Users get directed to a malware-serving website

Sep 10, 2009 14:29 GMT

Security researchers warn that fake email messages purporting to be from the IRS are attempting to infect recipients by directing them to a malicious website. This malware distribution campaign has been traced back to the Cutwail spam botnet.

This new scam has been reported by email and Web protection company MX Logic, which is currently in the process of being acquired by security giant McAfee. "Over the past 3 hours we have been watching approximately 90,000 of these messages hitting our systems per hour," the company's spam analysts warn.

The emails attempt to scare users into visiting a malicious link by falsely informing them that they misreported their income to the IRS. "Issue: Unreported/Underreported Income (Fraud Application). Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below)," the messages, claiming to originate from [email protected], read.

Clicking on the URL opens a Web page bearing the IRS logo, which contains another link to a file called tax_statement.exe. Downloading and opening the executable will install malware on the computer.

Cutwail, also known as Pushdo, is currently one of the largest spam-sending botnets in the world and is responsible for a big percentage of the daily junk mail traffic.

The botnet was crippled back in June, when the Federal Trade Commission obtained a court order that led to the shutdown of the Triple Fiber Network (3FN), a rogue ISP that harbored many of its command-and-control servers. However, this particular army of zombie computers has since regained traction and is now amongst the big players again.

The IRS is probably the most spoofed governmental agency in illegal scams such as phishing, malware distribution or Nigerian 419 letters. However, tax administration bodies in other countries have been targeted as well. Back in January, we reported a similar scheme that spoofed Canada's Revenue Agency (CRA); in June, the Australian Tax Office (ATO) was targeted, while in July it was the turn of Her Majesty's Revenue & Customs.
