Sophisticated Email Scam UPDATE

Please read this entire email so you understand why I sent it to you.

I recently received an email with the following From address: "Intuit E-Commerce Service" <quickbooks@notification.intuit.com>

The email Subject was "Invoice SN-8646 from GEEKSQUAD", so unless Intuit just bought BestBuy, it was obviously a scam email. Normally I would have just deleted it, but what concerned me was that the From email address was 100% valid. Looking at the From address is the first and most common thing people do to determine if an email is bogus, and I had never seen one that was actually correct. And when I looked at the message source it actually looks like it is from "@notification.intuit.com".

I saw a reply to a post with a similar issue where you just told them to delete it and sent a list of valid Norton email addresses. In this case the From address could have easily been a valid Norton address. So the solution I am looking for is to know HOW they got the email address in the message to look valid when it was not? Email message source is attached.

Thanks

Domain spoofing is possible because Simple Mail Transfer Protocol (SMTP) does not verify that a message was actually sent from the address that is entered in the "From" field. There are some new ways to authenticate the origin of the message, but not all companies use them.

Legitimate Domain Spoofing

The simplest form of the technique is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.

To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.

  • The SPF (Sender Policy Framework) standard allows a mail domain owner to restrict the set of IP addresses that can send messages from this domain, and lets the mail server check that the sender’s IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender’s domain specified in the SMTP envelope, which is used to transmit information about the email’s route between the mail client and the server, and is not shown to the recipient.
  • DKIM solves the problem of sender authentication by means of a digital signature generated on the basis of a private key stored on the sender’s server. The public key for authenticating the signature is placed on the DNS server responsible for the sender’s domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails (see here for how our solutions augment this technology and minimize false positives).

Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing methods that bypass authentication.

https://securelist.com/email-spoofing-types/102703/#legitimate-domain-spoofing
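To make the three checks in the quoted text concrete, here is an added example (written for this thread, not taken from Securelist, Norton or Intuit). It parses a message's From header and the Authentication-Results header that a receiving mail server would have added after doing its own SPF and DKIM checks, then applies the DMARC alignment rule: a "pass" only counts if the domain that passed matches the domain in the From header. The three messages are constructed samples, the receiving server name mx.example.net and the domain mailer-example.test are placeholders, and the organizational-domain reduction is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real captures). The Authentication-Results
# header stands in for what the receiving server "mx.example.net" (placeholder)
# recorded after doing its own SPF and DKIM checks.

# 1. Spoof: SPF and DKIM both pass, but for the sender's own domain
#    (mailer-example.test, placeholder), not for the domain in the From header.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@mailer-example.test;
 dkim=pass header.d=mailer-example.test
From: "Intuit E-Commerce Service" <quickbooks@notification.intuit.com>
Subject: Invoice SN-8646 from GEEKSQUAD

(body omitted)
"""

# 2. Legitimate: DKIM signed by the organizational domain of the From address.
LEGITIMATE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bounce.intuit.com;
 dkim=pass header.d=intuit.com
From: "Intuit E-Commerce Service" <quickbooks@notification.intuit.com>
Subject: Password reset

(body omitted)
"""

# 3. Unsigned spoof: no DKIM signature at all; SPF passes only for the
#    attacker's envelope (MAIL FROM) domain, which the recipient never sees.
UNSIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@mailer-example.test;
 dkim=none
From: "Intuit E-Commerce Service" <quickbooks@notification.intuit.com>
Subject: Invoice SN-8646 from GEEKSQUAD

(body omitted)
"""


def organizational_domain(domain: str) -> str:
    """Simplified: keep the last two labels. Real DMARC consults the
    Public Suffix List, so this is an assumption that holds for .com/.test."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict = exact match, relaxed = same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_authentication_results(value: str) -> dict:
    """Extract spf/dkim verdicts and the domain each verdict applies to."""
    text = " ".join(value.split())  # unfold the header
    out = {"spf": None, "spf_domain": "", "dkim": None, "dkim_domain": ""}
    m = re.search(r"\bspf=(\w+)", text)
    if m:
        out["spf"] = m.group(1).lower()
        d = re.search(r"smtp\.mailfrom=([^\s;]+)", text)
        if d:  # SPF is about the envelope sender, so strip any local part
            out["spf_domain"] = d.group(1).rsplit("@", 1)[-1]
    m = re.search(r"\bdkim=(\w+)", text)
    if m:
        out["dkim"] = m.group(1).lower()
        d = re.search(r"header\.d=([^\s;]+)", text)
        if d:  # DKIM vouches for the d= domain in the signature, not for From
            out["dkim_domain"] = d.group(1)
    return out


def dmarc_evaluate(raw_message: str, mode: str = "relaxed") -> dict:
    """DMARC passes if SPF or DKIM passed AND that domain aligns with From."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf_aligned = ar["spf"] == "pass" and is_aligned(ar["spf_domain"], from_domain, mode)
    dkim_aligned = ar["dkim"] == "pass" and is_aligned(ar["dkim_domain"], from_domain, mode)
    return {
        "from_domain": from_domain,
        "spf_pass": ar["spf"] == "pass",
        "spf_aligned": spf_aligned,
        "dkim_pass": ar["dkim"] == "pass",
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("unsigned", UNSIGNED)):
        print(name, dmarc_evaluate(raw))
```

The spoofed sample is the case the quoted text warns about: both SPF and DKIM say "pass", which is exactly what a naive reader of the headers sees, yet DMARC fails because neither pass is for intuit.com. Whether the receiving server then rejects the message depends on the policy the From domain publishes in its DMARC DNS record, which is why the quoted article stresses that not every company has this configured.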

Having no idea how they might have done this I can only say that this does sound very scary to me if they can spoof a legitimate email address like this from a well known company.

I guess your common sense took over and you knew it was a scam since something didn't seem right. Therefore we all must use our own intuition and brains to sense what the email is all about. Looking at the email address in and of itself is no longer sufficient to determine its legitimacy.

Thank you for posting.

It is a valid email address, according to Intuit. That said, I would also not open it if you don't recognize what it could be about. Intuit has a place to report these.

https://security.intuit.com/contact-us

You can also contact their support team, who can verify the authenticity.

https://quickbooks.intuit.com/learn-support/en-us/employees-and-payroll/re-i-have-been-getting-suspicious-emails-claiming-to-be-from/01/1123046/highlight/true#M97851

quickbooks@notification.intuit.com  - We use this email for approval, user ID, and password reset info from Intuit’s secure network.

https://quickbooks.intuit.com/learn-support/en-us/help-article/data-security/official-email-communication-intuit-payments/L1nPm9JA1_US_en_US

How did you verify that @notification.intuit.com is valid? Adding that 'notification.' to intuit.com would be easy for a scammer. For the Norton scam emails there is a published list of valid Norton emails. Is this email from Norton legitimate?

Do you use Quickbooks? You can always contact Intuit's support to ask if the email address is legit.