Sponsored by..

Monday 30 September 2013

IRS "Invalid File Email Reminder" spam / oooole.org

This fake IRS spam leads to malware on oooole.org:

Date:      Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From:      "Fire@irs.gov" [burbleoe9@irs.org]
Subject:      Invalid File Email Reminder

9/30/2013

Valued Transmitter,

We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:

Filename    # of Times
Email Has
Been Sent    Tax
Year
ORIG.62U55.2845    2    2012


If you did not know your file contained invalid data, the results are posted on the FIRE (Filing Information Returns Electronically) System within two business days of your transmission. It is your onus to check your filing results. To view your file results open the page: Check File Status.

If you have sent an acceptable file that you think replaces the above file(s) or if you are uncertain how to resolve the errors in your file(s), please contact the IRS/Information Returns Branch: Please fill in the contact form; 
The link in the email goes through a legitimate hacked site and then redirects through one of the following three scripts:
[donotclick]savingourdogs.com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns.biz/resonators/sunbonnet.js
[donotclick]polamedia.se/augusts/fraudulence.js

The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole.org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains listed in italics below.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org

savingourdogs.com
solaropti.manclinux3.ukdns.biz
polamedia.se

No comments: