mail headers are so hidden now, it’s almost a chore to find them in most email programs, which is unfortunate.

  • smegger
    link
    fedilink
    arrow-up
    7
    ·
    8 hours ago

    They use spoofing. Apparently incorrectly secured stuff can allow it. The security guys at work were talking about this kind of thing the other week. I don’t fully understand it myself but this website discusses it. https://abnormalsecurity.com/glossary/dmarc