Dispatches From The Front Lines ...
Phony (and Inept) Intuit Email (Updated)
Posted on January 26, 2012 at 11:59 AM

I love it when crooks make simple mistakes that cost them. Look at the following email message claiming to come from Intuit (the accounting and tax return software company):

From: INTUIT INC.
Subject: Your tax information needs verification.

Dear Account Holder,

In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:

<a href="http://{int_link}">click here</a>

The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.
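A mail gateway can turn this kind of slip into a signal: a link whose href still contains an unfilled merge token is almost never legitimate. The following is an added example (not code from the original post) that parses an HTML body, collects every anchor, and flags hrefs containing unsubstituted template tokens. The sample message body is constructed; the only token syntax seen on the page is {name}, and the %name% and [[name]] forms are assumptions about other bulk-mailer templates.

```python
"""Flag mass-mailer template tokens that were never substituted in an
email's links, e.g. href="http://{int_link}".  Added example; the sample
body below is constructed and the token styles other than {name} are assumed."""
import re
from html.parser import HTMLParser

# Token syntaxes used by mail-merge / bulk-mailer templates.  {name} is the
# form on the page; %name% and [[name]] are assumptions about other mailers.
PLACEHOLDER_RE = re.compile(
    r"\{[A-Za-z_][A-Za-z0-9_]*\}|%[A-Za-z_][A-Za-z0-9_]*%|\[\[[^\]]+\]\]"
)


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text) tuples
        self._current = None   # [href, text] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    """Return every (href, anchor text) pair in the HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def is_placeholder_url(href):
    """True when the href still carries an unfilled template token."""
    return href is not None and PLACEHOLDER_RE.search(href) is not None


def find_unfilled_links(html):
    """Return the links whose href was never filled in by the mailer."""
    return [(h, t) for h, t in extract_links(html) if is_placeholder_url(h)]


# Constructed sample body modelled on the message quoted above.
SAMPLE_BODY = """<html><body>
<p>In order to check and update your account, please
<a href="http://{int_link}">click here</a>.</p>
<p><a href="https://www.example.com/help">Help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text in find_unfilled_links(SAMPLE_BODY):
        print(f"unfilled template link: {href!r} (anchor text {text!r})")
```

A hit on this check is a strong reason to quarantine the message and, since the same template usually reappears once the token is filled, to keep the surrounding body text as a signature for the later, "fixed" blast.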

Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."

Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:

  • We need your tax information ASAP.
  • Your tax information needs verification.
  • Urgent update of tax information is requested.
  • Verify the correctness of your tax information.
  • Tax Information needed urgently.
  • Please update your tax information promptly.
  • Verify your information for INTUIT INC..

Message bodies also vary a little, but the basic intention is the same.

Somewhere along mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.

Microsoft Legal Department Malware Lure
Posted on January 25, 2012 at 10:43 AM

The latest in the malware lure campaign invokes the mighty piracy-fighting lawyers at Microsoft. In the email, the recipient is essentially accused of using pirated MS products, and he/she had better click the link to register a PC and avoid court. What a bunch of bullshit.

Here's the message:

Subject: Microsoft legal department

We've been tracking the illegally installed versions of our products for a long time, we've recently won tht claim in International Court, and we were alloud to request from the providers personal details of persons using the illegally installed versions of Microsoft products. We've decided to solve this problem avoiding court. After you follow this link, we register your PC as a legal one, thereby you avoid the judicial issues concerning presumably illegally instaled software on your PC.
With Respect To You
Emeline Welsh


SHA2 check sum: c084bfe116bfe1169dc08e16923723a5a5728e11169dcccccc08e6b572849237

How 'bout the typos and use of the non-word "alloud"? Hmmm, not what I'd expect from Microsoft's lawyers. Tee hee.

As a million times before, the link leads to a hijacked web site, where a page of obfuscated JavaScript can lead a user of an unprotected PC down the path of screwdom.

iPhone 5 Malware Lure
Posted on January 19, 2012 at 09:42 AM

Some believed that the "Think Different" ad campaign of Apple was grammatically incorrect. Not so. But here's a scam email that is way too incorrect:

Subject: Brand new iPhone 5 design

We are pleased to introduce you a piece of future. Take a look at the new iPhone's design here.

[35 line breaks omitted]

Copyright © 2012 Apple Inc. All rights reserved.

The link, of course, is not to any genuine Apple site (although the freshly-minted domain has "iphone5" in its name). It downloads a Windows executable...which is a piece alright, but not a piece of future.
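Two of the tells in that link are mechanical enough to check automatically: a brand keyword sitting in a domain the brand does not own, and a URL path that ends in a Windows executable. The following is an added example (not code from the original post) that applies both heuristics to a URL. The allowlist of brand-owned domains, the keyword map, and the sample URLs are all constructed; the two-label approximation of the registrable domain is a deliberate simplification (a production tool would consult the Public Suffix List).

```python
"""Heuristics for lure URLs: brand keywords in a non-brand domain and
direct executable downloads.  Added example with constructed data."""
from urllib.parse import urlparse

# Registrable domains each keyword legitimately belongs to (assumed list).
BRAND_KEYWORDS = {
    "apple": "apple.com",
    "iphone": "apple.com",
    "intuit": "intuit.com",
    "microsoft": "microsoft.com",
}

# Path suffixes that mean "this link hands the browser a Windows binary".
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Return a list of human-readable findings for the URL (empty = clean)."""
    findings = []
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registrable_domain(host)

    # A brand name anywhere in the hostname (not just the label) is a cheap
    # lookalike check; it will also catch innocent hosts like "pineapple.org",
    # so treat it as a triage signal, not a verdict.
    for keyword, owner in BRAND_KEYWORDS.items():
        if keyword in host and reg != owner:
            findings.append(f"brand keyword '{keyword}' in non-{owner} domain {reg}")

    if parts.path.lower().endswith(EXEC_SUFFIXES):
        findings.append(f"link delivers an executable: {parts.path}")
    return findings


# Constructed sample URLs: a lure-style link and a genuine-looking one.
LURE_URL = "http://iphone5-design-example.net/new/design.exe"
GENUINE_URL = "https://www.apple.com/iphone/"

if __name__ == "__main__":
    for u in (LURE_URL, GENUINE_URL):
        print(u, "->", assess_url(u) or "no findings")
```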

The OTHER Ben Bernanke
Posted on January 16, 2012 at 08:50 PM

Bank of America is frequently abused by crooks who try to gain a level of credibility in perpetrating their scams. The following is a slight variation on a frequent 419 (advance-fee) scam:

Subject: NOTIFICATION OF CREDIT FROM BANK OF AMERICA

NOTIFICATION OF CREDIT FROM BANK OF AMERICA.

Attn: Beneficiary,

We received a payment credit instruction from the Federal Government of Nigeria to credit your account with your full Inheritance fund of US$10.3Million from the Nigerian reserve account with our bank, Bank of America on 23rd of December, 2011.

However, you shall required to provide the followings data’s below:

{1}. Your Full Name and Address.
{2}. Your Confidential Tel, Cell and Fax.
{3). Your Bank name and address.
{4). Your A/c Name and A/c Numbers.:
(5). Your Swift Code / Routing Numbers.

Please do provide the above information accurately, because this office cannot afford to be held liable for any wrong transfer of funds or liability of funds credited into a ghost account.

Thanks for banking with Bank of America while we looking forward to serving you with the best of our service.


Thanks and God bless you.

Regards,

I omitted the full signature section because it's where the fun really begins:

[Image: Ben Bernanke's sign-off]

So, I'm supposed to believe that Ben Bernanke is an account officer at the Athens, GA branch of BofA, while also being Chairman of the Federal Reserve Bank of New York. Notice, however, that this is Ben M. Bernanke. The middle initial of the real Ben Bernanke is S. He's also the Chairman of the whole Federal Reserve. And something tells me that Ben S and Ben M are not identical twins with only distinguishing middle names.

Anyone who takes this email as genuine and responds needs some adult supervision. Seriously.

Goofy Malware Lure
Posted on January 13, 2012 at 11:30 AM

I'm kind of left speechless by this amateurish attempt to get unsuspecting recipients to click their way to PC infection:

Subject: Your order for chopper for the weekend

Your order for our air commuter services has been taken and processed. The rotorcraft will be at your disposal from 16.45 saturday to 7.30 p.m. wednesday. Once again, the rates are as follows:
1 hour in the air: 525$
Takeoff / Landing: 254$
1 hour standstill on the ground: 78$
Longest period in the air is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost consequently increases by 120$ per hour.

Tital to pay.doc 406kb
Best wishes
Trey Toney


Secure Checksum: 5a572849d084b57dccc03af4bf49

Clearly written by a non-U.S., English-as-a-third-language crook. Like so many of these messages, the link isn't to an attached document, but rather to a hijacked web site, where obfuscated JavaScript takes over.