by Dave Michmerhuizen & Luis Chapetti – security researchers
Just in time for the U.S. tax filing deadline, the Barracuda Labs spam honeypots have detected a surge in spam intended to scare harried tax filers into letting down their guard.
Tax time is stressful and many of us are sifting through piles of forms and receipts. It can be difficult to remember to be skeptical of that official-looking email that appears to be from the Internal Revenue Service. Yet skeptical is what you should be, because the IRS is a favorite target for spammers and phishers to impersonate. Let's look at three samples.
The first spam is from a phishing campaign that has been active since at least 2008. Aimed primarily at immigrants, it presents a dense thicket of poorly written gobbledygook stating that the recipient is not subject to taxes on certain unspecified interest.
A PDF of form W-4100B2 is attached and you are encouraged to fill it out and fax it to a number provided in the email. The form asks for practically every piece of sensitive financial information an identity thief could want, including Social Security numbers, debit and credit card numbers with codes and even passport numbers.
However, the fact is that there is no IRS form W-4100B2. The IRS has specifically stated that they “do not request detailed personal information through email.” Messages like this should be ignored.
The second spam has been used for phishing in the past, but in this year’s incarnation it carries a nasty payload.
The salutation of “Hello Dear” isn’t very convincing coming from the IRS. Still, the basic message, that an electronic tax payment might be rejected, could be enough to cause a harried office worker to open the attachment. That would be a big mistake: although clicking on the attachment does not appear to do anything, it actually installs Trojan.Zeus in the background. This Trojan horse runs silently, steals usernames and passwords, and in this case sends them to a command and control server in Asia.
The last sample is from a campaign that is noteworthy for how carefully it is targeted to specific individuals. Usually spam campaigns are scattershot affairs that send out large numbers of emails addressed to “Dear Sir / Madam”, as our first example showed. This “rule change notification” was seen using individual email addresses of real people, addressing them by their real name and company name.
Instead of new tax rules, the attached .zip file contains a Trojan.Downloader which installs a variety of other malware.
Again, the IRS has stated that it “does not initiate taxpayer communications through email,” and “does not request detailed personal information through email.” If taxpayers have questions about emails such as these, they should check with the IRS using contact information found in their local phone directory or at www.irs.gov.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter and/or the Barracuda Web Filtering Service block the traffic involved in the attacks.