Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Zeus wants to do your taxes InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Zeus wants to do your taxes

Published: 2010-03-25
Last Updated: 2010-03-25 20:44:53 UTC
by Kevin Liston (Version: 2)
0 comment(s)

I've received reports of suspicious emails claiming to be from the IRS.  It's a common scheme to get a user to click and run an executable.

It looks like zeus/zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php their cert is a little non-standard,) but I can't share the details yet.  If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html

 The email looks something like (thanks for sharing Michael!):

Subject: Underreported Income Notice
Taxpayer ID: <recipient>-00000198499136US
Tax Type: INCOME TAX

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

Internal Revenue Service

hxxp://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?

 The download in this particular link was "tax-statement.exe."

If you want to check out your own logs to catch this and similar attacks, I'd suggest looking for domains that look like www.irs.gov.<stuff> and downloaded executables with the word "tax" in them.

For those with enough free-time to try to track the different groups using zeus, this one has an Avalanche feel to it.

Keywords: zbot zeus
0 comment(s)
Diary Archives