Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

IRS Summer Tax forum – the things they don’t teach you

Lesson one: The IRS is a confirmed favorite of spammers, phishers and malware distributors. As an example, consider the attacks from the last few weeks that have targeted users of the IRS’s electronic payment portal. This time the attack starts with an email about tax forums to train and serve the tax practitioner community. The content of the fraudulent email is almost the same as the article “IRS Tax Forums Planned for this Summer” from May 2004 (!). The cybercriminals have only changed the dates and some words to make it more appealing to tax practitioners. The IRS has posted a note about this malware on their website.

The attachment is a blank document file containing a malformed Adobe Flash file that exploits CVE-2011-0611, the recent vulnerability that was discovered back in April.
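A defensive triage sketch for the kind of attachment described above, added here as an example and not taken from the original post or from any vendor tooling: it scans a file for embedded SWF headers (`FWS`/`CWS` magic, version byte, little-endian length field). The function names, the bounds and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

SIGNATURES = (b"FWS", b"CWS")   # uncompressed / zlib-compressed SWF magic
MAX_VERSION = 50                # assumption: generous bound on the version byte
MAX_LENGTH = 64 * 1024 * 1024   # assumption: ignore absurd declared sizes


def _cws_body_ok(body: bytes, expected: int) -> bool:
    """True if the zlib stream after a CWS header inflates to the declared size."""
    try:
        out = zlib.decompressobj().decompress(body, expected + 1)
    except zlib.error:
        return False
    return len(out) == expected


def find_embedded_swf(data: bytes) -> list:
    """Return plausible SWF headers found at any offset inside `data`."""
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                declared = struct.unpack("<I", header[4:8])[0]
                if 1 <= version <= MAX_VERSION and 8 <= declared <= MAX_LENGTH:
                    if sig == b"CWS":
                        consistent = _cws_body_ok(data[pos + 8:], declared - 8)
                    else:
                        consistent = declared <= len(data) - pos
                    hits.append({"offset": pos, "signature": sig.decode(),
                                 "version": version, "declared_length": declared,
                                 "length_consistent": consistent})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample() -> bytes:
    """Constructed input: OLE2 magic, padding, then a dummy CWS and FWS stream."""
    body = b"\x00" * 32                            # placeholder, not real SWF tags
    size = struct.pack("<I", 8 + len(body))
    cws = b"CWS" + bytes([10]) + size + zlib.compress(body)
    fws = b"FWS" + bytes([9]) + size + body[:16]   # truncated on purpose
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x20" * 56 + cws + b"\x20" * 8 + fws


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print(hit)
```

Any hit inside an e-mailed document is worth a closer look; a `length_consistent` value of `False` marks a stream whose declared size does not match the bytes actually present.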

The embedded Flash file contains the following ActionScript:

After dumping the shellcode, the URL is visible at the end – this hosts the malware “g.exe” that will be downloaded and executed on the infected computer.

Commtouch’s Command Antivirus detects this malware as: Exploit/WRD.gen.
