Sponsored by..

Tuesday 14 August 2012

"Federal Tax" spam / wireframeglee.info

This tax-themed spam leads to malware on wireframeglee.info:


Date:      Tue, 14 Aug 2012 15:21:33 +0200
From:      "Internal Revenue Service" [alerts@irs.gov]
Subject:      Rejected Federal Tax transfer

Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transaction
Tax Transaction ID:     38969777924999
Return Reason     See details in the report below
Tax Transaction Report     tax_report_38969777924999.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Tue, 14 Aug 2012 13:31:21 +0000
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Federal Tax payment canceled

Your federal Tax payment (ID: 903463682456), recently from your bank account was rejected by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     903463682456
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_903463682456.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========


Date:      Tue, 14 Aug 2012 14:42:19 +0200
From:      "Internal Revenue Service" [noreply@irs.gov]
Subject:      Your Federal Tax transaction

Your Tax transaction (ID: 80110764248536), recently initiated from your checking account was returned by the your Bank.

Canceled Tax transaction
Tax Transaction ID:     80110764248536
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_80110764248536.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The malicious payload is at [donotclick]wireframeglee.info/main.php?page=39630332cf486f5a (report here) hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can.

2 comments:

Marco said...

Here is the report link:
http://wepawet.cs.ucsb.edu/view.php?hash=a86218221b491b623ca6ca8d9a8d0177&t=1344983762&type=js

Conrad Longmore said...

@Marco - thanks, I have added it.