Recently, cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick taxpayers into clicking on a link pointing to a bogus Microsoft Word document. Once the user clicks on it, they are redirected to a Black Hole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit.

More details:

Screenshot of the spamvertised IRS themed email:

Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:

Spamvertised URLs: hxxp://

Client-side exploits serving URL: hxxp://

Client-side exploits served: CVE-2010-0188, CVE-2010-1885

Detection rate for a sample redirection script: MD5: 1ab7543c3c7857eec5014b3de5da362e detected by 3 out of 41 antivirus scanners as JS/Iframe.W!tr; Trojan-Downloader.JS.Iframe.czj.

Upon successful client-side exploitation, the campaign drops MD5: 6d7b7d2409626f2c8c166373e5ef76a5 on the affected hosts, currently detected by 30 out of 41 antivirus scanners as Trojan-Ransom.Win32.Gimemo.akxc.

Also, as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim. Hence, they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff
