TrendLabs researchers have discovered a number of bogus Internal Revenue Service (IRS) Web sites containing links to a host of malicious .EXE files. These bogus Web sites are aimed at business managers and accountants, luring them into clicking links that supposedly lead to information on the latest updates to corporate tax laws.
Also, it appears that some of the domains associated with sites hosting these pages may be sitting on Storm botnet fast-flux nodes: the domains resolve to a rotating set of compromised hosts with short DNS TTLs, so the "back-end" IP addresses change often and blocking any single address has little effect. This may be an extension of other phishing and malware activities recently suspected of being hosted in the Storm botnet.
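The fast-flux behaviour described above can be checked with repeated DNS lookups. The following is an added example (not code from the original post or from Trend Micro) that scores a series of A-record lookups on the usual fast-flux indicators: low TTL, many distinct IPs, those IPs spread across many networks, and a high rate of change between consecutive answers. The thresholds and the two sample lookup series are constructed for illustration; the /16 grouping is a stand-in for a per-ASN lookup, which needs external data.

```python
"""Fast-flux heuristic over a series of DNS A-record lookups (added example)."""
import ipaddress
from collections import namedtuple

# One DNS answer: seconds since the first query, the record TTL, and the A records returned.
Lookup = namedtuple("Lookup", ["t", "ttl", "ips"])

# Constructed sample: a domain whose answers rotate every 180 s across unrelated networks,
# the pattern a fast-flux service network produces. These addresses are illustrative only.
SAMPLE_FLUX = [
    Lookup(0,   180, ["24.10.5.17", "68.33.201.9", "98.201.44.2"]),
    Lookup(180, 180, ["68.33.201.9", "71.56.12.88", "207.118.3.41"]),
    Lookup(360, 180, ["71.56.12.88", "76.22.99.130", "99.144.7.25"]),
    Lookup(540, 180, ["12.178.33.6", "76.22.99.130", "173.52.18.90"]),
    Lookup(720, 180, ["24.10.5.17", "173.52.18.90", "66.41.22.3"]),
]

# Constructed sample: an ordinary site with a day-long TTL and a stable pair of addresses.
SAMPLE_STATIC = [
    Lookup(i * 3600, 86400, ["192.0.2.10", "192.0.2.11"]) for i in range(5)
]


def summarize(lookups):
    """Collect the indicators a fast-flux heuristic scores."""
    all_ips = set()
    for lk in lookups:
        all_ips.update(lk.ips)

    # Group by /16 as a cheap proxy for "how many different networks host this domain".
    # A real triage tool would map each IP to its ASN instead (assumption: no ASN data here).
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in all_ips}

    # Churn: fraction of consecutive lookups whose answer set differs from the previous one.
    changes = sum(
        1 for prev, cur in zip(lookups, lookups[1:]) if set(prev.ips) != set(cur.ips)
    )
    churn = changes / (len(lookups) - 1) if len(lookups) > 1 else 0.0

    return {
        "unique_ips": len(all_ips),
        "unique_nets": len(nets),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": round(churn, 2),
    }


def is_fast_flux(lookups, max_ttl=300, min_unique_ips=5, min_unique_nets=3, min_churn=0.5):
    """Flag a lookup series as fast-flux when every indicator crosses its (assumed) threshold."""
    s = summarize(lookups)
    return (
        s["min_ttl"] <= max_ttl
        and s["unique_ips"] >= min_unique_ips
        and s["unique_nets"] >= min_unique_nets
        and s["churn"] >= min_churn
    )


if __name__ == "__main__":
    for name, series in (("flux sample", SAMPLE_FLUX), ("static sample", SAMPLE_STATIC)):
        print(name, summarize(series), "fast-flux" if is_fast_flux(series) else "normal")
```

To feed real data into `summarize`, poll the suspect domain at intervals shorter than its TTL and record each answer's TTL and A records (with dnspython, `dns.resolver.resolve(name, "A")` returns an answer whose `rrset.ttl` and records give both). The thresholds above are deliberately conservative so that CDN-hosted sites, which also have low TTLs and several IPs but usually sit in one or two networks, do not trip the check on TTL alone.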
Here’s a screenshot of one of the fake Web sites:
Clicking on any of these links leads users to download files with such names as:
According to Senior Threat Analyst Joey Costoya, these are the same files but with different file names, all of which are detected by Trend Micro as BKDR_ASPROX.B.
On the bright side of things, the bogus domains are actively being blocked by Trend Micro products and are no longer accessible to Trend Micro customers.
The IRS seems to be a frequent target of malicious users, and we actively engage investigators from the U.S. Treasury Department when these issues arise.
Last November, two separate email runs were found to use the name of the IRS: the first solicited donations for victims of the California wildfires, while the second promised users a tax refund and contained a link that pointed to a phony IRS site, which phished for users' credentials.