
SANS ISC: InfoSec Handlers Diary Blog - Fake stimulus payments InfoSec Handlers Diary Blog



Fake stimulus payments

Published: 2009-02-06
Last Updated: 2011-01-24 23:55:10 UTC
by Adrien de Beaupre (Version: 1)

Amy sent us a note regarding an email she had received. It had the subject line "Economic Stimulus Payment form ID: [SP-251.9475]" and an attachment. The contents were:

"After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a Stimulus Payment.
Please submit the Stimulus Payment form in order to process it.

A Stimulus Payment can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To submit your Stimulus Payment form, please download the attached document.

Note: If filing or preparation fees were deducted from your 2007 Refund or you received a refund anticipation loan, you will be receiving a check instead of a direct deposit.

Regards,
Internal Revenue Service"

Hmm, look fake?

The attachment was an HTML document named "Economic Stimulus Payment.htm", the contents of which were:

<scr1pt language="JavaScr1pt">
<!--
w1ndow.location="http://bagatela. com /carrostunados/ wp-content/upgrade";
// -->
</scr1pt>

When we retrieve that page we get:

<scr1pt language="JavaScr1pt">
<!--
w1ndow.location="http://hawsedc. com /thomas/stimulus.refund/0,, id=181665,00.html";
// -->
</scr1pt>

Which gave me a 404 when I attempted to grab a copy.
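A triage check for the kind of attachment described above, as an added example that is not part of the original diary: it parses an HTML attachment, extracts JavaScript and meta-refresh redirect targets, and flags files that carry a redirect but almost no visible text. The function and class names, the 40-character threshold and the `.example` sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Navigation sinks: window.location = "...", location.href = "...",
# location.replace("...") and location.assign("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*
        (?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE | re.VERBOSE)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)

class StubParser(HTMLParser):
    """Collects script bodies, meta-refresh targets and visible text."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts, self.targets, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1).strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

def triage_html_attachment(html, min_text=40):  # min_text: assumed threshold
    p = StubParser()
    p.feed(html)
    p.close()
    targets = p.targets + JS_REDIRECT.findall("".join(p.scripts))
    visible = "".join(p.text).strip()
    hosts = sorted({h for h in (urlsplit(t).hostname for t in targets) if h})
    # A redirect plus no readable content: the file only exists to bounce the reader
    return {"redirects": targets, "hosts": hosts,
            "redirect_only": bool(targets) and len(visible) < min_text}

# Constructed samples (not the attachment from the diary)
SAMPLE_STUB = ('<html><body><script language="JavaScript">\n<!--\n'
               'window.location="http://redirector.example/wp-content/upgrade";\n'
               '// -->\n</script></body></html>')
SAMPLE_BENIGN = ('<html><body><h1>Quarterly report</h1><p>Figures for the quarter '
                 'are below.</p><script>var p = window.location.pathname;</script></body></html>')
```

A mail gateway or analyst script can run this over `.htm`/`.html` attachments and log the extracted hosts for blocklisting or follow-up.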

Moral of the story, if it looks too good to be true, it is. The IRS will hopefully not be emailing out forms for economic stimulus payments any time soon.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: fake irs stimilus trojan