Trend Micro experts have analyzed the recent spam campaign

Aug 20, 2013 07:45 GMT

Bogus tax-themed emails are often used against internet users in the US in an effort to trick them into handing over sensitive information, or to get them to install a piece of malware on their computers. However, experts warn that people in the UK should also be on the lookout for such malicious notifications.

A perfect example is a spam campaign that leverages the name of Her Majesty's Revenue and Customs (HMRC). Trend Micro experts say that bogus VAT return emails are being used to spread ZeuS (ZBOT), the well-known data-stealing malware.

“Thank you for sending your VAT Return online. The submission for reference 7809740 was successfully received on Wed, 24 July 2013 08:38:54 +0100 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork,” the bogus emails read.

The file that’s attached to these messages – an archive named something like “VAT_7808740.zip” – is not a receipt for the VAT return. Instead, it hides a piece of malware detected by Trend Micro as TSPY_FAREIT.ADI.

Once it’s installed on a computer, the threat looks for information related to file managers, email, FTP clients and various web browsers, including Chrome, Internet Explorer, K-Meleon, Firefox, Opera, Flock Browser, RockMelt and FastStone.

In addition to stealing data, the malware downloads a piece of spyware dubbed TSPY_ZBOT.ADD.

“The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts,” Trend Micro’s Gelo Abendan noted in a blog post.

“Once they got hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss,” Abendan added.