New Twist in IRS Phishing Scams
Earlier today I got a new phishing scam in my inbox, this one for the IRS. I’d love a tax refund, but I don’t think this is how they normally notify you. The lure email is shown below, and is quite standard in its formatting. It even threatens you with criminal prosecution if you lie.
Date: Thu, 28 Feb 2008 15:10:22 -0500
From: Internal Revenue Service
Subject: Your Tax Refund (Message ID FV028T3)
A Secure Way to Receive Your Tax Refund
After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $746.35.
Please submit the tax refund request and allow us 3-9 days in order
to process it.
A refund can be delayed for a variety of reasons. For example
submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.
Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
So far nothing special, until you click the link. It’s to an EXE, not to a website. When you download that and look, what you get is a locally hosted website with the phishing site shown below (broken in IE7):
Analysis reveals that the executable takes the data you enter and sends it to at least two different servers:
- 3comport.sytes.net TCP port 5184
- 184.108.40.206 TCP port 80
This is a new twist in phishing attacks that can bypass the normal URL filtering bar for malicious sites: the phishing page is never served from a URL that a blocklist could match. It requires that whatever mechanism decides whether something is a phishing site recognize that an EXE can also be used as the phishing page. It makes sense that this would evolve, and I suspect we’ll see more of this soon.
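One place a mail filter can catch this variant before any URL reputation check runs is the link itself: the "click here" target is an executable, and its name carries a decoy document extension. The following is an added example, not the original post's code; it scans the hrefs in an HTML mail body and reports links whose target is an executable or a double-extension file such as the IRS-Refunds.doc.exe from this sample. The hostname in the embedded sample body is a constructed placeholder, and the extension lists are illustrative assumptions, not an exhaustive set.

```python
import re
from urllib.parse import urlparse, unquote

# File types that should never be the target of a "refund form" link (assumed list)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs"}
# Document-looking extensions commonly placed before the real one to disguise it (assumed list)
DECOY_EXTS = {".doc", ".pdf", ".xls", ".txt", ".htm", ".html"}

HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_link(url):
    """Return the reasons (possibly none) this link should be treated as a phishing payload."""
    reasons = []
    path = unquote(urlparse(url).path).lower()   # decode %xx so obfuscated names are seen
    name = path.rsplit("/", 1)[-1]                # final path component, e.g. irs-refunds.doc.exe
    parts = name.split(".")
    if len(parts) < 2:                            # no extension at all: nothing to judge here
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("link target is an executable (%s)" % ext)
        # "IRS-Refunds.doc.exe": a decoy document extension sits directly before the real one
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("double extension disguises payload as a document (.%s%s)" % (parts[-2], ext))
    return reasons


def scan_email_body(html):
    """Scan every href in an HTML mail body; return {url: reasons} for the links that were flagged."""
    flagged = {}
    for url in HREF_RE.findall(html):
        reasons = classify_link(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample lure body (placeholder host, not the real drop site)
SAMPLE_BODY = """<p>To access the form for your tax refund, please
<a href="http://example.invalid/refund/IRS-Refunds.doc.exe">click here</a></p>
<p><a href="https://www.irs.gov/refunds">Check your refund status</a></p>"""

if __name__ == "__main__":
    for url, reasons in scan_email_body(SAMPLE_BODY).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

This only inspects the link text; a payload served without an obvious extension still needs the download itself to be inspected, so treat this as one layer in front of the sandbox, not a replacement for it.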
I ran the sample through VirusTotal for an overview of the AV detection and saw that it’s not as well detected as it could be. See for yourself.
Complete scanning result of “IRS-Refunds.doc.exe”, processed in VirusTotal at 02/28/2008 22:01:41 (CET).
[ file data ]
- name: IRS-Refunds.doc.exe
- size: 363622
- md5: 1cc5d1aaf624829e76a149014ab00f27
- sha1: 17ad552b164c4ce5c4b5ef899d43f575abe8db10
- peid: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
[ scan result ]
- AhnLab-V3 2008.2.28.2/20080228 found nothing
- AntiVir 220.127.116.11/20080228 found nothing
- Authentium 4.93.8/20080228 found nothing
- Avast 4.7.1098.0/20080228 found nothing
- AVG 18.104.22.1686/20080228 found nothing
- BitDefender 7.2/20080228 found [DeepScan:Generic.Malware.SFL!dld!g.AA140EE3]
- CAT-QuickHeal 9.50/20080228 found [(Suspicious) – DNAScan]
- ClamAV 0.92.1/20080228 found nothing
- DrWeb 4.44.0.09170/20080228 found nothing
- eSafe 22.214.171.124/20080228 found [suspicious Trojan/Worm]
- eTrust-Vet 31.3.5571/20080228 found nothing
- Ewido 4.0/20080228 found nothing
- F-Prot 126.96.36.199/20080228 found nothing
- F-Secure 6.70.13260.0/20080228 found [Suspicious:W32/Malware!Gemini]
- FileAdvisor 1/20080228 found nothing
- Fortinet 188.8.131.52/20080228 found nothing
- Ikarus T184.108.40.206/20080228 found [Win32.SuspectCrc]
- Kaspersky 220.127.116.11/20080228 found [Backdoor.Win32.Nuclear.cu]
- McAfee 5241/20080228 found nothing
- Microsoft 1.3301/20080228 found nothing
- NOD32v2 2909/20080228 found nothing
- Norman 5.80.02/20080228 found nothing
- Panda 18.104.22.168/20080227 found [Suspicious file]
- Prevx1 V2/20080228 found nothing
- Rising 20.33.32.00/20080228 found nothing
- Sophos 4.27.0/20080228 found nothing
- Sunbelt 3.0.906.0/20080228 found [Trojan-PSW.Win32.Hooker.24.c (vf)]
- Symantec 10/20080228 found nothing
- TheHacker 22.214.171.124/20080225 found nothing
- VBA32 126.96.36.199/20080227 found nothing
- VirusBuster 4.3.26:9/20080228 found nothing
- Webwasher-Gateway 6.6.2/20080228 found nothing
[ notes ]
- packers: UPX
In the time between getting this sample, notifying people, and analyzing the sample, it was shut down. Good.