New Zeus Attack Preys On Quarterly Federal Taxpayers

Massive spam campaign poses as alerts that electronic federal tax payments have failed, then infects and sends victims to the legitimate Treasury Department website for filing quarterly taxes

Dark Reading Staff, Dark Reading

October 16, 2010

3 Min Read
Dark Reading logo in a gray background | Dark Reading

A widespread spam campaign that began several days ago started spiking today, Oct. 15 -- quarterly tax payment deadline day in the U.S.: The Zeus-laden attack poses as an alert from the government's electronic tax payment system, telling recipients that their payment was rejected and sending them to a link that both infects them and redirects them to the legitimate electronic federal tax payment system website, eftps.gov.

Researchers at Solera Networks say they first discovered the Zeus tie-in with the spam run -- which features high volumes of spam emails with subject lines such as, "LAST NOTICE: Your Federal Tax Payment has been rejected in the system" -- during the past 24 hours after they had been investigating a zero-day attack at one of their customer's sites. They say they were struck both by the volume of the spam run and the layered method of the attack.

"Late last night we were able to put the pieces of information together that showed this was very interesting," says Peter Schlampp, vice president of marketing and product management for Solera Networks. "The call to action on this campaign is to click on the link, which says eftps.gov, but in the background is a different URL. It has several redirects and attempts to exploit your system. If successful, it gets you to the eftps.gov website, and with a keylogger installed all the information you [input there] gets sent to [the attacker] as well as the system, and you become part of the botnet."

The attack uses Zeus Version 2, according to Solera, and is one of the biggest spam campaigns Solera has ever seen.

As of this afternoon, Cisco Systems witnessed a sudden, dramatic drop in the attack after it had basically peaked this morning, when it accounted for about 34 percent of all spam found by Cisco. But the decrease could only be temporary, experts say. Henry Stern, senior security researcher at Cisco, says it could be a result of someone taking down the malware-spreading site.

As of 10 a.m. Eastern, the Zeus spam attack made up 20 percent of the spam detected by Solera Networks.

Joe Levy, CTO of Solera, says the attack came from domains registered in Russia and was staged in two waves. "There are eight or nine domains that have been blackholed already. The second wave hit this morning -- some of the language had changed and [typos were fixed]. The domain is registered now as .com and no longer as .ru."

While it's a typical wide-net spam run, the attackers appear to be targeting mostly small to midsize businesses that electronically file their quarterly taxes, he says. The attack drops either a Java v 18 exploit or an Adobe PDF one, he says, depending on which one the victim's machine is vulnerable to. "It evaluates your OS and determines the best attack, and then redirects you to a page that delivers the payload exploit," he says. It then downloads a keylogger and the Zbot malware to the victim machine. The keylogger grabs any information the victim types into the real tax website, and the Zbot malware makes the machine turn around and spam other potential victims in the same attack.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights