IRS Tax Avoidance Scam

Written by

Today, eSoft is alerting customers to a new targeted email scam. This newest twist to the common IRS email scam seems to be targeted to organizations, notifying the recipient of a tax evasion complaint being filed against the company. Opening the file infects the user's machine with dangerous trojans that monitor the infected machine, report back to the attacker and download other malicious payloads.

An example of the fraudulent email is below, which prompts the user to open "balance report" attachment.  Because the attachment appears to be a Word file, most users will readily trust the file and proceed to open the file to find out more.

The file is actually in Rich Text Format (RTF) and contains a hidden executable. Upon opening the file, an error is reported and the user is asked to double click to restart Word. Doing so will open the executable as shown below, with most unsuspecting users allowing the malicious file to run.


 Two processes are started and added to Windows startup to run on subsequent boots, microsoft.exe and wks.exe. These processes send data back to the attacker using HTTP connections to their call home destination. eSoft is flagging these sites as Malicious to protect any victims of this attack.

These call home destinations are even disguised as a Google search page to evade detection by web filtering companies and automated systems, which may detect the site as a search engine.



At the time of writing, Virus Total reports only a 25% detection rate on the most recent samples.

Users should be very cautious with any unsolicited emails, particularly those containing an attachment. The IRS will never email you if they need to contact you, and any emails appearing to come from them are very likely malicous scams. As noted on the IRS website, "The IRS does not initiate taxpayer communications through email."

What’s hot on Infosecurity Magazine?