Dangerous IRS Spam Run in Circulation

By on February 16th, 2011 11:59 GMT

Security researchers from email security provider AppRiver warn of a new IRS-themed spam campaign that takes advantage of the tax filing season to distribute a variant of the infamous ZeuS banking trojan.

The rogue emails bear the subject "Your Federal Tax Payment Notice sn#######" (where each # is a digit) and carry forged headers so that they appear to originate from an IRS address.

The message body tells recipients that their federal tax payment was rejected by the Electronic Federal Tax Payment System (EFTPS) and asks them to correct the error.

"Urgent Report! Your Federal Tax Payment ID: ########## has been rejected. Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

"Please, check the attached information and refer to Code R21 to get details about your company payment in transaction contacts section," the message reads.

The attached file is named IRS-TAX-Notification-printing-form-SN########.zip and contains a ZeuS crimeware variant that, at the time of writing, had a very low detection rate on VirusTotal.
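The subject pattern, the spoofed irs.gov sender, the "R21" lure text and the executable-bearing ZIP are enough to write a simple mail-gateway heuristic. The following is an added example (not AppRiver's or the article's code): it parses a raw message, collects the indicators the article describes, and flags the message when several coincide. The threshold, the digit counts in the regexes and the two sample messages (built inline with a placeholder payload, not real malware) are assumptions; note also that the From: check only confirms what the header claims, so a real deployment would pair it with SPF/DKIM results rather than trust the header alone.

```python
"""Heuristic detector for the IRS / EFTPS "R21" ZeuS lure.

Added example, not the article's or AppRiver's code. Indicator values follow the
article; threshold and sample messages are assumptions constructed for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Your Federal Tax Payment Notice sn\d{7}$", re.I)
ATTACH_RE = re.compile(r"^IRS-TAX-Notification-printing-form-SN\d{8}\.zip$", re.I)
R21_RE = re.compile(r"\bReturn Reason Code R21\b")
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def indicators(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject-pattern")
    # Forged From: header claiming an irs.gov address (claim only; verify with SPF/DKIM).
    if re.search(r"@irs\.gov\b", msg.get("From", ""), re.I):
        hits.append("claims-irs-sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and R21_RE.search(body.get_content()):
        hits.append("r21-lure-text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment-name")
        if name.lower().endswith(".zip"):
            try:
                zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
            except zipfile.BadZipFile:
                continue
            # A ZIP whose contents are an executable is the delivery mechanism here.
            if any(n.lower().endswith(EXEC_EXT) for n in zf.namelist()):
                hits.append("executable-in-zip")
    return hits


def is_suspicious(raw: bytes, threshold: int = 3) -> bool:
    """Flag when enough independent indicators coincide (threshold is an assumption)."""
    return len(indicators(raw)) >= threshold


def build_sample(subject, sender, body_text, attach_name=None, inner_name=None) -> bytes:
    """Construct a test message; optionally attach a ZIP holding one placeholder file."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "accounts@example.com"
    msg.set_content(body_text)
    if attach_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, b"MZ" + b"\x00" * 64)  # placeholder bytes, not malware
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attach_name)
    return msg.as_bytes()


# Constructed samples: one mimicking the lure, one benign preparer notification.
LURE = build_sample(
    "Your Federal Tax Payment Notice sn1234567",
    "EFTPS <notice@irs.gov>",
    "Urgent Report! Your Federal Tax Payment ID: 0123456789 has been rejected. "
    "Return Reason Code R21 - The identification number used in the Company "
    "Identification Field is not valid.",
    "IRS-TAX-Notification-printing-form-SN12345678.zip",
    "IRS-TAX-Notification-printing-form.exe",
)
BENIGN = build_sample(
    "Your return has been sent to the IRS",
    "TaxPrep Co <status@taxprep.example>",
    "We have transmitted your return and will email you when it is accepted.",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, indicators(raw), is_suspicious(raw))
```

Scoring several weak signals rather than blocking on any single one keeps false positives down: a mail that merely mentions an irs.gov address, or merely carries a ZIP, scores one point, while the lure as described lights up every indicator.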

The reference to a "Company Identification Field" makes it clear that whoever is behind this spam run is targeting businesses, and ZeuS has a long track record of helping fraudsters steal money from organizations by harvesting their online banking credentials.

According to AppRiver security researcher Troy Gill, the fake emails are not only well crafted, but also very well timed.

"Every individual claiming certain deductions and using tax software to e-file their return would have had their tax return held by the tax preparation company [...] until Feb. 14th, then sent automatically [...].

"Most of these individuals would have received an email yesterday stating that their tax return has been 'sent' to the IRS and that they would receive another email confirmation once the return had been 'accepted'," the security expert explains.

Of course, legitimate status notifications of this kind come from the tax preparation company, not from the IRS, which does not initiate contact with taxpayers by email. In addition, this "Code R21" lure has been used in earlier malware distribution campaigns, so hopefully some recipients already recognize it.
