Wednesday, October 14, 2009

IRS Zeus via Geocities

After a couple of days with no "IRS Zeus" spam, the flow of spam messages has restarted. The new spam messages are exactly like the ones we've been seeing since September 9th, with one very significant difference:


Subject: Notice of Underreported Income


Taxpayer ID: e0cdd8db-00000684284766US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: e0cdd8db-00000684284766US

Internal Revenue Service


Two changes are that my email address is no longer part of the "taxpayer id", nor is it part of the URL to which the spam directs me.

When I followed the link in the most recent spam message, I "eventually" ended up on this website:

http://www.irs.gov.nerrasssb.co.uk/fraud_application/directory/statement.php?tid=target-00000169290787US

However, that URL is *NOT* what is present in the email messages! The links the messages actually carry point at Geocities pages, which pass the visitor along to that final site:

http://geocities.com/AnnabelleRichardson78/yredaxubu.htm
http://geocities.com/AshleyWyatt42/ohulociqam.htm
http://geocities.com/AustinHobbs20/nulaxubumul.htm
http://geocities.com/AveryGoodwin43/ihociqamy.htm
http://geocities.com/bcwowpuyne/yredaxubu.htm
http://geocities.com/BillSantos33/nulaxubumu.htm
http://geocities.com/BriannaHensley06/yredax.htm
http://geocities.com/DamienMorris57/apegapyzap.htm
http://geocities.com/ddfsteyxbext/alynahej.htm
http://geocities.com/DevinSnyder65/ikahejov.htm
http://geocities.com/EdwinRandall53/nulaxubumul.htm
http://geocities.com/EltonLawson02/uwalajahe.htm
http://geocities.com/foayoqetpxe/nulaxu.htm
http://geocities.com/FreddyCampbell36/ohuloc.htm
http://geocities.com/hshybmbcg/alynah.htm
http://geocities.com/KirbyRaymond27/ociqam.htm
http://geocities.com/kktpxdqnhb/ulociqamy.htm
http://geocities.com/kmbxpkrkpe/byhegap.htm
http://geocities.com/ktywgegrcudf/byhegapy.htm
http://geocities.com/LiliaMathews67/yredaxubu.htm
http://geocities.com/MarionHudson45/nulaxu.htm
http://geocities.com/MasonSalinas48/rociqamynah.htm
http://geocities.com/MiguelPatterson69/ohuloci.htm
http://geocities.com/MilesFlowers05/alynah.htm
http://geocities.com/msxpytqms/apegapyz.htm
http://geocities.com/MurrayWaters50/byhegapy.htm
http://geocities.com/nmxtumdrfrff/alynah.htm
http://geocities.com/npxqrwxww/apegapyz.htm
http://geocities.com/ocaxbasohmgo36/hiqamyna.htm
http://geocities.com/rhauwqyee/nulaxubumul.htm
http://geocities.com/RobinWhitley59/byhegapy.htm
http://geocities.com/RussChandler61/yredax.htm
http://geocities.com/sfgesqfhrtrx/yredaxubu.htm
http://geocities.com/ShirleyTrevino49/bumulociqa.htm
http://geocities.com/TanyaWeber50/nulaxubumu.htm
http://geocities.com/TiffanyKirby11/yredaxubumu.htm
http://geocities.com/TyreeOsborne93/byhegapyz.htm
http://geocities.com/ufxesabsq/apegap.htm
http://geocities.com/WadeJoyce45/mulociqam.htm
http://geocities.com/yoqrawycf/yredaxubumu.htm
http://geocities.com/zgdgesbnw/ynahejoveke.htm
http://geocities.comgeoffreyPowell47/yredaxubum.htm

Of course, none of these URLs is actually the final destination; each Geocities page is just a hop on the way to the irs.gov.nerrasssb.co.uk site above.
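The final hostname above is built so that the familiar "irs.gov" appears at the front while the domain that is really being visited is nerrasssb.co.uk, and the email itself only ever shows a free-hosting (Geocities) link. The following Python script is an added example, not code from the original post: it pulls the URLs out of a message body and sorts each into "brand" (really served under irs.gov), "lookalike" (irs.gov embedded in someone else's hostname), "free-host" (a throw-away page on a free host) or "other". The hostnames come from the post; the message text, the BRAND_DOMAINS and FREE_HOSTS sets and the tiny public-suffix table are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a message body shaped like the spam quoted in the post.
# The hostnames are the ones the post reports; the surrounding text is made up.
SAMPLE_EMAIL = """Subject: Notice of Underreported Income
Taxpayer ID: e0cdd8db-00000684284766US
Please review your tax statement on Internal Revenue Service (IRS) website:
http://geocities.com/AnnabelleRichardson78/yredaxubu.htm
http://www.irs.gov.nerrasssb.co.uk/fraud_application/directory/statement.php?tid=target-00000169290787US
https://www.irs.gov/individuals
"""

# Domains the impersonated organization really owns (assumption for this example).
BRAND_DOMAINS = {"irs.gov"}
# Free web hosts frequently used for disposable redirector pages (assumption).
FREE_HOSTS = {"geocities.com"}
# Minimal public-suffix table; a real deployment would load the full Public
# Suffix List. These entries are just the ones the sample needs.
PUBLIC_SUFFIXES = {"com", "gov", "net", "org", "uk", "co.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in the message body, in order."""
    return URL_RE.findall(text)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (longest public suffix + 1 label)."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):  # first hit from the left is the longest suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def embeds_brand(host: str, brand: str) -> bool:
    """True if the brand's labels appear as a contiguous run inside the host's labels."""
    h, b = host.lower().split("."), brand.lower().split(".")
    return any(h[i:i + len(b)] == b for i in range(len(h) - len(b) + 1))


def classify_url(url: str) -> str:
    """Classify a single URL by who actually controls its hostname."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in BRAND_DOMAINS:
        return "brand"        # genuinely served from irs.gov
    if any(embeds_brand(host, b) for b in BRAND_DOMAINS):
        return "lookalike"    # irs.gov used only as a decoy prefix
    if reg in FREE_HOSTS:
        return "free-host"    # disposable page, probably a redirector hop
    return "other"


def triage(text: str) -> list:
    """Pair every URL in the message with its verdict."""
    return [(u, classify_url(u)) for u in extract_urls(text)]


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Run against the constructed message, the Geocities link is reported as "free-host", the irs.gov.nerrasssb.co.uk link as "lookalike", and only the real www.irs.gov link as "brand". The registrable-domain step is what matters: a substring match on "irs.gov" alone would accept the lookalike, which is exactly the confusion the spam relies on.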

The current malware sample is:

File size: 89600 bytes
MD5: d62e9d994d587e94e04ad3f75ff14f69

You can see a VirusTotal report which shows a 6 of 41 detection rate: only six anti-virus products out of 41 currently recognise this file as malware.
