IRS Tax “Warning” Fraud Crosses the Pond, Targets the UK


For several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three-letter agency of the US government inspires more dread and fear than good old Internal Revenue.

In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).

The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page is virtually identical in the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.”

Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the file as Trojan-Backdoor-Progdav (other vendors call this spyware Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.

The pages where victims are sent, and where they download the Trojan “tax statement” installer, were well-crafted duplicates that, to the untrained eye, look indistinguishable from the HMRC’s real Web site. For comparison, we’ve taken a screenshot of both sites, below. The crooks were clever enough to make sure that “hmrc.gov.uk” — the real domain used by HMRC — is included in the address they used, even though the link does not actually lead to HMRC’s site.
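As an added example (not code from the original post or from Webroot), here is a small Python check for the address trick described above: the sample links are constructed, and the verdict depends only on the hostname the browser would actually connect to, not on whether the string “hmrc.gov.uk” appears somewhere in the link.

```python
from urllib.parse import urlsplit

# The genuine HMRC domain named in the post. A host is genuine only if it
# IS this name or is a subdomain of it; appearing elsewhere in the URL
# (in a longer hostname, the path, or the userinfo part) proves nothing.
REAL_DOMAIN = "hmrc.gov.uk"


def hostname_of(url: str) -> str:
    """Return the lowercase hostname a browser would connect to for this link."""
    if "://" not in url:          # bare "hmrc.gov.uk/..." links in email bodies
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # .hostname drops userinfo, port, path
    return host.rstrip(".").lower()


def is_real_hmrc_host(host: str) -> bool:
    """True for hmrc.gov.uk itself and any subdomain such as www.hmrc.gov.uk."""
    return host == REAL_DOMAIN or host.endswith("." + REAL_DOMAIN)


def classify_link(url: str) -> str:
    """'genuine', 'lookalike' (mentions the real domain but points elsewhere),
    or 'unrelated' (does not mention it at all)."""
    host = hostname_of(url)
    if is_real_hmrc_host(host):
        return "genuine"
    if REAL_DOMAIN in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links (hypothetical, not the addresses used in the campaign).
SAMPLE_LINKS = [
    "https://www.hmrc.gov.uk/",                             # genuine
    "http://hmrc.gov.uk.example.net/tax-statement.exe",     # real domain as a prefix label
    "http://example.net/hmrc.gov.uk/tax-statement.exe",     # real domain in the path
    "http://hmrc.gov.uk@example.net/",                      # userinfo trick; host is example.net
    "http://fakehmrc.gov.uk/",                              # superstring of the real name
    "http://example.org/",                                  # unrelated
]


def classify_all(links):
    """Map each link to its verdict."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    for url, verdict in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```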

[Screenshot: side-by-side comparison of the real HMRC Web page and the phishing copy]

As we’ve said before, not only is Progdav (Zbot) one of the most prolific Trojan backdoors in use today, but it’s also somewhat generic. That was in evidence when we looked at some of the strings in this particular Trojan sample, and found references to the Trojan’s ability to steal login secrets for Bank of America — a bank that doesn’t have a particularly large following (or customer base) in the UK.

[Screenshot: strings extracted from the Trojan sample, with the Bank of America references highlighted]

Victims who fall for this trick should run a full scan of their hard drive, and change the passwords of any email service or Web site they’ve logged into since downloading and running the tax-statement.exe file.

