New Targeted Malware Attack Targets Corporations with Fake IRS Notice of Deficiency

 

June 2008: A new targeted threat using blended web-based malware has emerged in the form of an email purporting to be from the Internal Revenue Service. The new attack, which is similar to those previously identified from other organizations, is highly targeted and includes very specific recipient information, including the individual's name, company information, and phone number, which increases the perception of legitimacy. In this instance, the recipient is notified of a deficiency in payment and is provided with a link to the specific documentation for the case.

When the recipient clicks the link in the email to download additional documentation, they are directed to a webpage under the domain "tax-revenue.com" (Warning: do not click any link or navigate to the website as it does contain malware). A malicious file, acrobat.dll, is automatically downloaded, and the system registry is modified to run the malware at the next reboot. The malware is a backdoor that allows remote control of the system.

Unlike some blended threats, users only need to navigate to the web page to activate the malware download. It is recommended that users do not click on any links in email to navigate to questionable sites.

Because it is a targeted attack, this type of malware attack is not typically blocked by filters looking for high-volume attacks. In addition, the attack circumvents traditional anti-virus methods by shifting the attack to the web, thereby avoiding signature-based AV gateways.
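Since volume-based filters and signature-based gateways miss this kind of message, a content check can flag it from a single email: the message claims to come from the IRS, but its link leads elsewhere. The following is an added example, not Avinti's code; the function names, the sample messages and the rule that legitimate IRS links sit under irs.gov are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "irs.gov"  # assumption: genuine IRS links are under irs.gov
CLAIM = re.compile(r"\b(irs|internal revenue service)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _is_trusted(host):
    # Exact match or a true subdomain; "irs.gov.example.net" does not pass.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def _body_text(msg):
    # Collect every text part (plain or HTML) so links in either are seen.
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def suspicious_links(raw_message):
    """Return link hosts outside irs.gov when a message claims to be from the IRS."""
    msg = message_from_string(raw_message)
    display, _addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    fields = (display, msg.get("Subject", ""), body)
    if not any(CLAIM.search(f) for f in fields):
        return []  # no IRS claim, nothing to compare against
    hosts = {urlsplit(u).hostname for u in URL.findall(body)}
    return sorted(h for h in hosts if h and not _is_trusted(h))

# Constructed sample messages; only the domain in the first is from the advisory.
SAMPLE_TARGETED = (
    'From: "Internal Revenue Service" <notice@example.org>\n'
    "Subject: Notice of Deficiency\n\n"
    "Case documents: http://tax-revenue.com/case/0000 See also https://www.irs.gov/\n"
)
SAMPLE_LOOKALIKE = (
    "From: Tax Office <office@example.org>\nSubject: IRS refund\n\n"
    "Pay at http://irs.gov.example.net/pay\n"
)
SAMPLE_UNRELATED = (
    "From: Cafeteria <menu@example.com>\nSubject: Lunch\n\n"
    "Menu: http://example.com/menu\n"
)
```

A non-empty result is a reason to quarantine the message for review, whatever its sending volume.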

Anyone who receives a suspect email purporting to be from the IRS may visit the IRS webpage to view IRS communication policies and how to submit questionable emails for review.


 
©2003-2007 Avinti, Inc.