Tax Return Virus Perfectly Timed
Cybercriminals are always eager to exploit any angle possible when it serves their interests and helps them to spread their malware to as many individual’s computers as possible. Today we are seeing a Malware campaign that is at the very least well timed and fairly well crafted.
The messages we are seeing, claim to be from the IRS and state that “Your Federal Tax Payment has been rejected”. The message contains an attachment that you are asked to open for more information. The attachments contains an .exe file that if run will infect your computer instantly. Under preliminary analysis the infection has been identified as a variant of the Zeus Trojan. At 9am CST only 1 of 41 AV engines are able to identify the attachment as malicious software. Here is a look at the message:
Messages claiming to be from the IRS are nothing new but this is perhaps the most uniquely well timed attack that we have seen. Since the U.S. government waited until the last minute to extend tax cuts at the end of 2010, the IRS was unable to accept millions of tax returns until just yesterday. Every individual claiming certain deductions and using tax software to e-file their return would have had their tax return held by the tax preparation company (TurboTax, Taxact, H&R Block, etc..) until Feb. 14th ,then sent automatically, when the IRS would be ready to accept these returns. Most of these individuals would have received an email yesterday stating that their tax return has been “sent” to the IRS and that they would receive another email confirmation once the return had been “accepted” by the IRS. In other words… Millions of Americans are likely expecting to hear whether or not their tax return has been accepted or rejected via email within the next 48 hour period, so this attack could really not be better timed. Of course the legitimate email will come from the Tax Preparation Company that you used to file and not from the IRS directly. The IRS does not ask for personal identifying or financial information via unsolicited e-mail.