As tax preparation season is in full swing in the USA, attacks continue to surface. Sunbelt reports a highly convincing targeted attack that was made on one of their key financial contacts. The IRS, government agencies, and banks do not use email as a primary method of contact, and when such messages are received, please avoid selecting any links or attachments. When in doubt about any email message, please contact the originating party by phone.
QUOTE: This afternoon, we got a highly customized email purporting to come from the IRS, which, of course, does nothing more than load malware. The email is made out to a key financial contact here at Sunbelt.
Once clicked, the .scr file downloads several other files and reaches out to several servers, including the "Office of the Attorney General - California Department of Justice", from which a PDF file is downloaded and opened using your default PDF viewer. The entire purpose of this PDF is to make things look official. Otherwise, it's meaningless, and does not appear to be malicious.
Then a number of other URLs are contacted to download malware, and the user is left with a keylogger on their system. It also appears that malware is downloaded from a number of compromised sites.
The Internet Storm Center team also shares more information:
EMAIL FORMAT USED: Dear [Name of Executive], I am sorry but in order for [Name of Firm] to get a tax refund, all the fields must be completed. Please complete the missing fields on the attached form and re-send it to me.
nicely adorned with bells & whistles to make it look like it really comes from the IRS. Another series uses the old "A tax complaint has been filed against you" line, which probably is less likely to get the Execs to click. But who doesn't want a refund ...
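The lure above rides on a single weak point: the "attached form" is a .scr file, which Windows treats as an ordinary executable and, with "hide extensions for known file types" on by default, displays a name like refund_form.pdf.scr as refund_form.pdf. The following script is an added example, not code from Sunbelt, the ISC, or the original post. It builds a constructed .eml that mimics the refund lure (sender, subject, body text and the dummy "MZ" payload are all made up for the demo; no real malware is involved), then triages each attachment for the three tells a mail gateway or analyst would check: an executable extension, a document-looking double extension, and a PE "MZ" header that does not match the declared content type or extension.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as programs on double-click; a .scr "screensaver"
# is just a PE executable with a different suffix.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".cpl", ".msi"}
# Document-looking inner extensions used to dress up a double extension.
DECOY_INNER_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".htm", ".html"}
# Content types under which a raw PE would at least be declared honestly.
PE_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload"}


def attachment_findings(filename, data, content_type=None):
    """Return the reasons an attachment looks like a disguised executable."""
    reasons = []
    name = (filename or "").strip().lower()
    base, ext = os.path.splitext(name)
    inner = os.path.splitext(base)[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if inner in DECOY_INNER_EXTS:
            reasons.append(f"double extension {inner}{ext}")
    # Every PE (exe, dll, scr) starts with the 'MZ' DOS stub, whatever the name says.
    if data[:2] == b"MZ":
        if ext not in EXECUTABLE_EXTS:
            reasons.append("PE header (MZ) under non-executable extension")
        if content_type and content_type not in PE_CONTENT_TYPES:
            reasons.append(f"PE header (MZ) but declared {content_type}")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return [(filename, reasons)] for suspect parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        data = part.get_payload(decode=True) or b""
        reasons = attachment_findings(fname, data, part.get_content_type())
        if reasons:
            findings.append((fname, reasons))
    return findings


def build_sample_lure():
    """Constructed sample message in the shape of the IRS refund lure (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "refunds@irs-refund.invalid"      # constructed, spoofed-looking sender
    msg["To"] = "cfo@example.com"
    msg["Subject"] = "Tax refund: missing fields"
    msg.set_content(
        "Dear Executive, I am sorry but in order for Example Corp to get a tax "
        "refund, all the fields must be completed. Please complete the missing "
        "fields on the attached form and re-send it to me."
    )
    # Constructed dummy payload: an 'MZ' stub plus filler, not an actual program.
    fake_pe = b"MZ" + b"\x00" * 62 + b"placeholder bytes, not a real executable"
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="refund_form.pdf.scr")
    # A genuine-looking decoy document that should NOT be flagged.
    msg.add_attachment(b"%PDF-1.4 placeholder decoy", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reasons in scan_message(build_sample_lure()):
        print(f"{fname}: {'; '.join(reasons)}")
```

The MZ check is the one worth keeping even if the extension lists are tuned away: an attacker controls the filename and the declared MIME type, but a Windows executable still has to begin with the DOS stub to run, so a header/extension mismatch is a far more durable signal than the extension alone.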