Each day we review Today's Top Threats for the Malcovery "T3" report. Quite a few of them have imitated tax related issues, from the Internal Revenue Service (IRS) themselves, to Intuit, the makers of the popular TurboTax software, to assorted warnings that problems have occurred with your filing.
Here are a few of my recent favorites:
Feb 12, 2013: IRS
Our email subjects for this campaign sounded serious:
count | subject
-------+------------------------------------------------------------------------------------------
446 | surcharge for delay of tax return filling
381 | forfeiture for delay of tax return filling
363 | forfeit for delay of tax return filling
361 | pecuniary penalty for delay of tax return filling
350 | fine for delay of tax return filling
315 | penalty for delay of tax return filling
124 | Income Tax Refund TURNED DOWN
108 | Income Tax Refund NOT ACCEPTED
94 | Income Tax Refund NOT APPROVED
90 | Income Tax Refund RETURNED
87 | Income Tax Refund CANCELED
74 | Income Tax Refund REJECTED
In this case there were at least 59 hacked websites that were advertised in the spam messages. Here are some of the top ones:
Feb 14, 2013: TurboTax
In this campaign, the spammers hope we will believe that TurboTax is informing us that our "State Tax Return" has been rejected. In reality, the "please find information attached" is a zip file with a random name of the form tax_RANDNUMBERS.zip. The zip file (MD5 = '44e31cab12de506e9b7e9df3c4414cef') is now widely detected, but that was not the case on the day of the campaign.
Mar 13, 2013: Intuit
The poor English in the subject of this spam message, "Payroll Account Holded by Intuit", may have helped prevent victimization.
But 146 hacked websites were still being used to redirect traffic to the Black Hole Exploit server. Even though this spam campaign is now six days old, many of the links are still active: one followed this morning (March 19, 2013) redirects to the website "heelicotper.ru" on the path "forum/links/column.php". That domain resolves to 89.110.131.10, 132.230.75.95, 188.165.202.204, and 50.22.0.2, and several of the links sent in the original spam message will still drop malware from the exploit server.
This morning the file we received renamed itself to KB01148523.exe and disguises itself as an "Advanced display adapter" driver update, claiming to be from "Microsoft Corporation". Its MD5 is 8fe6968cab2b12ae486628c1a07cb86.
How do you find the machines in your network that might be infected, when the detection rate (currently 9 of 46 at VirusTotal) means that AVG, Avast, F-Prot, Microsoft, Symantec, Sophos, and Trend Micro would all miss this malware? We recommend looking for the BEHAVIOR of this malware in your network or web proxy logs. If a machine visited one of the hacked sites, or, more importantly, the site they redirect to (heelicotper.ru), then that machine needs to be examined and remediated.
Mar 13, 2013: EFTPS
Last for now, the spam claiming to be from "The Electronic Federal Tax Payment System" (EFTPS) used a different subject for every email, with a random number stuck into the subject line: "Tax Payment N (RANDOM NUMBER HERE) is failed."
Seventy-eight hacked websites were used by this one to redirect visitors to a Black Hole Exploit Server. Just like above, the "loading.htm" pages redirect to a Black Hole Exploit server that will drop malware onto your computer.
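As an added example (not part of the original report and not Malcovery's own tooling), here is a small Python triage script for the "look for the behavior in your proxy logs" advice given for the Intuit and EFTPS campaigns above: it scans web proxy log lines for the landing-page names used on the hacked sites (report.htm, loading.htm, and the IRS campaign's *_irs.html pages) and for the heelicotper.ru exploit server and the four IPs it resolved to, then ranks each client. The Squid-style log format and the sample log lines are assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Indicators quoted in the report above: the Black Hole landing host and the
# IPs it resolved to (Intuit campaign), plus the landing-page file names used
# on the compromised sites in the IRS, Intuit and EFTPS campaigns.
BHEK_HOSTS = {"heelicotper.ru", "89.110.131.10", "132.230.75.95",
              "188.165.202.204", "50.22.0.2"}
LANDING_PATH = re.compile(
    r"/(?:report|loading)\.htm$|/(?:rjtra?|rjtd)_irs\.html$|/irs_rjtra?\.html$")

# Squid-style access log: "ts elapsed client action/code bytes method url"
# (format assumed; the sample below is constructed, not a real capture).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
URL_RE = re.compile(r"^[a-z]+://([^/:]+)(?::\d+)?(/[^?#]*)?", re.I)

SAMPLE_LOG = """\
1363698001.123 45 10.1.2.30 TCP_MISS/200 512 GET http://www.mysteam.ru/report.htm
1363698002.456 80 10.1.2.30 TCP_MISS/200 9321 GET http://heelicotper.ru/forum/links/column.php
1363698003.789 12 10.1.2.31 TCP_MISS/200 2048 GET http://www.example.com/index.html
1363698004.000 33 10.1.2.32 TCP_MISS/200 777 GET http://forum.garudaflyff.web.id/loading.htm
1363698005.000 50 10.1.2.33 TCP_MISS/200 1234 GET http://188.165.202.204/forum/links/column.php
""".splitlines()

def classify(url):
    """Return 'exploit-server', 'landing-page' or None for one requested URL."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host in BHEK_HOSTS:
        return "exploit-server"          # reached the Black Hole server itself
    if LANDING_PATH.search(path):
        return "landing-page"            # hit a redirector page on a hacked site
    return None

def triage(lines):
    """Group indicator hits per client. A client that reached the exploit server
    is 'remediate'; one that only touched a landing page is 'examine' (the
    redirect may have happened without the proxy logging the follow-on request)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and (kind := classify(m.group("url"))):
            hits[m.group("client")].append((m.group("ts"), kind, m.group("url")))
    return {c: {"level": "remediate" if any(k == "exploit-server" for _, k, _ in h)
                else "examine", "hits": h} for c, h in hits.items()}

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info["level"], [u for _, _, u in info["hits"]])
```

Feed it your real proxy log instead of SAMPLE_LOG; only clients that touched an indicator are returned, so an empty result means no hits in that log window.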