Last Updated: 2010-03-25 20:44:53 UTC
by Kevin Liston (Version: 2)
I've received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable.
It looks like Zeus/Zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html).
The email looks something like this (thanks for sharing, Michael!):
Subject: Underreported Income Notice
Taxpayer ID: <recipient>-00000198499136US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
Internal Revenue Service
hxxp://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?
The download in this particular link was "tax-statement.exe."
If you want to check out your own logs to catch this and similar attacks, I'd suggest looking for domains that look like www.irs.gov.<stuff> and downloaded executables with the word "tax" in them.
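The log check suggested above, sketched as an added example (not code from this diary or its author): it flags hosts that carry irs.gov as leading labels of some other domain, and .exe downloads with "tax" in the file name. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2010-03-25T14:02:11Z 10.0.4.17 GET http://www.irs.gov/pub/irs-pdf/f1040.pdf 200
2010-03-25T14:05:40Z 10.0.4.22 GET http://www.irs.gov.lookalike.example/fraud.applications/statement.php 200
2010-03-25T14:05:43Z 10.0.4.22 GET http://www.irs.gov.lookalike.example/files/tax-statement.exe 200
2010-03-25T14:09:02Z 10.0.4.31 GET http://downloads.vendor.example/TaxTool-Setup.EXE 200
2010-03-25T14:11:57Z 10.0.4.31 GET http://apps.irs.gov/app/picklist/list.html 200
2010-03-25T14:12:30Z 10.0.4.40 GET http://news.example/articles/syntax-guide.html 200
"""

BRAND = "irs.gov"  # the domain being impersonated

def classify(url):
    """Return the reasons a URL looks suspicious (empty list if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL in the log
        return []
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    labels, brand = host.split("."), BRAND.split(".")
    reasons = []
    # Genuine hosts END with the brand; lookalikes carry it further left.
    legit = host == BRAND or host.endswith("." + BRAND)
    if not legit and any(labels[i:i + len(brand)] == brand
                         for i in range(len(labels) - len(brand))):
        reasons.append("brand-in-subdomain")
    # Only file names visible in the URL path are checked here.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename.endswith(".exe") and "tax" in filename:
        reasons.append("tax-named-exe")
    return reasons

def scan(log_text):
    """Return (client, url, reasons) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:  # skip truncated or malformed lines
            continue
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

A file name that is delivered only in a response header never appears in the URL, so apply the same test to whatever download-name field your proxy records.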
For those with enough free time to try to track the different groups using Zeus, this one has an Avalanche feel to it.