
SANS ISC: InfoSec Handlers Diary Blog


Zeus wants to do your taxes

Published: 2010-03-25
Last Updated: 2010-03-25 20:44:53 UTC
by Kevin Liston (Version: 2)

I've received reports of suspicious emails claiming to be from the IRS.  It's a common scheme to get a user to click and run an executable.

It looks like zeus/zbot to me (more on that here: their cert is a little non-standard,) but I can't share the details yet.  If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via:

The email looks something like (thanks for sharing, Michael!):

Subject: Underreported Income Notice
Taxpayer ID: <recipient>-00000198499136US

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

Internal Revenue Service


The download in this particular link was "tax-statement.exe".

If you want to check out your own logs to catch this and similar attacks, I'd suggest looking for domains that look like<stuff> and downloaded executables with the word "tax" in them.
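One way to run the executable-name half of that check over web proxy logs, as an added example that is not part of the original diary. The log layout, the extension list and the example.test hosts are constructed assumptions; the domain pattern is not implemented because it is not preserved in the text above.

```python
from urllib.parse import urlsplit, unquote

# Assumed list of executable extensions; extend it for your environment.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")
KEYWORD = "tax"

# Constructed sample lines. Assumed layout: timestamp client method url status bytes
SAMPLE_LOG = """\
2010-03-25T14:02:11Z 10.0.0.21 GET http://example.test/download/tax-statement.exe 200 114688
2010-03-25T14:05:40Z 10.0.0.34 GET http://example.test/forms/tax-guide.pdf 200 20480
2010-03-25T14:07:02Z 10.0.0.34 GET http://example.test/get?id=7&file=TAX%2Dstatement.EXE 200 114688
2010-03-25T14:09:15Z 10.0.0.50 GET http://example.test/tools/setup.exe 200 901120
2010-03-25T14:11:58Z 10.0.0.21 GET http://example.test/tax-statement.exe 404 312
malformed line
"""

def candidate_names(url):
    """Yield URL-decoded file names from the path and from each query-string value."""
    parts = urlsplit(url)
    yield unquote(parts.path).rsplit("/", 1)[-1]
    for pair in parts.query.split("&"):
        if pair:
            yield unquote(pair.partition("=")[2]).rsplit("/", 1)[-1]

def is_tax_executable(name):
    """True when the name contains the keyword and ends in an executable extension."""
    lowered = name.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    return KEYWORD in lowered and lowered.endswith(EXEC_EXT)

def find_hits(log_text):
    """Return (timestamp, client, file name) for each successful matching download."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _method, url, status, _size = fields
        if not status.startswith("2"):
            continue  # only count requests the proxy actually served
        for name in candidate_names(url):
            if is_tax_executable(name):
                hits.append((ts, client, name))
                break
    return hits

if __name__ == "__main__":
    for ts, client, name in find_hits(SAMPLE_LOG):
        print(ts, client, name)
```

Dropping the status filter also surfaces clients that clicked the link but were blocked or got an error, which is useful for finding recipients rather than infections.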

For those with enough free time to try to track the different groups using zeus, this one has an Avalanche feel to it.

Keywords: zbot zeus