Oct 18, 2010 06:15 GMT  ·  By

Security researchers warn that a ZeuS distribution campaign producing emails about failed electronic tax payments has significantly increased its aggressiveness over the weekend.

The rogue emails started hitting inboxes earlier last week and come with a subject of "Your Tax Payment ID ######### is failed. Update information" (where # is a single digit).

Their From field is spoofed to appear as if they originate from "EFTPS Tax Payment" <[email protected]>, and they inform users that their tax payments submitted through the Electronic Federal Tax Payment System (EFTPS) have failed.

Furthermore, the messages claim that the payment failed with an R21 error code and provide a link allegedly to obtain additional information.
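The traits described above (the subject pattern with a nine-digit ID, the spoofed display name, the R21 code and the link) can be combined into a mail-filter check. The Python below is an added example, not code from the article or from AppRiver; the function names, the flagging threshold and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject quoted in the article; each '#' is a single digit (nine in total).
SUBJECT_RE = re.compile(
    r"Your Tax Payment ID \d{9} is failed\. Update information", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def lure_indicators(raw):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # Collapse folded whitespace before matching the subject line.
    subject = " ".join(str(msg.get("Subject", "")).split())
    if SUBJECT_RE.search(subject):
        hits.append("subject")
    # Only the display name is compared: the address itself is spoofed.
    display, _addr = parseaddr(str(msg.get("From", "")))
    if display.strip().lower() == "eftps tax payment":
        hits.append("from_display_name")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if re.search(r"\bR21\b", body):
        hits.append("r21_code")
    if URL_RE.search(body):
        hits.append("link")
    return hits

def is_eftps_lure(raw):
    """Assumed policy: exact subject match, or any three weaker traits."""
    hits = lure_indicators(raw)
    return "subject" in hits or len(hits) >= 3

# Constructed sample messages (not captured from the campaign).
LURE = """From: "EFTPS Tax Payment" <sender@example.invalid>
Subject: Your Tax Payment ID 010345678 is failed. Update information

Your federal tax payment was rejected with error code R21.
Details: http://example.invalid/report
"""
BENIGN = """From: "Accounts Team" <accounts@example.org>
Subject: Quarterly tax payment reminder

The quarterly payment is due Friday: https://example.org/pay
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, lure_indicators(raw), is_eftps_lure(raw))
```

A link on its own is not treated as suspicious, which is why the benign message passes despite containing one.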

Clicking on this link takes recipients through a series of redirects until they land on a drive-by download page, where their computers are targeted with exploits for outdated versions of several popular applications.

Successful exploitation results in a variant of the infamous ZeuS banking trojan being installed on the targeted systems.

This malware is commonly used by fraudsters to steal online banking credentials, credit card details and other sensitive information.

According to researchers from email security provider AppRiver, the number of these ZeuS distribution emails spiked on Saturday, with over 100 new domains being used in the attack.

"At one point this morning we were seeing rates at nearly thirty thousand per minute of these messages hitting our filters," AppRiver's Troy Gill writes.

The sudden increase might have been triggered by the fact that Friday, October 15, was the deadline for submitting the quarterly tax payments in the US and people would have been more vulnerable.

The Electronic Federal Tax Payment System (EFTPS) dates back to 1996 and, starting in January next year, it will become the default tax payment method for businesses.

ZeuS is a sophisticated threat that poses a lot of danger to companies and organizations. Last month, authorities in the US, the UK and Ukraine dismantled a network of criminals who used the trojan to steal more than $70 million from businesses.