Sponsored by..

Showing posts with label IRS. Show all posts
Showing posts with label IRS. Show all posts

Friday 6 March 2015

Malware spam: "Your 2015 Electronic IP Pin!" / "Internal Revenue Service [refund.noreply@irs.gov]"

This fake IRS email comes with a malicious attachment.

From:    Internal Revenue Service [refund.noreply@irs.gov]
Date:    6 March 2015 at 08:48
Subject:    Your 2015 Electronic IP Pin!

Dear Member

This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.

Please kindly download the microsoft file to securely review it.

Thanks

Internal Revenue Service
915 Second Avenue, MS W180

So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://chihoiphunumos.ru/js/bin.exe

There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools [1] [2] show attempted connections to:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithunia)

According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103

Friday 23 January 2015

Malware spam: "IRS Fiscal Activity 531065" / "support@irsuk.co"

This fake IRS spam actually does use the irsuk.co domain to host malware.

From:    IRS [support@irsuk.co]
Date:    23 January 2015 at 11:46
Subject:    IRS Fiscal Activity 531065

Hello, [redacted].

We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.

To install the program go to the link above:
http://irsuk.co/DownloadIRSService/SetupIRS2015.zip


Thanks
Intrenal Revenue Sevrice
London W1K 6AH
United Kingdom
The ZIP file contains a malicious executable SetupIRS2015.exe  which has a VirusTotal detection rate of 8/53. The irsuk.co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux.com (78.24.219.6 - TheFirst-RU, Russia)

The WHOIS details for the domain are almost definitely fake, but kind of interesting..

Registrant ID:               CR185450554
Registrant Name:             Thomas McCaffrey
Registrant Organization:     Real Help Communications, Inc.
Registrant Address1:         3023 Anzac Avenue
Registrant City:             Roslyn
Registrant State/Province:   Pennsylvania
Registrant Postal Code:      19001
Registrant Country:          United States
Registrant Country Code:     US
Registrant Phone Number:     +1.2158872818
Registrant Email:            tom@realhelp.net


They're interesting because these really are the valid contact details for Real Help Communcations, Inc which makes me wonder if their domain account at GoDaddy has been compromised.

A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk.co) , but the host on the IP identifies itself as ukirsgov.com which is a domain created on the same day (2015-01-19) but has been suspended due to invalid WHOIS details (somebody at csc.com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.).That IP is identified as malicious by VirusTotal with a number of bad domains and binaries.

The malware POSTS to garbux.com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF.

Overall, automated analysis tools are not very clear about what this malware does [1] [2] [3] [4] [5] although you can guarantee it is nothing good.

Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk.co
garbux.com
ukirsgov.com
updateimage.ru
getimgdcenter.ru
agensiaentrate.it
freeimagehost.ru




Tuesday 13 January 2015

Malware spam: "john.smith@mail-irs.gov" / "Your tax return was incorrectly filled out"

This fake tax return spam leads to malware:

From: John Smith [mailto:john.smith@mail-irs.gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out


Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
The link in the email has a format such as:
http://marypageevans.com/taxadmin/get_doc.html
http://laser-support.co.uk/taxadmin/get_doc.html

A journey through some heavily obfuscated javascript follows (see here for a deeper analysis of this sort of attack) which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead.

The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:

http://202.153.35.133:19639/1301us23/HOME/0/51-SP3/0/
http://202.153.35.133:19639/1301us23/HOME/1/0/0/
http://dstkom.com/mandoc/lit23.pdf
http://202.153.35.133:19657/1301us23/HOME/41/7/4/

It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs.gov on your email gateway might help.

Monday 27 January 2014

"Your FED TAX payment" spam

This fake "Tax payment" spam comes with a malicious attachment:

Date:      Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
From:      "TaxPro_PTIN@irs.gov" [TaxPro_PTIN@irs.gov]
Subject:      Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***

Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.

For more information, please download notification, using your security PIN 55178.

Transaction Number:     34KIRS821217111

Payment Amount:     $ 9712.00

Transaction status:     Rejected

ACH Trace Number:     768339074172506

Transaction Type:     ACH Debit Payment-DDA

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50. Automated analysis by Malwr is inconclusive, other analysis tools are currently down or under DDOS at the moment.

Monday 30 September 2013

IRS "Invalid File Email Reminder" spam / oooole.org

This fake IRS spam leads to malware on oooole.org:

Date:      Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From:      "Fire@irs.gov" [burbleoe9@irs.org]
Subject:      Invalid File Email Reminder

9/30/2013

Valued Transmitter,

We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:

Filename    # of Times
Email Has
Been Sent    Tax
Year
ORIG.62U55.2845    2    2012


If you did not know your file contained invalid data, the results are posted on the FIRE (Filing Information Returns Electronically) System within two business days of your transmission. It is your onus to check your filing results. To view your file results open the page: Check File Status.

If you have sent an acceptable file that you think replaces the above file(s) or if you are uncertain how to resolve the errors in your file(s), please contact the IRS/Information Returns Branch: Please fill in the contact form; 
The link in the email goes through a legitimate hacked site and then redirects through one of the following three scripts:
[donotclick]savingourdogs.com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns.biz/resonators/sunbonnet.js
[donotclick]polamedia.se/augusts/fraudulence.js

The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole.org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains listed in italics below.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org

savingourdogs.com
solaropti.manclinux3.ukdns.biz
polamedia.se

Monday 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.

Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:      "IRS.gov" [fraud.dep@irs.gov]
Subject:      Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/

Case Number: 488870383295

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2013 Council of IRS, Inc. All Rights Reserved.

Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47.

ThreatExpert and Comodo CAMAS give a little background information, but in this case the Malwr analysis seems to be the most comprehensive and shows traffic out the the following compromised sites:

prospexleads.com
phonebillssuck.com
moneyinmarketing.com
abbeyevents.co.uk
salsaconfuego.com
fales.info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed.


Friday 8 March 2013

"Your tax return appeal is declined" / gimilako.ru

This following fake IRS spam leads to malware on gimilako.ru:

From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service


Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time). 
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru

Friday 15 February 2013

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information


Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net


Tuesday 12 February 2013

IRS spam / micropowerboating.net

This fake IRS spam leads to malware on micropowerboating.net:

Date:      Tue, 12 Feb 2013 22:06:55 +0800
From:      Internal Revenue Service [damonfq43@taxes.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.

Please enter official website for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================


Date:      Tue, 12 Feb 2013 15:00:35 +0100
From:      Internal Revenue Service [zirconiumiag0@irs.gov]
Subject:      Income Tax Refund NOT ACCEPTED

Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.

Please browse official site for more information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================

Date:      Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From:      Internal Revenue Service [idealizesmtz@informer.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.

Please enter official site for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time. 

The malicious payload is on [donotclick]micropowerboating.net/detects/pending_details.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating.net 
morepowetradersta.com
asistyapipressta.com
uminteraktifcozumler.com
rebelldagsanet.com
madcambodia.net
acctnmrxm.net
capeinn.net
albaperu.net
live-satellite-view.net

Friday 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Monday 19 November 2012

"W-1" spam / 5.chinottoneri.com

This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form or some sort from the US Internal Revenue Service.

From: Administrator [mailto:administrator@victimdomain.com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE

To All Employee's:

The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].

 Administrator,
http://victimdomaincom
In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP, blocking it would be wise.

Wednesday 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net

Thursday 20 September 2012

Federal Tax Payment Spam / soisokdomen.ru

This fake tax payment spam leads to malware on soisokdomen.ru:

Date:      Thu, 20 Sep 2012 09:10:47 -0300
From:      Badoo [noreply@badoo.com]
Subject:      Re: Fwd: Tax Payment COM1684-645 is failed.

Hello,



Your Federal Tax Payment has been rejected.

Please, check the information and refer to Code I 94 to get details about

your company payment:



http://www.eftps.gov/section794/P9367027



JACINTA Stout,

The Electronic Federal Tax Payment System
The malicious payload (probably Blackhole 2) is at [donotclick]soisokdomen.ru:8080/forum/links/column.php hosted on the following familiar looking IP addresses:

213.135.42.98
50.56.92.47
203.80.16.81


Blocking these would be prudent.



Tuesday 18 September 2012

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High


Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY 

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com

Monday 17 September 2012

IRS Spam / virtual-geocaching.net

This spam leads to malware on virtual-geocaching.net:

Date:      Mon, 17 Sep 2012 11:28:14 -0600
From:      Internal Revenue Service [tangierss4@porterorlin.com]
Subject:      IRS report of not approved tax transfer

Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.

Not Accepted Tax transaction
Tax Transaction ID:     30062091798009
Reason of rejection     See details in the report below
Federal Tax Transaction Report     tax_report_30062091798009.doc (Microsoft Word Document)

Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA 
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.

IRS spam / thebummwrap.net

This fake IRS spam leads to malware on thebummwrap.net:

From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted


Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID:     60498447771657
Rejection code    See details in the report below
Income Tax Transaction Report    tax_report_60498447771657.doc (Microsoft Word Document)

Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI


The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.

At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.

thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net

Monday 27 August 2012

"Federal Tax Payment" spam / videomanipulationccflbacklit.pro

This spam attempts to load malware from videomanipulationccflbacklit.pro although at the moment the domain is not resolving:

Date:      Mon, 27 Aug 2012 18:15:37 +0300
From:      "Internal Revenue Service" [irs@service.govdelivery.com]
Subject:      Federal Tax transaction canceled

Your Tax transaction (ID: 849395748011), recently sent from your checking account was canceled by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     849395748011
Return Reason     See details in the report below
FederalTax Transaction Report     tax_report_849395748011.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Mon, 27 Aug 2012 16:41:45 +0200
From:      "Internal Revenue Service" [irs@service.govdelivery.com]
Subject:      Rejected Federal Tax payment

Your Tax transaction (ID: 13394702616857), recently initiated from your bank account was returned by the your Bank.

Rejected Tax transfer
Tax Transaction ID:     13394702616857
Reason for rejection     See details in the report below
Tax Transaction Report     tax_report_13394702616857.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========


Date:      Mon, 27 Aug 2012 16:41:35 +0200
From:      "Internal Revenue Service" [support@govdelivery.com]
Subject:      Federal Tax payment canceled

Your Tax transaction (ID: 7227784606474), recently initiated from your bank account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transfer
Tax Transaction ID:     7227784606474
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_7227784606474.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?

Tuesday 14 August 2012

"Federal Tax" spam / wireframeglee.info

This tax-themed spam leads to malware on wireframeglee.info:


Date:      Tue, 14 Aug 2012 15:21:33 +0200
From:      "Internal Revenue Service" [alerts@irs.gov]
Subject:      Rejected Federal Tax transfer

Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transaction
Tax Transaction ID:     38969777924999
Return Reason     See details in the report below
Tax Transaction Report     tax_report_38969777924999.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Tue, 14 Aug 2012 13:31:21 +0000
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Federal Tax payment canceled

Your federal Tax payment (ID: 903463682456), recently from your bank account was rejected by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     903463682456
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_903463682456.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========


Date:      Tue, 14 Aug 2012 14:42:19 +0200
From:      "Internal Revenue Service" [noreply@irs.gov]
Subject:      Your Federal Tax transaction

Your Tax transaction (ID: 80110764248536), recently initiated from your checking account was returned by the your Bank.

Canceled Tax transaction
Tax Transaction ID:     80110764248536
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_80110764248536.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The malicious payload is at [donotclick]wireframeglee.info/main.php?page=39630332cf486f5a (report here) hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can.

Thursday 26 July 2012

"Federal Tax transfer" spam / retweetadministrator.org

These fake "Federal Tax Transfer" spams lead to malware on retweetadministrator.org:


Date:      Thu, 26 Jul 2012 20:56:10 +0530
From:      "Internal Revenue Service" [alerts@irs.gov]
Subject:      Federal Tax transfer returned

Your federal Tax payment (ID: 632004160993), recently from your checking account was rejected by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     632004160993
Rejection Reason     See details in the report below
Tax Transaction Report     tax_report_632004160993.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785


==========

Date:      Thu, 26 Jul 2012 20:55:41 +0530
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Rejected Federal Tax transaction

Your Tax payment (ID: 766644379032), recently initiated from your checking account was rejected by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     766644379032
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_766644379032.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Thu, 26 Jul 2012 12:00:54 -0300
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Rejected Federal Tax transfer

Your federal Tax payment (ID: 776394251906), recently from your checking account was returned by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     776394251906
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_776394251906.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785


The malicious payload is on [donotclick]retweetadministrator.org/main.php?page=8b45f871830c6e5a (report here) hosted on 89.253.231.202 (Rusonyx Ltd, Moscow).

Wednesday 14 March 2012

INTUIT / IRS malicious spam and georgekinsman.net

There are two parallel spam campaigns running right not, one in the "Intuit.com invoice" form, one in the "IRS Tax Appeal form".

Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.