Friday, January 11, 2008

New IRS Virus page taxes users

A phishing site hosts fraudulent bank pages, and an IRS look-alike virus

A new round of spam, first noticed on January 8th, has been observed by anti-phishing researchers at the University of Alabama at Birmingham. In many ways the spam is typical phishing emails, trying to trick users into visiting a fraudulent website. This family of emails uses the domains listed below to host several different phishing campaigns, each in a different subdirectory. For example:

/_mem_bin/formslogin.asp = Intelligent Finance
/default.aspx = NatWest Bank
/confirm.asp = Royal Bank of Scotland

But in addition to the traditional phishing, or bank fraud websites, which try to steal userids and passwords for online banking accounts, this spam campaign also includes a fake Internal Revenue Service website - and it isn't asking for your password!

/importantpubs/index.htm = Internal Revenue Service

After giving a warning to "Business/Corporate Treasury Managers and Accountants", the fraudulent IRS website claims to have "important recent changes to business and corporate tax laws".




Each of the links which claim to be a new document with important tax information actually is a link to a virus! With file names like:

ALL_TAXPAYERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
ESTATE_AND_TRUST_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
EXCISE_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
EXEMPT_ORG_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
FOREIGN_ISSUES_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
IRA_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE

the virus attempts to trick users into opening the file. If successful, the user will think he is getting information to share his taxes with the IRS, but actually the user will begin to share their information with criminals instead!

Some of the domains hosting this virus so far:

New Sites
jan77.net
aut33.com
pid28.com
com61.net
inf32.net
sid24.net
chcpi.com
chk08.net
dll57.com
idp56.us
user94.net
Older sites
ssl--jan08.com
ssl--site.com
ssl-jan08site.com
url-sslsite.com
update-ssl.com
url-ssl.com
confirm--07jan.com
6jan-update.in
securesafesite.net
myupdatesite.net
comssl.net
secure--confirm.net
06jan--confirm.net
7jan--verify.net

REMEMBER! The IRS is not going to send you an email to warn you about new documents or ask you to login. Several major anti-virus products do not yet detect this virus! Be safe! Do not click on links sent to you in email. If you need new tax documents, visit the real website at: http://www.irs.gov/.



As we have seen in so much recent malware, the websites are being rotated to include hosting on many servers. Here are the sites which are serving the malware according to our most recent query, but there may be many many more.


83.9.136.40 - Warsaw, Poland
77.253.113.235 - Warsaw, Poland
24.93.127.106 - Columbus, Ohio
69.201.136.16 - New York, New York
128.118.145.125 - Penn State University
87.209.100.8 - Amsterdam, the Netherlands
144.162.93.16 - Dallas County Community College
80.85.229.201 - Tarnow, Poland

_-_
gary warner
http://www.cis.uab.edu/forensics/

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.