Data443 & Cyren
Products
- - - Products
    - For OEMs
    - Malware Detection
    - Malware Analysis
    - URL Categorization
    - Email Security
    - Threat Intelligence
    - For Enterprises
    - Malware Analysis
    - Inbox Security for Office 365
    - Threat Intelligence
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
Solutions
- - - Expert Support
      
      Cyren’s dedicated security analysts have the expertise to deeply investigate sophisticated threats – their embedded documents and messy code.
      
      And from their vantage point across companies, geographies, and industries, analysts can track emerging attack vectors and prevent breaches.
      
      “For any false positive or user reported items, we do not need to be involved. Cyren’s dedicated team is on top of all these items.”
      
      via Gartner Peer Insights
Resources
- - - Recent Posts
      - Analyzing behavior to protect against BEC attacks December 22, 2022
      - Using NLP techniques to protect against BEC attacks December 8, 2022
      - Phishing with QR codes December 1, 2022
Company
- - - Company
    - About Cyren
    - Careers
    - Management
    - In the News
    - Contact Us
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
BOOK A DEMO

Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

“Your IRS EFTPS payment rejected” – Emails lead to malware on over 2,500 domains

“Your federal tax payment was rejected”. We imagine that the sight of these words would make even the most security-aware individuals click on anything in sight as they race to resolve this troubling news. In the last 24 hours Commtouch Labs has detected vast quantities of emails that inform recipients of payments that have been rejected by the Electronic Federal Tax Payment System (EFTPS). A sample is shown below:

Email text:

Your federal Tax payment (ID: ---), recently initiated from your checking account

 was rejected by the The Electronic Federal Tax Payment System.

Rejected Tax transfer

Tax Transaction ID:                 -----

Rejection Reason                     See details in the report below

Tax Transaction Report tax_report_58715026253962.pdf.exe (self-extracting archive, Adobe PDF)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The emails all use “irs.gov” addresses with fake employee names in the “from” field. The image is downloaded directly from the IRS site. We note the neat addition of “self-extracting archive” next to the file name – apparently to allay the fears of users who are wary of opening executable files.

The links lead to any of 2,500 domains (!) that we have tracked related to these emails. All of the domains were registered in the last 48 hours. The destination pages (confusingly) shows a “404 not found” messages which actually hides the script that starts the “PDF” file download. The downloaded filename for this site was: TAX45368001.pdf.exe.

When a user opens the file the malware takes the following actions that seem characteristic of a bot/password stealer:

It sets itself up to run on Windows startup
Drops 3 files:
- C:Documents and SettingsuserApplication DataIwabboji.ybe
- C:Documents and SettingsuserApplication DataQyfewoobx.exe
- C:DOCUME~1userLOCALS~1Temptmp97e95e58.bat – this file just deletes the original executable.
It injects a thread into explorer.exe which downloads an encrypted blob from vesv—-wtytz.biz.
It listens on port 27032 for connections.
It injects threads into most other running processes.

Commtouch’s Command Antivirus detects this malware as: W32/Heuristic-300!Eldorado.

Users of the EFTPS system are advised to take note of the reminder at the top of the EFTPS page:

Remember! EFTPS values your privacy and security and will never attempt to contact you via e-mail. If you ever receive an e-mail that claims to be from EFTPS or from a sender you do not recognize that mentions a payment made through EFTPS, forward the e-mail to phishing@irs.gov or call the Treasury Inspector General for Tax Administration at 1.800.366.4484

Jun 22, 2011 | Security Research & Analysis

Categories

You might also like

Analyzing behavior to protect against BEC attacks

Business Email Compromise

Understanding “normal” behaviors in email exchanges are key to combating advanced phishing and BEC attacks by John Stevenson Detecting Business Email Compromise (BEC) In the final part of our series of blogs on Business Email Compromise (BEC), it’s time to look at how...

Using NLP techniques to protect against BEC attacks

Business Email Compromise, Office 365, Phishing

How Natural Language Programming help combat phishing and BEC attacks by John Stevenson Business Email Compromise (BEC) Business Email Compromise (BEC) covers a range of email attacks that typically share a common core attribute. There is no obvious executable...

Phishing with QR codes

Phishing, Security Research & Analysis

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...