
Monday 5 December 2011

Spam: "Federal Tax payment canceled / Rejected Federal Tax payment" and twistloft.com

There's nothing particularly new with this IRS spam, but because spammers are stupid, all the examples that I have seen today have an invalid link and cannot be clicked through.

Here is a sample:

Date:      Mon, 5 Dec 2011 11:29:03 +0100
From:      Bernadine_Woody@irs.gov
Subject:      Federal Tax payment canceled

Your Tax payment (ID: 6318017800684), recently from your bank account was rejected by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     6318017800684
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_6318017800684.pdf (Adobe Acrobat Reader Document)

How does IRS e-file work?
A. You or your tax professional, prepare your tax return. In many cases, the tax professional is also the Electronic Return Originator (ERO) who is authorized to file your return electronically to the IRS. Ask your tax professional to file your return through IRS e-file.
You sign your electronic tax return by either using a Self-Select PIN for e-file for a completely paperless return, or by signing Form 8453, U.S. Individual Income Tax Transmittal for an IRS e-file Return.See " If the return is electronic, how do I sign it?" for more information.
After you sign the return using a Self-Select PIN or Form 8453,the ERO transmits the return to the IRS or to a third-party transmitter who then forwards the entire electronic record to the IRS for processing. Once received at the IRS, the return is automatically checked by computers for errors and missing information. If it cannot be processed, it is sent back to the originating transmitter (usually the ERO) to clarify any necessary information. After correction, the transmitter retransmits the return to the IRS. Within 48 hours of electronically sending your return to IRS, the IRS sends an acknowledgment to the transmitter stating the return is accepted for processing. This is your proof of filing and assurance that the IRS has your return information. The Authorized IRS e-file Provider then sends Form 8453 to the IRS.
If due a refund, you can expect to receive it in approximately three weeks from the acknowledgment date - even faster with Direct Deposit (half the time as when filed on paper). If you owe tax, see "What if I owe Money?" for payment options available this year.


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (the Wepawet report is here; do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access to that IP and domain name might be prudent.
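One way to check web proxy logs for clients that reached the indicators above, as an added example that is not part of the original post. The log format, the sample lines and the function names are constructed for illustration, and flagging the same `main.php?page=` URL shape on other hosts for review is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
BAD_DOMAIN = "twistloft.com"
BAD_IP = "65.254.63.228"
# Shape of the landing URL in the post: /main.php?page=<16 hex characters>.
# Seeing this shape on another host is only a reason to review (assumption).
LANDING_RE = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")

# Constructed sample log; assumed format: "time client_ip method url status".
SAMPLE_LOG = """\
2011-12-05T10:31:07 10.0.0.21 GET http://twistloft.com/main.php?page=111d937ec38dd17e 200
2011-12-05T10:31:09 10.0.0.34 GET http://www.irs.gov/efile/index.html 200
2011-12-05T10:32:40 10.0.0.21 GET http://65.254.63.228/favicon.ico 404
2011-12-05T10:35:12 10.0.0.57 GET http://example.org/main.php?page=0123456789abcdef 200
2011-12-05T10:36:00 10.0.0.34 GET http://nottwistloft.com/index.html 200
2011-12-05T10:36:30 10.0.0.60 CONNECT www.twistloft.com:443 200
"""

def classify(url):
    """Return 'block', 'review' or None for one requested URL."""
    # CONNECT lines carry host:port with no scheme; "//" lets urlsplit parse them.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    # Exact domain or a subdomain of it, never a mere suffix such as nottwistloft.com.
    if host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN) or host == BAD_IP:
        return "block"
    target = parts.path + ("?" + parts.query if parts.query else "")
    return "review" if LANDING_RE.match(target) else None

def triage(log_text):
    """Return (verdict, client, time, url) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of guessing at their layout
        when, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict:
            hits.append((verdict, client, when, url))
    return hits

if __name__ == "__main__":
    for verdict, client, when, url in triage(SAMPLE_LOG):
        print(f"{verdict:6} {client:10} {when} {url}")
```

Clients with a `block` hit are the ones to follow up with a scan; a `review` hit only says the URL has the same shape as the one in this post.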

2 comments:

David said...

I got this fake IRS email yesterday. It looked legit and I was off my guard and clicked on the pdf attachment. It opened Firefox but no page loaded. Does this mean nothing malicious got through to me? Thank you for blogging about this ... it's a real public service.

Conrad Longmore said...

@David

Looks like the bad site might be down at the moment, however a scan with something like the F-Secure Online Scanner might be wise.