    TrendLabs researchers have discovered a number of bogus Internal Revenue Service (IRS) Web sites containing links to a host of malicious .EXE files. These bogus Web sites try to entice business managers and accountants into clicking links that supposedly lead to information on the latest updates to corporate tax laws.

    Also, it appears that some of the domains associated with sites hosting these pages may be sitting on Storm botnet fast-flux nodes, so the “back-end” host IP addresses change often. This may be an extension of other phishing and malware activities recently suspected of being hosted in the Storm botnet.

    Here’s a screenshot of one of the fake Web sites:

    {IRS fake Web site}

    Clicking on any of these links leads users to download files with such names as:

    • ALL_TAXPAYERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • ESTATE_AND_TRUST_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • EXCISE_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • EXEMPT_ORG_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • FOREIGN_ISSUES_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
    • IRA_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE

    According to Senior Threat Analyst Joey Costoya, these are the same files but with different file names, all of which are detected by Trend Micro as BKDR_ASPROX.B.
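A defender can look for both traits noted above, document-themed names on executable downloads and one file served under many names, in download logs. The following is an added example, not code from TrendLabs; the log format, digest placeholders, and extension and token lists are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed, non-exhaustive lists of executable extensions and document-type tokens.
EXEC_EXT = {"exe", "scr", "com", "pif"}
DOC_TOKENS = {"pdf", "doc", "xls", "rtf"}

# Constructed proxy-log sample: "client filename content-digest".
# Digests are placeholders, not real hashes of the files in the post.
SAMPLE_LOG = """\
10.0.0.5 ALL_TAXPAYERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE digest-A
10.0.0.9 INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE digest-A
10.0.0.7 FOREIGN_ISSUES_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE digest-A
10.0.0.5 setup.exe digest-B
10.0.0.8 tax_form.pdf digest-C
"""

def masquerades_as_document(filename):
    """True if an executable's name ends its stem with a document-type token."""
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or ext not in EXEC_EXT:
        return False
    tokens = [t for t in re.split(r"[^a-z0-9]+", stem) if t]
    return bool(tokens) and tokens[-1] in DOC_TOKENS

def analyze(log_text):
    """Return (flagged filenames, digests seen under more than one name)."""
    names_by_digest = defaultdict(set)
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, filename, digest = parts
        names_by_digest[digest].add(filename)
        if masquerades_as_document(filename) and filename not in flagged:
            flagged.append(filename)
    renamed = {d: sorted(n) for d, n in names_by_digest.items() if len(n) > 1}
    return flagged, renamed

if __name__ == "__main__":
    flagged, renamed = analyze(SAMPLE_LOG)
    for name in flagged:
        print("document-themed executable:", name)
    for digest, names in renamed.items():
        print(f"{digest}: one file served under {len(names)} names")
```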

    On the bright side of things, the bogus domains are actively being blocked by Trend Micro products and are no longer accessible to Trend Micro customers.

    The IRS seems to be a frequent target of malicious users, and we actively engage investigators from the U.S. Treasury Department when these issues arise.

    Last November, two separate email runs were found to use the name of the IRS: the first solicited donations for victims of the California wildfire, while the second promised users a tax refund and contained a link that pointed to a phony IRS site, which phished for users’ credentials.











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice