Wednesday 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php, hosted on 74.207.232.13 (Linode, US); it looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php, hosted on 203.91.113.6 (G-Mobile, Mongolia), an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.
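Besides blocking the IPs, the samples above share two traits a mail filter can test. This is an added example, not code from the original post: it flags a From display name that claims the IRS while the address is outside irs.gov, and, assuming the messages were HTML with the visible irs.gov URL as anchor text, a link whose href points elsewhere. The function names and the href in the sample body are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLAIMED = "irs.gov"  # domain the samples claim to come from
BRAND = re.compile(r"\b(irs|internal revenue service)\b", re.I)

def host_in(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)
def url_host(value):
    try:  # bare text such as "www.irs.gov/..." is parsed as a network path
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

def sender_mismatch(from_header):
    """Display name claims the IRS but the address is not under irs.gov."""
    name, addr = parseaddr(from_header)
    return bool(BRAND.search(name)) and not host_in(addr.rpartition("@")[2], CLAIMED)

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_mismatches(html):
    """Links whose visible text shows an irs.gov URL while the href goes elsewhere."""
    audit = LinkAudit()
    audit.feed(html)
    return [(t, h) for t, h in audit.links
            if host_in(url_host(t), CLAIMED) and not host_in(url_host(h), CLAIMED)]
# From values as in the samples (blog's [..] written as <..>); HTML is constructed.
SAMPLE_FROMS = ['"Internal Revenue Service (IRS)" <58D1F47@guyzzer.com>',
                'Internal Revenue Service <weirdpr6@polysto.com>']
SAMPLE_HTML = ('<a href="http://landing.example.net/x.php">'  # placeholder href
               'https://www.irs.gov/Login.aspx?u=E8710D9E9</a>')
```

Both checks compare against the registered domain with a suffix match on a dot boundary, so a lookalike such as irs.gov.example.net is still treated as outside irs.gov.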

These other bad domains are associated with the Mongolian IP address:
