Mar 24

Spammers Spoofing IRS with Blended Threat Email Campaign

We have stopped another blended threat email campaign, which once again spoofs the Internal Revenue Service. The text-based email, which has a variety of subject lines, such as “the CP2000 notice (Underreported Income Notice),” asks recipients to “review your tax statement on Internal Revenue Service (IRS) website.” When someone clicks on the link, they are taken to a landing page that includes the IRS header, as well as a link to the IRS Privacy Policy.

IRS Blended Threat Spam Landing Page

On the landing page, visitors are asked to “Please review (download and execute) your tax statement.” The link on the page actually installs a version of the Zbot Trojan, which hides itself on compromised computers and allows remote attackers to steal bank-related information, log-in details and other personal data. This campaign is being sent from a botnet at moderate to high volume, from more than 2,000 unique sending IP addresses. A similar campaign was blocked in the fall of 2009.

As with past IRS spam warnings, the IRS has made it very clear that it does not communicate with individual taxpayers via email. Any email with the IRS’ brand is likely to be a scam and should be forwarded to the IRS at phishing@irs.gov and then deleted.

This campaign was detected by Red Condor’s Spam Trigger filter, which quickly identifies spam and phishing campaigns before they penetrate users’ networks. Once identified, the campaigns are quarantined and reviewed as rules are written and automatically distributed to Red Condor’s antispam appliance and Hosted Service customers.