Webroot reports tax return malware-infecting email scam reaching the UK

In a blog posting, Andrew Brandt, one of Webroot's threat analysts, said that, for several months now, Webroot has been seeing spam and phishing websites which purport to be IRS notifications of delinquent non-payment of income taxes.

"Who can blame the fraudsters - almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue", he said.

With the income tax paper filing deadline of 31 October in the UK fast approaching, Brandt said it is inevitable that we would see this successful phishing routine repeated elsewhere - "and, probably, again as we get closer to the UK's electronic tax filing deadline, at the end of January", he noted.

The malware-infected phishing attempt begins, he said, with an email message warning users that they are about to incur penalties for 'unreported/underreported income'.

"In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions."

"The email links to a formal-looking web page, which contains the officious message: 'Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement'."

The linked file, the Webroot threat analyst noted, is not a tax statement, but a piece of malware - about 90 kilobytes in size - that infects the user's PC.

The malware is Prograv - aka Zbot - and is, said Brandt, a prolific, if generic, trojan backdoor in use today.

"That was in evidence when we looked at some of the strings in this particular trojan sample, and found references to the trojan's ability to steal login secrets for Bank of America - a bank that doesn't have a particularly large following (or customer base) in the UK", he said.

According to Brandt, victims who fall for this phishing trick should run a full scan of their hard drive, and change the passwords of any email service or website they have logged into since downloading and running the tax-statement.exe file.
