Cyren Security Blog

IRS Summer Tax forum – the things they don’t teach you

Lesson one: The IRS is a confirmed favorite of spammers, phishers and malware distributors. As an example, consider the attacks from the last few weeks that have targeted users of the IRS’s electronic payment portal. This time the attack starts with an email about tax forums to train and serve the tax practitioner community. The content of the fraudulent email is almost the same as the article “IRS Tax Forums Planned for this Summer” from May 2004 (!). The cybercriminals have only changed the dates and some words to make it more appealing to tax practitioners. The IRS has posted a note about this malware on its website.

The attachment is a blank document file that contains a malformed Adobe Flash object exploiting the recent vulnerability CVE-2011-0611, which was discovered back in April.

The embedded Flash contains the following ActionScript:

After dumping the shellcode, the URL is visible at the end – this hosts the malware “g.exe” that will be downloaded and executed on the infected computer.

Commtouch’s Command Antivirus detects this malware as: Exploit/WRD.gen.
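For triage of attachments like the one described above, the following added example (not code from the original post or from Commtouch) locates Flash objects embedded in a document by their SWF headers and pulls printable URLs out of a dumped blob. The function names, the version bound and all sample bytes are assumptions constructed for illustration; the host in the sample URL is a placeholder.

```python
import re
import struct
import zlib

SWF_MAGIC = re.compile(rb"[FC]WS")      # FWS = uncompressed SWF, CWS = zlib-compressed
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")

def find_embedded_swf(data, max_version=50):
    """Return (offset, signature, version, declared_length) per plausible SWF header."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue                    # too short to hold the 8-byte header
        version = data[off + 3]
        (declared_len,) = struct.unpack_from("<I", data, off + 4)
        # Heuristic bounds (assumed): reject stray "FWS"/"CWS" bytes that are not headers
        if not 1 <= version <= max_version or declared_len < 8:
            continue
        if m.group() == b"CWS":
            try:                        # body after the header must be a zlib stream
                if not zlib.decompressobj().decompress(data[off + 8:], 64):
                    continue
            except zlib.error:
                continue
        hits.append((off, m.group().decode(), version, declared_len))
    return hits

def extract_urls(blob):
    """Pull printable http(s) URLs out of a dumped binary blob."""
    return [u.decode("ascii") for u in URL_RE.findall(blob)]

def build_sample():
    """Constructed input: OLE2 magic, one FWS, one decoy "CWS" string, one real CWS."""
    body = b"\x00" * 32
    declared = struct.pack("<I", 8 + len(body))
    fws = b"FWS\x0a" + declared + body
    cws = b"CWS\x09" + declared + zlib.compress(body)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"A" * 20 + fws + b"noise CWS\x09junkjunkjunk" + cws

if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print("embedded SWF at offset %d: %s v%d, declared length %d" % hit)
    # Constructed blob standing in for dumped shellcode
    print(extract_urls(b"\x90\x90\xeb\x10http://example.invalid/g.exe\x00"))
```

A hit inside an Office document is a reason to carve the object out and inspect it in an isolated analysis environment; the header check alone does not say whether the Flash content is malicious.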
