
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

IRS Summer Tax forum – the things they don’t teach you

Lesson one: The IRS is a confirmed favorite of spammers, phishers and malware distributors. As an example, consider the attacks from the last few weeks that have targeted users of the IRS’s electronic payment portal. This time the attack starts with an email about tax forums to train and serve the tax practitioner community. The content of the fraudulent email is almost the same as the article “IRS Tax Forums Planned for this Summer” from May, 2004 (!). The cybercriminals have only changed the dates and some words to make it more appealing for tax practitioners. The IRS has posted a note about this malware on their website.

The attachment is a blank document file which contains a malformed Adobe Flash object that exploits the recent vulnerability CVE-2011-0611, which was discovered back in April.

The embedded Flash contains the following ActionScript:

After dumping the shellcode, the URL is visible at the end – this hosts the malware “g.exe” that will be downloaded and executed on the infected computer.

Commtouch’s Command Antivirus detects this malware as: Exploit/WRD.gen.
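A triage sketch for the kind of attachment described above (an added example, not code from the original post): it carves embedded Flash objects out of a document by their `FWS`/`CWS` header and scans a dumped buffer for URL strings. The function names are illustrative, and the sample document, dump bytes and `example.invalid` URL are constructed.

```python
import re
import struct
import zlib

SWF_SIG = re.compile(rb"[FC]WS")  # uncompressed / zlib-compressed SWF signature
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{4,200}")

def find_embedded_swf(blob: bytes):
    """Yield (offset, uncompressed_swf) for each plausible SWF header in blob."""
    for m in SWF_SIG.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        (length,) = struct.unpack_from("<I", blob, off + 4)  # total uncompressed size
        if not 1 <= version <= 40 or length <= 8:
            continue  # stray "FWS"/"CWS" bytes, not a real header
        if blob[off:off + 3] == b"FWS":
            if off + length > len(blob):
                continue
            yield off, blob[off:off + length]
        else:  # CWS: everything after the 8-byte header is a zlib stream
            try:  # cap output at the declared size to bound decompression
                body = zlib.decompressobj().decompress(blob[off + 8:], length - 8)
            except zlib.error:
                continue
            if len(body) == length - 8:
                yield off, b"FWS" + blob[off + 3:off + 8] + body

def extract_urls(buf: bytes):
    """Return printable http(s) URLs found in a dumped buffer."""
    return [u.decode("ascii") for u in URL_RE.findall(buf)]

def build_sample():
    """Constructed inputs: an OLE-style file with one CWS blob, and a dumped buffer."""
    body = b"\x00" * 32 + b"constructed-body"
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + cws + b"\x00" * 16
    dump = b"\xaa" * 24 + b"http://example.invalid/placeholder.bin\x00"
    return doc, dump

if __name__ == "__main__":
    doc, dump = build_sample()
    for off, swf in find_embedded_swf(doc):
        print(f"SWF at offset {off}, version {swf[3]}, {len(swf)} bytes")
    print(extract_urls(dump))
```

A Flash object inside an office document received by email is unusual enough to justify quarantining the attachment for analysis, whatever the carved object turns out to contain.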
