SANS ISC InfoSec Handlers Diary Blog



Soon to come: IRS Spam

Published: 2007-10-30
Last Updated: 2007-10-30 20:46:50 UTC
by Johannes Ullrich (Version: 1)

Our friends at iDefense/Verisign shared a template with us for a new IRS phishing e-mail, which they expect to be mailed out soon (today). The template looks like it will be sent as a multipart MIME-encoded e-mail with a plain-text and an HTML part.

The '%' keywords in the template will be replaced with customized content. Expect URLs like this one to be used:
http://ads.tvfly.com/banner/.error_log/b.php

Note that the directory name starts with a '.' in order to hide it on compromised Unix systems. Another common directory name is '.bbb'. File names to expect are b.php, kit.zip and update.exe.
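One way to check mail for links matching these indicators, as an added example that is not part of the original diary: it walks the text parts of a multipart message and flags URLs with dot-prefixed path segments or the file names listed above. The function names, the sample message and the host.example placeholder are assumptions of this example.

```python
import email
import re
from email import policy
from urllib.parse import unquote, urlsplit

# File names the diary says to expect on the phishing hosts.
EXPECTED_FILES = {"b.php", "kit.zip", "update.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def url_findings(url):
    """Return the diary's indicators that a URL matches."""
    segments = [s for s in unquote(urlsplit(url).path).split("/") if s]
    # Dot-prefixed names are hidden from a plain `ls`; .well-known is legitimate.
    findings = ["hidden:" + s for s in segments
                if s.startswith(".") and s not in {".", "..", ".well-known"}]
    if segments and segments[-1].lower() in EXPECTED_FILES:
        findings.append("file:" + segments[-1].lower())
    return findings


def scan_message(raw):
    """Map each flagged URL in the text parts of a raw e-mail to its findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url_findings(url):
                    hits[url] = url_findings(url)
    return hits


# Constructed sample message; host.example is a placeholder host.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Download: http://ads.tvfly.com/banner/.error_log/b.php
--b1
Content-Type: text/html

<a href="http://host.example/img/.bbb/kit.zip">form</a>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A file-name match on its own (for example a legitimate update.exe) is a weak signal; the combination with a hidden directory is the stronger one.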

 

Here is the top part of the template:

From=IRS e-file <efilesubmission@irsefile.gov>
Reply-To=IRS e-file <efilesubmission@irsefile.gov>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!
%TEXT_TEMPLATE_DELIMITER%

Binary Attachments

___________________


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:

%link%