New Twist in IRS Phishing Scams

Earlier today I got a new phishing scam in my inbox, this one for the IRS. I’d love a tax refund, but I don’t think this is how they normally notify you. The lure email is shown below, and is quite standard in its formatting. It even threatens you with criminal prosecution if you lie.


Date: Thu, 28 Feb 2008 15:10:22 -0500
From: Internal Revenue Service
Subject: Your Tax Refund (Message ID FV028T3)

A Secure Way to Receive Your Tax Refund

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $746.35.

Please submit the tax refund request and allow us 3-9 days in order
to process it.

A refund can be delayed for a variety of reasons. For example
submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.

Regards,
Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

So far nothing special, until you follow the link: it points to an EXE, not to a web page. Download it and take a look, and what you get is the phishing form served as a locally hosted page by the executable itself, shown below (rendering broken in IE7):

[Screenshot: IRS Phish_exe_screen.jpg]

Analysis shows that the executable takes the data entered into the form and sends it to at least two different servers:

  • 3comport.sytes.net TCP port 5184
  • 64.28.177.140 TCP port 80
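Turning the two destinations above into a detection, as an added example that is not part of the original post: the Python below is mine, not the author's, and runs the indicators over a handful of constructed firewall and DNS log lines in a hypothetical key=value format. The dynamic-DNS hostname is matched on the DNS query, and the answer it returned is remembered so the follow-on TCP connection is caught even though that IP is not on the list (the address behind a name like that can change at any time). The hard-coded address is matched on destination IP, with the port the sample used serving only as confirmation: a connection to the same host on any other port is still worth an analyst's attention.

```python
"""Match the network indicators from the IRS-Refunds.doc.exe write-up against log lines."""
import re
from dataclasses import dataclass

# Destinations reported for the sample: hostname or IP -> TCP port it was seen using.
INDICATORS = {
    "3comport.sytes.net": 5184,
    "64.28.177.140": 80,
}

# Constructed sample log lines in a hypothetical key=value format (not real traffic).
# RFC 5737 documentation addresses stand in for whatever the dynamic-DNS name resolved to.
SAMPLE_LOGS = [
    "2008-02-28T15:12:01 type=dns src=10.0.0.5 query=3comport.sytes.net. answer=203.0.113.77",
    "2008-02-28T15:12:02 type=fw src=10.0.0.5 dst=203.0.113.77 dport=5184 proto=tcp action=allow",
    "2008-02-28T15:12:03 type=fw src=10.0.0.5 dst=64.28.177.140 dport=80 proto=tcp action=allow",
    "2008-02-28T15:12:04 type=fw src=10.0.0.5 dst=64.28.177.140 dport=443 proto=tcp action=allow",
    "2008-02-28T15:12:05 type=fw src=10.0.0.9 dst=198.51.100.10 dport=80 proto=tcp action=allow",
    "2008-02-28T15:12:06 type=dns src=10.0.0.9 query=www.irs.gov. answer=198.51.100.10",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Split 'key=value' tokens into a dict; tokens without '=' (the timestamp) are ignored."""
    return dict(KV_RE.findall(line))


@dataclass
class Hit:
    line: str
    indicator: str
    reason: str


def match_indicators(lines, indicators=INDICATORS):
    """Return a Hit for every line that touches an indicator, in log order."""
    hits = []
    resolved = {}  # IP -> indicator hostname, learned from DNS answers seen earlier in the log
    for line in lines:
        fields = parse_kv(line)
        query = fields.get("query", "").rstrip(".").lower()
        if query in indicators:
            hits.append(Hit(line, query, "DNS lookup of indicator host"))
            if "answer" in fields:
                # Dynamic-DNS names move; remember what the name resolved to so the
                # TCP connection that follows is caught even though the IP is not listed.
                resolved[fields["answer"]] = query
            continue
        dst = fields.get("dst")
        if dst in indicators:
            name = dst
        elif dst in resolved:
            name = resolved[dst]
        else:
            continue
        expected = indicators[name]
        dport = int(fields.get("dport", -1))
        if dport == expected:
            reason = f"TCP connection to {name}:{expected}"
        else:
            # The sample used one port, but the same host on another port still matters.
            reason = f"connection to {name} on unexpected port {dport}"
        hits.append(Hit(line, name, reason))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOGS):
        print(f"{hit.indicator:20} {hit.reason:50} {hit.line}")
```

Run against the sample lines it reports four hits: the DNS lookup, the connection to the resolved address on 5184, the port-80 connection to the listed IP, and the same IP on 443 flagged as an unexpected port; the two lines for the other workstation produce nothing.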

This is a new twist in phishing that can slip past the usual URL filtering for malicious sites: there is no hosted phishing page for a filter or browser toolbar to classify, only a downloadable file that carries the page with it. Whatever decides whether a link is a phishing site needs to recognize that an EXE can be the phishing site. It makes sense that this would evolve; I suspect we'll see more of this soon.
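One way a mail filter can implement the check the paragraph above calls for, as an added example that is not part of the original post: judge each link by the file type of its target rather than only by whether the host is a known phishing site. The code is mine, not the author's; the sample message, its HTML and the host example.com are constructed for illustration, and only the subject line and the filename IRS-Refunds.doc.exe come from the lure. The extension lists are assumptions and deliberately short.

```python
"""Flag e-mail links whose target is an executable rather than a web page."""
import email
import posixpath
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# File types Windows will run once the user opens the download. Assumed list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".hta", ".vbs", ".js"}
# Extensions attackers place in front of the real one so the name reads like a document.
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".txt", ".htm", ".html"}

# Constructed message for illustration: the host example.com and the HTML are
# assumptions; the subject line and the filename IRS-Refunds.doc.exe are from the lure.
SAMPLE_EMAIL = """\
From: Internal Revenue Service <refunds@example.com>
To: victim@example.net
Subject: Your Tax Refund (Message ID FV028T3)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>To access the form for your tax refund, please
<a href="http://example.com/refund/IRS-Refunds.doc.exe">click here</a>.</p>
<p>See also <a href="https://www.irs.gov/refunds">IRS refund information</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def classify_link(href):
    """Findings about the target file type of one URL; an empty list means it looks like a page."""
    findings = []
    # Decode %xx escapes first so 'IRS%2DRefunds.doc.exe' is judged by its real name.
    filename = posixpath.basename(unquote(urlparse(href).path)).lower()
    stem, ext = posixpath.splitext(filename)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"link target is an executable ({ext})")
        inner = posixpath.splitext(stem)[1]
        if inner in DOCUMENT_EXTS:
            findings.append(f"double extension: name reads as {inner} but runs as {ext}")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message, pull the links out of its HTML body and classify each."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    body_html = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(body_html)
    return [{"href": href, "text": text, "findings": classify_link(href)}
            for href, text in extractor.links]


if __name__ == "__main__":
    for link in scan_message(SAMPLE_EMAIL):
        verdict = "; ".join(link["findings"]) or "no file-type finding"
        print(f'"{link["text"]}" -> {link["href"]}: {verdict}')
```

The "click here" link is flagged twice, once for pointing at an .exe at all and once for the .doc.exe double extension, while the irs.gov link passes. The check costs nothing per link and needs no reputation data, which is the point: a filter that only asks "is this host a known phishing site?" has nothing to say about a link like this.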

I ran the sample through VirusTotal for an overview of the AV detection and saw that it’s not as well detected as it could be. See for yourself.

Complete scanning result of “IRS-Refunds.doc.exe”, processed in VirusTotal at 02/28/2008 22:01:41 (CET).

[ file data ]

  • name: IRS-Refunds.doc.exe
  • size: 363622
  • md5: 1cc5d1aaf624829e76a149014ab00f27
  • sha1: 17ad552b164c4ce5c4b5ef899d43f575abe8db10
  • peid: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

[ scan result ]

AhnLab-V3 2008.2.28.2/20080228 found nothing
AntiVir 7.6.0.67/20080228 found nothing
Authentium 4.93.8/20080228 found nothing
Avast 4.7.1098.0/20080228 found nothing
AVG 7.5.0.516/20080228 found nothing
BitDefender 7.2/20080228 found [DeepScan:Generic.Malware.SFL!dld!g.AA140EE3]
CAT-QuickHeal 9.50/20080228 found [(Suspicious) – DNAScan]
ClamAV 0.92.1/20080228 found nothing
DrWeb 4.44.0.09170/20080228 found nothing
eSafe 7.0.15.0/20080228 found [suspicious Trojan/Worm]
eTrust-Vet 31.3.5571/20080228 found nothing
Ewido 4.0/20080228 found nothing
F-Prot 4.4.2.54/20080228 found nothing
F-Secure 6.70.13260.0/20080228 found [Suspicious:W32/Malware!Gemini]
FileAdvisor 1/20080228 found nothing
Fortinet 3.14.0.0/20080228 found nothing
Ikarus T3.1.1.20/20080228 found [Win32.SuspectCrc]
Kaspersky 7.0.0.125/20080228 found [Backdoor.Win32.Nuclear.cu]
McAfee 5241/20080228 found nothing
Microsoft 1.3301/20080228 found nothing
NOD32v2 2909/20080228 found nothing
Norman 5.80.02/20080228 found nothing
Panda 9.0.0.4/20080227 found [Suspicious file]
Prevx1 V2/20080228 found nothing
Rising 20.33.32.00/20080228 found nothing
Sophos 4.27.0/20080228 found nothing
Sunbelt 3.0.906.0/20080228 found [Trojan-PSW.Win32.Hooker.24.c (vf)]
Symantec 10/20080228 found nothing
TheHacker 6.2.9.229/20080225 found nothing
VBA32 3.12.6.2/20080227 found nothing
VirusBuster 4.3.26:9/20080228 found nothing
Webwasher-Gateway 6.6.2/20080228 found nothing

[ notes ]

  • packers: UPX

In the time between getting this sample, notifying people, and analyzing the sample, it was shut down. Good.
