By Andrew Brandt
For several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three-letter agency of the US government inspires more dread and fear than good old Internal Revenue.
In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).
The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.”
Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.
The pages where victims are sent, and where they download the Trojan “tax statement” installers, were well-crafted duplicates that, to the untrained eye, look indistinguishable from the HMRC’s real Web site. For comparison, we’ve taken a screenshot of both sites, below. The crooks were clever enough to make sure that “hmrc.gov.uk” — the real domain used by HMRC — is included in the address they used.
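The trick above (a genuine domain name embedded in an address that does not actually belong to it) defeats any link check that merely looks for the string “hmrc.gov.uk”. The following is an added example, not code from the original post, of the check a mail filter or analyst should make instead: parse the URL and test whether its host is the legitimate domain or a subdomain of it. The sample URLs are constructed for illustration and use the reserved `.test` TLD.

```python
"""Decide whether a link really points at a trusted tax-agency domain.

Added example (not from the original post). A naive substring test
passes any URL that contains "hmrc.gov.uk" somewhere; the correct test
is that the URL's *host* equals the legitimate domain or ends with it.
"""
from urllib.parse import urlsplit

LEGIT_DOMAINS = ("hmrc.gov.uk", "irs.gov")


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is exactly `domain` or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a link.

    'lookalike' means a legitimate domain name appears somewhere in the
    URL (as a leading label of another registered domain, in the path,
    in the userinfo part, or in the query) while the real host is not
    under that domain.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""  # urlsplit lowercases and strips userinfo
    for domain in LEGIT_DOMAINS:
        if host_belongs_to(host, domain):
            return "legit"
    lowered = url.lower()
    if any(domain in lowered for domain in LEGIT_DOMAINS):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed samples (hypothetical), not addresses from the post.
    for u in (
        "https://www.hmrc.gov.uk/individuals/",
        "http://hmrc.gov.uk.example.test/tax-statement.exe",  # host suffix trick
        "http://example.test/hmrc.gov.uk/statement/",         # domain in path
        "http://hmrc.gov.uk@example.test/",                   # userinfo trick
        "https://www.example.test/",
    ):
        print(f"{classify_url(u):10s} {u}")
```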
As we’ve said before, not only is Progdav (Zbot) one of the most prolific Trojan backdoors in use today, but it’s also somewhat generic. That was in evidence when we looked at some of the strings in this particular Trojan sample, and found references to the Trojan’s ability to steal login secrets for Bank of America — a bank that doesn’t have a particularly large following (or customer base) in the UK.
Victims who fall for this trick should run a full scan of their hard drive, and change the passwords of any email service or Web site they’ve logged into since downloading and running the tax-statement.exe file.