A New Spam Campaign Abuses IRS to Distribute Malware
With the holiday season over, cybercriminals are now turning to the approaching tax season. The security company Trend Micro recently discovered that spam messages claiming to come from the Internal Revenue Service (IRS) are delivering malware.
The spam carries the subject "W-2 Form update" and appears to come from the IRS. It tells recipients that the form has been modified and that they are required to update it. The W-2 form reports an employee's annual wages and the tax withheld.
To "update their details", the e-mail urges recipients to open an attached file named Update.doc.
Opening the file shows what looks like an embedded PDF, but the object is actually an executable that uses a PDF icon as its disguise. When it is run, it installs a backdoor on the user's system that gives the attacker control of the machine. Trend Micro detects this malware as BKDR_POISON.BQA.
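The disguise described above, an executable wearing a PDF icon inside a Word document, is one that a mail gateway or a triage script can catch by ignoring the file name and icon and classifying the bytes instead. The following Python is an added example; it is not Trend Micro's analysis code and contains no malware. The attachment bytes are constructed stubs (an OLE compound-file magic header with a minimal fake PE image dropped inside it), and the function names are this example's own.

```python
import struct
from typing import Dict, List

# Magic values used for classification. OLE_MAGIC is the compound-file header
# that legacy .doc files start with; PDFs start with "%PDF-"; Windows
# executables start with the DOS "MZ" stub and point, via the 32-bit
# e_lfanew field at offset 0x3c, to the "PE\0\0" signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_MAGIC = b"%PDF-"


def build_fake_pe() -> bytes:
    """Constructed stub that satisfies the PE header checks below.

    It is not a runnable program: just a DOS header whose e_lfanew points at
    a "PE\\0\\0" signature followed by a few zero bytes of COFF header.
    """
    e_lfanew = 0x80
    dos_header = bytearray(b"MZ" + b"\x00" * (0x40 - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    padding = b"\x00" * (e_lfanew - len(dos_header))
    nt_headers = b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18
    return bytes(dos_header) + padding + nt_headers


def looks_like_pe(data: bytes, offset: int = 0) -> bool:
    """True if a PE image starts at `offset`: MZ stub plus a valid e_lfanew -> PE\\0\\0."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_offset = offset + e_lfanew
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def content_type(data: bytes) -> str:
    """Classify by content, never by extension or icon."""
    if looks_like_pe(data):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def find_embedded_pe(container: bytes) -> List[int]:
    """Offsets of every PE image found inside a container (e.g. an OLE document).

    This is a raw signature scan; it does not parse OLE streams, so a payload
    that is compressed, encrypted or split across sectors would be missed.
    """
    hits = []
    start = 0
    while True:
        idx = container.find(b"MZ", start)
        if idx < 0:
            return hits
        if looks_like_pe(container, idx):
            hits.append(idx)
        start = idx + 1


def assess_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Triage verdict for a mail attachment: block any executable, whether it
    is the attachment itself (icon/extension disguise) or embedded in a document."""
    claimed_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ctype = content_type(data)
    embedded = [] if ctype == "pe" else find_embedded_pe(data)
    # A file named like a document whose bytes are a PE is exactly the
    # "executable with a PDF icon" trick, regardless of what Explorer shows.
    disguised = ctype == "pe" and claimed_ext in ("pdf", "doc", "docx", "rtf", "xls")
    return {
        "name": name,
        "content_type": ctype,
        "disguised_executable": disguised,
        "embedded_pe_offsets": embedded,
        "verdict": "block" if ctype == "pe" or embedded else "allow",
    }


# Constructed sample: an OLE header, one 512-byte sector of filler, then a fake
# PE object, as a crude stand-in for a .doc carrying an embedded executable.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 504 + build_fake_pe() + b"\x00" * 64
SAMPLE_PDF = b"%PDF-1.4\n%constructed, harmless\n"

if __name__ == "__main__":
    for fname, blob in (("Update.doc", SAMPLE_DOC), ("W-2.pdf", build_fake_pe()), ("notice.pdf", SAMPLE_PDF)):
        print(assess_attachment(fname, blob))
```

In production the OLE container should be parsed stream by stream (tools such as oletools do this) rather than byte-scanned, and the classification should be applied to every object extracted from the document, not only to the top-level attachment; the point the example makes is that a PDF icon and a .pdf or .doc name prove nothing about what the bytes will do when double-clicked.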
The researchers report that BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which lets an attacker run commands on the compromised machine. Interestingly, the backdoor tries to connect to a private IP address (192.168.29.1). It is still unclear whether this is an attacker misconfiguration or a deliberate setup for an attack against an internal network.
Trend Micro's researchers note that the spam looks legitimate because the contact numbers and URLs it contains are genuine, presumably to convince recipients that the e-mail is authentic.
To avoid infection, the researchers strongly recommend that recipients not open suspicious e-mail, even when it appears to come from a familiar source. Users are also advised to verify with the IRS whether an e-mail they received is genuine, using contact details obtained from the IRS itself rather than from the message.
This is not the first time criminals have exploited the IRS name for a malware campaign. In April 2009, attackers used a similar method to target non-resident aliens in the US who were expected to file a "Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding" (Form W-8BEN). In that case the form attached to the e-mail had been tampered with to serve as a phishing lure.
» SPAMfighter News - 20-01-2010