Dec 6, 2010 15:26 GMT

Security researchers warn of a new wave of fake Electronic Federal Tax Payment System (EFTPS) emails directing users to drive-by download websites that distribute the ZeuS banking trojan.

The fake emails claim the recipient’s electronic tax payment was rejected due to an error in the submission form. They read:

Your Federal Tax Payment ID: ######## has been rejected. [where # is a digit] Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

Please, check the information and refer to Code R21 to get details about your company payment in transaction contacts section:

http://eftps.gov/R21

In other way forward information to your accountant adviser.

EFTPS: The Electronic Federal Payment System PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

It’s clear from this message that the attack targets businesses, which, as it happens, will be forced to use EFTPS as their default tax payment method starting in January 2011.

According to security researchers from M86 Security, who analyzed the emails, the included link takes users to an attack page that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader.

In particular, the exploit pack used in the attack targets four vulnerabilities in Java and one in Adobe Reader. Successful exploitation of any of them results in a variant of the ZeuS banking trojan being installed on the system.

The attack targets not just companies but, in particular, the people who handle their funds. This is because the ZeuS crimeware is commonly used to steal online banking credentials and perform banking fraud.

At the beginning of October, the FBI arrested 37 money mules who helped foreign cyberfraudsters in Eastern Europe to steal over $3 million from the accounts of small-sized US companies.