X-Labs
August 4, 2010

2010 Tax-Themed Malicious Emails

Forcepoint

Websense Security Labs™ ThreatSeeker™ Network has detected a wave of tax-themed malicious email. While the tax theme is common in spam email all year round, it is interesting to see the different strategies malware authors use in their campaigns.

 

Last June we saw reports of email with the subject "Notice of Underreported Income". Today, we have seen a couple of emails with the same subject but different attack strategies.

The first sample below uses a malicious link, just like those distributed earlier. Unlike the earlier malicious email, which redirected to a fake IRS site that instructed the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting an immediate download of a file (adobe_flash_install.exe) without going to a fake IRS site.

Payload:

 

The second sample below is more aggressive in that the malicious zip [MD5: dfbb95730b2377cccf8372107bdef503] is attached to the email. It is recognized by 1/42 AV engines via VirusTotal.

 

In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”.  It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal.
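A mail-triage check built from the indicators in this post, as an added example that is not Websense code: it matches the two subject lines, hashes each attachment against the two MD5 values above, and still flags a zip under those subjects when the hash is new. The verdict names, addresses, file name and sample bytes are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the post above.
SUBJECTS = {"notice of underreported income", "you are in a higher tax bracket"}
KNOWN_MD5 = {"dfbb95730b2377cccf8372107bdef503", "3b9c60c761734fcd4ac7a753c93ec5d1"}

def triage(raw, known_md5=KNOWN_MD5):
    """Classify one raw RFC 5322 message (bytes).

    Returns 'known-sample', 'suspect-attachment', 'subject-only' or 'clean'
    (verdict names are hypothetical, chosen for this example).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    # Normalise case and whitespace before comparing the subject line.
    subject_hit = " ".join(str(msg["Subject"] or "").lower().split()) in SUBJECTS
    zip_attached = False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Exact hash match: the attachment is one of the two samples in the post.
        if hashlib.md5(data).hexdigest() in known_md5:
            return "known-sample"
        name = (part.get_filename() or "").lower()
        # The ZIP local-file-header magic also catches renamed archives.
        if name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            zip_attached = True
    if not subject_hit:
        return "clean"
    # A repacked archive has a new hash, so the subject plus a zip is still flagged;
    # a subject hit with no archive may be the link variant described earlier.
    return "suspect-attachment" if zip_attached else "subject-only"

def make_message(subject, attachment=None, filename="statement.zip"):
    """Build a constructed test message; addresses and file name are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please review the attached statement.")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_zip = b"PK\x03\x04" + b"constructed, harmless bytes"
    print(triage(make_message("Notice of Underreported Income", fake_zip)))
    print(triage(make_message("Quarterly report", fake_zip)))
```
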

 
 Websense® Messaging and Websense Web Security customers are protected against this attack.

 

 
