September 22, 2009
IRS Notice of Underreported Income Phish Continues to be Widely Distibuted
[Update - April 6, 2010: This particular phishing attack, and attacks like it, always become more prevalent as the April 15th tax deadline approaches. I've been observing an increase in visits to this page, so no doubt that this is happening once again. Note that the IRS's own website contains information on how to report phishing scams in this article. And, just to stress this one more time: The IRS never uses e-mail to contact taxpayers about their tax issues.]
Other security vendors have been reporting this and I can verify that it's true... This phishing attack with messages titled "Notice of Underreported Income" continues to be widely spammed.
One of my personal "spam trap" type accounts contained six of these things from just this morning. (As an aside, Proofpoint's anti-spam engine has blocked these since they first appeared... never seen one in my Proofpoint-protected accounts.) You can click the image for a full-size GIF sample, but the text of all of these reads as follows:
Taxpayer ID: [email address]-[numbers]
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
review tax statement for taxpayer id: [email address]-[numbers]
Internal Revenue Service
The links have the format:
www.irs.gov.[fraudulent host domain]/fraud_application/directory/statement.php?
Following such a link is a bad idea, of course, but those that do are presented with a fake IRS information page with a link to an executable, which apparently installs the Zbot Trojan (aka Zeus Bot Trojan), an information stealing Trojan. (You can read more about Zbot at our anti-virus partner F-Secure's site.)
I'm told that the source of these emails is the Pushdo botnet. This email is reminiscent of the UK HMRC tax refund scam I blogged about previously. As I did in that post, I'll reiterate Proofpoint's "Golden Rules" for staying safe online:
[Update: April 6, 2010 - This list has been enhanced with Proofpoint's 2010 "Seven Simple Rules for Staying Safe Online"]
1. Be aware: View with suspicion any email with requests for personal IDs, financial information, user names or passwords. Your bank, online services, government agencies or legitimate online stores are unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email.
Today’s malicious emails and phishing attacks are disguised as communications from all sorts of organizations, including government agencies, software vendors and money transfer services, as these examples from the Proofpoint Email Security Blog show.
2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments from anything but 100 percent trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.
3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure.
4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is secure before entering sensitive information.
5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during this time of continued economic unease. If you see anything suspicious, contact the financial institution immediately.
6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook and Twitter are increasingly used to deliver the same kinds of scams and malicious links to unsuspecting users. Spammers and malware writers are riding the social media wave, commonly using malicious, but convincing, emails that masquerade as notifications such as friend requests or message notifications. Keep all of the preceding tips in mind when using the latest communication tools.
7. Make security your first stop: Always make sure that your net-connected computers are protected by a good desktop anti-virus or Internet security solution—and that you keep your subscription up to date! Reputable vendors include F-Secure, McAfee and Symantec. Be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers commonly lead to fraudulent anti-virus solutions that are actually malicious software.