by David Michmerhuizen & Luis Chapetti – security researchers
The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction. Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication. What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.
The messages don’t give you much to be suspicious about at first. They come from a generic looking name and use the email-id of the recipient as the subject.
The text itself is very well written, as well it should be. It is an almost exact cut and paste of an IRS announcement from 2004. To be precise, IR-2004-67.
The item to examine closely is the link embedded near the bottom of the message. Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names. In this case it’s irsgovnews.com (warning: do not visit that domain in your Web browser!)
If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.
Previous spam efforts required you to click “Run” in order to install the malware payload. The use of an exploit kit in this case means that Zeus is installed without user interaction. Once you click the link in the email, it’s game over.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.