Monday, March 18, 2013

Tax Season is Malware Season

In the United States, personal income taxes are due for every worker on April 15th.  The period from about January 31st until April 15th is when most of us file our taxes, which means Cyber Criminals love to imitate tax-related services during this time.

Each day we review Today's Top Threats for the Malcovery "T3" report.  Quite a few of them have imitated tax-related issues, from the Internal Revenue Service (IRS) themselves, to Intuit, the makers of the popular TurboTax software, to assorted warnings that problems have occurred with your filing.

Here are a few of my recent favorites:

Feb 12, 2013:  IRS

Our email subjects for this campaign sounded serious:

 count |                                         subject                                         
-------+------------------------------------------------------------------------------------------
   446 | surcharge for delay of tax return filling
   381 | forfeiture for delay of tax return filling
   363 | forfeit for delay of tax return filling
   361 | pecuniary penalty for delay of tax return filling
   350 | fine for delay of tax return filling
   315 | penalty for delay of tax return filling
   124 | Income Tax Refund TURNED DOWN
   108 | Income Tax Refund NOT ACCEPTED
    94 | Income Tax Refund NOT APPROVED
    90 | Income Tax Refund RETURNED
    87 | Income Tax Refund CANCELED
    74 | Income Tax Refund REJECTED



In this case there were at least 59 hacked websites that were advertised in the spam messages.  Here are some of the top ones:


 count | machine | path
-------+---------------------------------------------+--------------
   519 | www.buyonlineclothing.com | //wp-content/themes/mantra/uploads/rjtd_irs.html
   361 | www.stuterisb.se | /wp-content/uploads/fgallery/irs_rjtr.html
   313 | www.michaeldauphinais.com | //wp-content/themes/mantra/uploads/rjtd_irs.html
   200 | trademarksprotected.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
   100 | www.cowcomco.com | //wp-content/themes/mantra/uploads/rjtd_irs.html
    88 | www.hugoflores.net | //wp-content/themes/mantra/uploads/rjtd_irs.html
    79 | www.dvla-plates.com | //wp-content/themes/mantra/uploads/rjtra_irs.html
    77 | energeticfitness.com | /wp-content/plugins/mm-forms-community/upload/temp/irs_rjtra.html
    66 | www.electronicsreviewers.com | //wp-content/themes/mantra/uploads/rjtra_irs.html
    64 | www.newhavenfreestore.com | /wp-content/plugins/mm-forms-community/upload/temp/irs_rjtr.html
    63 | www.ordinarycoder.com | //wp-content/themes/trulyminimal/includes/framework/plugins/rjtra_irs.html
    62 | www.100daystochangemylife.com | //wp-content/themes/mantra/uploads/rjtd_irs.html
    56 | cliptogive.com | /wp//wp-content/themes/mantra/uploads/rjtd_irs.html
    53 | www.jimhyland.com | //wp-content/themes/mantra/uploads/rjtra_irs.html
    51 | www.nicejordans23.com | /Jordanblog//wp-content/themes/mantra/uploads/rjtd_irs.html
    41 | futurizekorea.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
    38 | www.misslulublogs.com | //wp-content/themes/trulyminimal/includes/framework/plugins/irs_rjtr.html
    37 | notfatnow.com | /irs_rjtr.html
    35 | swanirubber.com | /Blog//wp-content/themes/mantra/uploads/rjtra_irs.html
    34 | troutkinglures.com | /store-front//wp-content/themes/mantra/uploads/rjtra_irs.html
    34 | www.amir-jafari.com | //wp-content/themes/mantra/uploads/rjtd_irs.html
    32 | www.hungergamesreporter.com | //wp-content/themes/mantra/uploads/irs_rjtra.html
    28 | www.nolahelper.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
    28 | jyaproductora.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
    22 | www.shuckabuck.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
    22 | www.mamanbandante.com | //wp-content/themes/mantra/uploads/irs_rjtr.html
    21 | stjudeintercession.com | /prayer/wp-content/plugins/mm-forms-community/upload/temp/rjtra_irs.html

Feb 14, 2013: TurboTax

In this campaign, the spammers hope we will believe that TurboTax is informing us that our "State Tax Return" has been rejected. In reality the "please find information attached" is a zip file with a random file name (tax_RANDNUMBERS.zip). The zip file (MD5 = '44e31cab12de506e9b7e9df3c4414cef') is quite widely detected now, but that was not the case on the day of the campaign.

Mar 13, 2013: Intuit

The poor English in the subject on this spam message: "Payroll Account Holded by Intuit" may have helped prevent victimization.

But there were still 146 hacked websites that were each being used to redirect traffic to the Black Hole Exploit server. Despite the fact that this spam campaign is now six days old, many of these links are still active. A link followed this morning (March 19, 2013) redirects to the website "heelicotper.ru" on the path "forum/links/column.php". This domain resolves to 89.110.131.10, 132.230.75.95, 188.165.202.204, and 50.22.0.2. Even six days after the attack, several of the links sent in the original spam message are still functional, and will still drop malware from the exploit server. This morning we got a file that renamed itself to KB01148523.exe, which disguises itself as an "Advanced display adapter" driver update, claiming to be by "Microsoft Corporation". The file has the MD5 8fe6968cab2b12ae486628c1a07cb86.

How do you detect which machines in your network might be infected, when the detection rate (currently 9 of 46 at VirusTotal) means that AVG, Avast, F-Prot, Microsoft, Symantec, Sophos, and Trend Micro would not detect this malware? We recommend looking for the BEHAVIOR of this malware in your network or web proxy logs. If someone visited one of the sites below, or more importantly, visited the site they redirect to, heelicotper.ru, then that machine needs to be examined and remediated.

 count | machine | path
-------+---------------------------------------------+--------------
19 | www.mysteam.ru | /report.htm
19 | z-la.ru | /report.htm
12 | www.sellpei.com | /report.htm
11 | cs.4id.lv | /report.htm
11 | elyospride.snl.su | /report.htm
11 | pokemons.ru | /report.htm
10 | forum.parkourfamilygomel.com | /report.htm
9 | www.talkgolf.org | /report.htm
9 | cs.ittf.com.ua | /report.htm
9 | renaults.net | /report.htm
9 | www.netmfdevices.com | /report.htm
9 | bin-cs.ru | /report.htm
8 | forum.diavolo-rp.ru | /report.htm
8 | deltanineairsoft.com | /report.htm
8 | forum.s1mpluworld.ru | /report.htm
8 | onlyfan.ru | /report.htm
8 | www.j-hero.com | /report.htm
8 | fr.underworld.alwaysdata.net | /report.htm
8 | forum.muapocalypse.ru | /report.htm
8 | mv-forum.free-h.net | /report.htm
7 | forum.gornofwar.ru | /report.htm
7 | skibukovel.ru | /report.htm
7 | stargate-radio.com | /report.htm
7 | forumgg.xost.me | /report.htm
7 | gartepiopv2.altervista.org | /report.htm
7 | evostrike.ro | /report.htm
7 | reprobatessouthwest.co.uk | /report.htm
7 | halo117.com | /report.htm
7 | www.vfpr.ru | /report.htm
7 | www.uobview.com | /report.htm
7 | orioncraft.ru | /report.htm
7 | www.firearmschat.com | /report.htm
7 | konsolowisko.pl | /report.htm
6 | scorpions-wot.tk | /report.htm
6 | www.ultravioletphotography.com | /report.htm
6 | la2nebesa.ru | /report.htm
6 | shieldandsword.ru | /report.htm
6 | accademiaminer.altervista.org | /report.htm
6 | xn--l1adgmc.xn--80ahx8f.xn--e1apq.xn--p1ai | /report.htm
6 | isage.nes.org.sg | /report.htm
6 | veni_vidi_vici.byethost14.com | /report.htm
6 | h2hproject.in | /report.htm
6 | chronic.bplaced.net | /report.htm
6 | forum.xboxarea.com | /report.htm
6 | zabijamy.pl | /report.htm
6 | forum.patriots-cs.ru | /report.htm
6 | forum.myaion.su | /report.htm
6 | kpoxi.ru | /report.htm
6 | www.maxhimitalo.com | /report.htm
6 | elitegamer.ru | /report.htm
6 | turbotamil.org | /report.htm
6 | forum.classicgunz.com | /report.htm
6 | forum.mineclub.org | /report.htm
5 | sinto-online.ru | /report.htm
5 | forum.mccxcix.com | /report.htm
5 | fast-break.org | /report.htm
5 | ps-elumination.com | /report.htm
5 | www.survival-soundz.com | /report.htm
5 | forum.gtr-site.info | /report.htm
5 | poker-hunter.ru | /report.htm
5 | forum.vtex.com.br | /report.htm
5 | forumkulturystyka.com | /report.htm
5 | cs.justbe.pro | /report.htm
5 | 20h27.com | /report.htm
5 | wowfatalityforum.byethost16.com | /report.htm
5 | ptw.lv | /report.htm
5 | l2javelline.ru | /report.htm
5 | darkube.net | /report.htm
5 | wdhe.ru | /report.htm
5 | chatpat.org | /report.htm
5 | www.medics-corpsmen.com | /report.htm
5 | kompstart40.ru | /report.htm
5 | allstudents.net.ru | /report.htm
5 | forum.darkube.net | /report.htm
5 | cs-gold.net | /report.htm
5 | snails-city.ru | /report.htm
5 | azcsforums.com | /report.htm
5 | nightcore.pl | /report.htm
5 | necroz-team.ru | /report.htm
4 | s13club.ru | /report.htm
4 | code-projects.com | /report.htm
4 | lamanserlo.com | /report.htm
4 | zym-server.ru | /report.htm
4 | forum.g-o-d.ru | /report.htm
4 | tagyl.web-planet.cz | /report.htm
4 | gpro.ro | /report.htm
4 | dev.diypedia.ro | /report.htm
4 | playsense.ru | /report.htm
4 | plastidipforum.ru | /report.htm
4 | forum.gzone.info | /report.htm
4 | ots.hmhost.pl | /report.htm
4 | wsat.kz | /report.htm
4 | www.medforum.md | /report.htm
4 | forum.anivisions.ru | /report.htm
4 | forum.mafiacrafting.ru | /report.htm
4 | www.cso-original.ru | /report.htm
4 | xn--80adfeab9argno2mtb.xn--p1ai | /report.htm
4 | www.adminwebmaster.com | /report.htm
4 | corp.spinco.info | /report.htm
4 | fot-cs.p.ht | /report.htm
4 | forums.deimoscorp.eu | /report.htm
4 | homou.org | /report.htm
4 | www.foxiran.com | /report.htm
4 | starkmuebles.com | /report.htm
4 | myforester.ru | /report.htm
4 | kolosov89.tmweb.ru | /report.htm
4 | forum.nephridie.com | /report.htm
4 | forums.agueraton.net | /report.htm
4 | yachtdream.ru | /report.htm
3 | www.e-treedental.com | /report.htm
3 | www.team-increment.com | /report.htm
3 | forum.hansen-ro.com | /report.htm
3 | www.modernmetal.pl | /report.htm
3 | s382436236.websitehome.co.uk | /report.htm
3 | forum.pandaro.ru | /report.htm
3 | spokupki.org | /report.htm
3 | forum.myevoque.ru | /report.htm
3 | sochaczew24h.pl | /report.htm
3 | iiibforever.altervista.org | /report.htm
3 | soft-droid.ru | /report.htm
3 | extradrive.ru | /report.htm
3 | www.lendagames.com | /report.htm
3 | forum.waytotruth.in.ua | /report.htm
3 | www.sosaria.com.br | /report.htm
3 | forum.aion-lightning.su | /report.htm
3 | forum.samp-ml.ru | /report.htm
3 | vipshara.net | /report.htm
3 | art-tm.net | /report.htm
3 | wst-team.ru | /report.htm
3 | driftnsk.ru | /report.htm
2 | ingameclan.myarena.ru | /report.htm
2 | www.fifa-online.pl | /report.htm
2 | angel-css.ru | /report.htm
2 | www.club2108.com | /report.htm
2 | ostrza.arieth.com | /report.htm
2 | www.coachownersclub.com | /report.htm
2 | abt.id.lv | /report.htm
2 | foro.ateneahost.com | /report.htm
2 | hohyunworld.com | /report.htm
2 | www.piratas4x4.com | /report.htm
2 | evgamer.com | /report.htm
1 | e-war.ws | /report.htm
1 | resist.kiev.ua | /report.htm
1 | reamhosting.com | /report.htm
1 | www.sandsofdestiny.net | /report.htm
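The recommendation above is to hunt for the behaviour rather than the file: any internal machine that fetched one of the hacked redirector pages, or that reached heelicotper.ru or the addresses it resolved to, needs to be examined. The script below is an added example of that hunt and is not code from the original post or from Malcovery. It assumes a Squid-style access.log layout (timestamp, elapsed, client IP, status, bytes, method, URL), which is my assumption; the sample log lines are constructed, and the indicator list holds a handful of the hosts and paths quoted on this page plus the redirect target and its four resolved IPs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post: a few of the hacked redirector pages, the
# Black Hole redirect target, and the addresses it resolved to on March 19, 2013.
_RAW_REDIRECTORS = [
    ("www.mysteam.ru", "/report.htm"),
    ("z-la.ru", "/report.htm"),
    ("forum.myfaberlic.com.ua", "/loading.htm"),
    ("www.buyonlineclothing.com", "//wp-content/themes/mantra/uploads/rjtd_irs.html"),
]
EXPLOIT_HOSTS = {"heelicotper.ru"}
EXPLOIT_IPS = {"89.110.131.10", "132.230.75.95", "188.165.202.204", "50.22.0.2"}

SEVERITY_RANK = {"exploit-server": 2, "redirector": 1}

def _norm_path(path):
    """Collapse repeated slashes so '//wp-content/x' and '/wp-content/x' compare equal."""
    return re.sub(r"/+", "/", path) or "/"

REDIRECTOR_PAGES = {(h.lower(), _norm_path(p)) for h, p in _RAW_REDIRECTORS}

# Assumed Squid access.log layout: timestamp elapsed client_ip code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def classify_request(url):
    """Label a proxied URL: 'exploit-server', 'redirector', or None when it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = _norm_path(parts.path)
    # Any contact with the redirect target (by name or by resolved IP) is the
    # stronger signal: the client got past the landing page.
    if host in EXPLOIT_HOSTS or host in EXPLOIT_IPS:
        return "exploit-server"
    if (host, path) in REDIRECTOR_PAGES:
        return "redirector"
    return None

def scan_proxy_log(lines):
    """Group indicator hits by client and rank clients by the worst thing they touched."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not requests
        _ts, client, _method, url = m.groups()
        label = classify_request(url)
        if label:
            findings[client].append((label, url))
    report = []
    for client, hits in findings.items():
        worst = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
        report.append({"client": client, "severity": worst, "hits": hits})
    report.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["client"]))
    return report

# Constructed sample log, not real proxy data.
SAMPLE_LOG = """\
1363700001.123    120 10.1.2.33 TCP_MISS/200 2311 GET http://www.mysteam.ru/report.htm - HIER_DIRECT/1.2.3.4 text/html
1363700002.456     80 10.1.2.33 TCP_MISS/302 412 GET http://heelicotper.ru/forum/links/column.php - HIER_DIRECT/89.110.131.10 text/html
1363700003.789    200 10.1.2.57 TCP_MISS/200 1800 GET http://z-la.ru/report.htm - HIER_DIRECT/5.6.7.8 text/html
1363700004.000     50 10.1.2.90 TCP_HIT/200 900 GET http://www.example.com/index.html - NONE/- text/html
1363700005.000     60 10.1.2.12 TCP_MISS/200 700 GET http://188.165.202.204/forum/links/column.php - HIER_DIRECT/188.165.202.204 text/html
"""

if __name__ == "__main__":
    for entry in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(entry["client"], entry["severity"])
        for label, url in entry["hits"]:
            print("   ", label, url)
```

Clients that reached the exploit server are listed first because they are the ones most likely to have received the dropped executable; a client that only fetched a landing page may have been stopped by the redirect failing, but still deserves a look. To use it against a real log, replace the sample with the full indicator list from the tables above and feed the access.log through `scan_proxy_log`.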

Mar 13, 2013: EFTPS

Last for now, the spam claiming to be from "The Electronic Federal Tax Payment System" (EFTPS) had a different subject for every email, based on a random number stuck in the subject line. "Tax Payment N (RANDOM NUMBER HERE) is failed."

Seventy-eight hacked websites were used by this one to redirect visitors to a Black Hole Exploit Server. Just like above, the "loading.htm" pages redirect to the Black Hole Exploit server, which drops malware onto your computer.


count | machine | path
-------+---------------------------------------------+--------------
32 | forum.myfaberlic.com.ua | /loading.htm
26 | forum.garudaflyff.web.id | /loading.htm
25 | talk.altrock.us | /loading.htm
24 | l2-fallenlords.16mb.com | /loading.htm
23 | forum.rus-hw.ru | /loading.htm
23 | forum.gorod4217.ru | /loading.htm
23 | forums.farahfa.com | /loading.htm
22 | www.forum.deutschland1.ru | /loading.htm
21 | forum.mumonster.com.br | /loading.htm
20 | forum.xorezm.com | /loading.htm
20 | forum.esthus.ru | /loading.htm
20 | la2reckless.16mb.com | /loading.htm
20 | xn----7sbbhei2a7a0ag3e5ehq.xn--p1ai | /loading.htm
19 | forum.vp-css.ru | /loading.htm
19 | forum.sg-wars.com | /loading.htm
19 | la2.under.net.ua | /loading.htm
19 | ambition-bs.bplaced.net | /loading.htm
19 | forum.tiki-online.com | /loading.htm
18 | forum.lin2hero.ru | /loading.htm
18 | forum.bfkc.ru | /loading.htm
18 | cs.franyk.net | /loading.htm
18 | xn--90aefd3alei2i.xn--p1ai | /loading.htm
18 | forum.gr-trophy.ru | /loading.htm
18 | www.rteam.vinfo.fr.nf | /loading.htm
17 | forum.universe-life.ru | /loading.htm
17 | forum.oxuyun.com | /loading.htm
17 | forum.gaming-pro.net.ua | /loading.htm
16 | forum.fnatic.w2c.ru | /loading.htm
16 | forum.mineiros.pt | /loading.htm
16 | xn--l1adgmc.xn--90aicihxbb.xn--p1ai | /loading.htm
16 | forum.autoelectric33.ru | /loading.htm
16 | xbox.pp.ua | /loading.htm
15 | forum.pvp-extreme.ru | /loading.htm
15 | t4-11.mo3gov.net | /loading.htm
15 | forum.100portal.pl | /loading.htm
15 | foro.soranime.net | /loading.htm
15 | info-games.16mb.com | /loading.htm
15 | forum.arva-online.ru | /loading.htm
15 | piton.webuda.com | /loading.htm
15 | forums.egkrinkel.com | /loading.htm
15 | habboinfo.free-h.net | /loading.htm
15 | time-is-now.w2c.ru | /loading.htm
14 | theconfederatestates.net | /loading.htm
14 | forums.bluwavevirtual.org | /loading.htm
14 | forum.thehosthouse.co.uk | /loading.htm
14 | notched.16mb.com | /loading.htm
14 | talk.yumyumpers.ru | /loading.htm
14 | old.zagloba.me | /loading.htm
14 | forum.muzolandia.pl | /loading.htm
14 | ff.xokkeist.ru | /loading.htm
14 | nightcor.cluster015.ovh.net | /loading.htm
14 | rich-rpg.tw1.ru | /loading.htm
13 | forum.prb-fight.dp.ua | /loading.htm
13 | forum.cs-play.org | /loading.htm
13 | letsfiestar.com | /loading.htm
13 | 6.hamming.z8.ru | /loading.htm
13 | forum.l2-virus.net | /loading.htm
13 | elixrr.org | /loading.htm
13 | easy-host.tw1.ru | /loading.htm
13 | forum.mostpeople.ru | /loading.htm
13 | forum.skygsm.com | /loading.htm
13 | forum.wildspirit.su | /loading.htm
12 | forum.gamer-p.ru | /loading.htm
12 | www.forum.redknife-tm.ru | /loading.htm
12 | www.yozzteam.ru | /loading.htm
12 | 90218.d33a.web.hosting-test.net | /loading.htm
12 | forum.illusionsplay.com | /loading.htm
12 | rrp.ct8.pl | /loading.htm
12 | just-craft.vv.si | /loading.htm
12 | minecraft.fatalforces.com | /loading.htm
11 | forum.filix.ru | /loading.htm
11 | www.forum-csc.pp.ua | /loading.htm
11 | forums.consortiumguild.com | /loading.htm
10 | forum.aresus.ru | /loading.htm
10 | data-direction.hu | /loading.htm
9 | forum.dota-info.ru.yellow.intobservatory.ru | /loading.htm
8 | forum.lordsofeurope.ru | /loading.htm
7 | volyn.bplaced.net | /loading.htm
(78 rows)
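Every campaign on this page randomizes part of the lure (the penalty wording, the refund status, the EFTPS payment number, the digits in tax_RANDNUMBERS.zip) so that no two subjects match exactly. The script below is an added example of turning those observed lures into mail-gateway triage rules; it is not code from the original post or from Malcovery. The rule families and the decision to treat the random parts as alternations or `\d+` are my assumptions, and the sample mailbox is constructed.

```python
import re
from collections import Counter

# Rules generalized from the subjects and attachment name quoted in the post.
# The set of variants inside each alternation is an assumption based on what
# the post lists; "fill?ing" also tolerates the correctly spelled word.
SUBJECT_RULES = (
    ("irs-late-filing",
     re.compile(r"^(surcharge|forfeiture|forfeit|pecuniary penalty|fine|penalty)"
                r" for delay of tax return fill?ing$", re.I)),
    ("irs-refund-status",
     re.compile(r"^income tax refund "
                r"(turned down|not accepted|not approved|returned|canceled|rejected)$", re.I)),
    ("intuit-payroll-hold", re.compile(r"^payroll account holded by intuit$", re.I)),
    ("eftps-payment-failed", re.compile(r"^tax payment n\s*\d+ is failed$", re.I)),
)
ATTACHMENT_RULES = (
    # tax_RANDNUMBERS.zip from the TurboTax campaign
    ("turbotax-zip", re.compile(r"^tax_\d+\.zip$", re.I)),
)

def _norm(text):
    """Collapse whitespace so padded or line-wrapped subjects still match."""
    return " ".join(text.split())

def triage_message(subject, attachments=()):
    """Return (family, evidence) for a recognised tax lure, else None."""
    subj = _norm(subject)
    for family, rule in SUBJECT_RULES:
        if rule.match(subj):
            return family, "subject: " + subj
    # Subject did not match; the TurboTax lure is identified by its attachment.
    for name in attachments:
        for family, rule in ATTACHMENT_RULES:
            if rule.match(_norm(name)):
                return family, "attachment: " + name
    return None

def summarize(messages):
    """Count hits per lure family over (subject, attachments) pairs."""
    counts = Counter()
    for subject, attachments in messages:
        hit = triage_message(subject, attachments)
        if hit:
            counts[hit[0]] += 1
    return counts

# Constructed sample mailbox; subjects and attachment names are made up to
# resemble the lures, not copied from real messages.
SAMPLE_MESSAGES = [
    ("Surcharge for delay of tax return filling", []),
    ("Income Tax Refund REJECTED", []),
    ("Your State Tax Return was rejected", ["tax_48213977.zip"]),
    ("Payroll Account Holded by Intuit", []),
    ("Tax Payment N 557301 is failed", []),
    ("Tax Payment N 112 is failed", []),
    ("Lunch on Thursday?", ["menu.pdf"]),
]

if __name__ == "__main__":
    for subject, attachments in SAMPLE_MESSAGES:
        print(triage_message(subject, attachments), "<-", subject)
    print(summarize(SAMPLE_MESSAGES))
```

Anchoring the patterns with `^` and `$` keeps them from firing on legitimate mail that merely mentions a tax refund, and the per-family counts give the same kind of view as the subject table near the top of this post, which is what lets you tell a new wave of an existing campaign apart from background noise.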
