Zeus trojan disguises itself as the tax man

The fraudulent email warned consumers that their tax payments had been rejected by the IRS and directed them to a website that was part of a large Zeus botnet. The site infected the computer and then redirected the user to the IRS’s legitimate electronic federal tax payment system (EFTPS) site. The user would type sensitive information into the EFTPS fields, while the keylogging malware on the computer recorded all of the information that was typed.

The IRS issued an Oct. 15 warning about the tax fraud scheme.

“Consumers should be aware of a scam in which recipients receive an e-mail that claims to come from the Electronic Federal Tax Payment System. The e-mail states that tax payments made by the e-mail recipient through EFTPS have been rejected. The e-mail then directs recipients to a bogus website containing malicious software (malware) that infects the intended victim’s computer. To avoid the bogus website and malware, do not click on any links, open any attachments or reply to the sender for any e-mail you may receive that claims to come from EFTPS.”

The IRS stressed that it does not communicate payment information via email.

Solera Networks said its researchers discovered the Zeus trojan after investigating a zero-day attack at one of its customers' sites.

“We discovered this in the course of an unrelated investigation of an enterprise company that we had been working with in response to an incident they recently had. The common factor between the two of them was one of the vectors of attack – a vulnerability in Java engines that are deployed on most desktops today. Everything except the most current version of the Java engine is vulnerable to attacks against the sound subsystem within the Java virtual machine”, explained Joe Levy, chief technical officer at Solera Networks. In addition to the Java engine, the attacks can also exploit PDF software.

Levy told Infosecurity that the initial wave of the scam involved Zeus botnet websites in Russia. But many of those websites have been shut down. The second wave, which started Oct. 15, involves websites with dot com addresses using a different registrar.

“Through an arbitrary code injection attack, [the website] delivers the Zeus botnet executable down to the target machine. Once [the malware] is installed, that is the keylogger and the Zeus botnet client. That begins to log all of the local keystrokes on the machine, and it also makes the contact to the Zeus command and control servers”, he said.

“All of this happens in the blink of an eye. So you follow the link. You are redirected off to one of the exploit sites; the exploit sites deliver some method of exploitation…. After the infection occurs, it redirects the user to an actual dot gov site. So the ultimate destination of the victims, if they click on that link, is going to be a legitimate site…. At this point, they have already been infected and the keystroke logger collects all of the sensitive and valuable information that they are providing to the site”, Levy explained.
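The redirect chain Levy describes (lure site, then exploit, then a bounce to the real EFTPS site) leaves a trace a defender can look for: a request to the legitimate payment site whose Referer is an unrelated third-party host. The following is an added detection sketch, not code from Solera Networks or the article; the proxy log format, hostnames and trusted-referrer list are constructed assumptions to be tuned per environment.

```python
from urllib.parse import urlparse

# Constructed web-proxy log lines (hypothetical format):
#   timestamp client status url referer      ("-" means no Referer header)
SAMPLE_LOG = """\
2010-10-15T09:12:01 10.0.0.5 200 http://lure.example/payment-rejected.html -
2010-10-15T09:12:03 10.0.0.5 200 https://www.eftps.gov/eftps/ http://lure.example/payment-rejected.html
2010-10-15T09:30:00 10.0.0.7 200 https://www.eftps.gov/eftps/ -
2010-10-15T09:31:10 10.0.0.7 200 https://www.eftps.gov/eftps/login https://www.eftps.gov/eftps/
2010-10-15T09:40:00 10.0.0.9 200 https://www.eftps.gov/eftps/ https://www.irs.gov/payments
"""

# Assumption: hops into EFTPS from other government sites are expected;
# anything else referring a user straight into the payment site is worth a look.
TRUSTED_REFERRER_SUFFIXES = (".gov",)
# The legitimate destination the attack finally lands the victim on.
PROTECTED_SITES = ("eftps.gov",)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or "" when there is none ("-" or junk)."""
    return (urlparse(url).hostname or "").lower()


def parse_line(line: str) -> dict:
    """Split one constructed proxy-log line into its fields."""
    ts, client, status, url, referer = line.split()
    return {"ts": ts, "client": client, "status": int(status),
            "url": url, "referer": referer}


def suspicious_arrivals(log_text: str) -> list:
    """Return (timestamp, client, referring host, destination host) for every
    request to a protected site that arrived from an untrusted third-party host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dest = host_of(rec["url"])
        if not any(dest == s or dest.endswith("." + s) for s in PROTECTED_SITES):
            continue                      # not the site we are protecting
        ref = host_of(rec["referer"])
        if not ref or ref.endswith(TRUSTED_REFERRER_SUFFIXES):
            continue                      # direct visit, or a hop between .gov sites
        findings.append((rec["ts"], rec["client"], ref, dest))
    return findings


if __name__ == "__main__":
    for f in suspicious_arrivals(SAMPLE_LOG):
        print("possible lure->EFTPS bounce:", f)
```

A hit only says the client reached EFTPS via an unknown site; the follow-up is to pull that client's traffic around the timestamp and check the referring host and any downloads from it.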

Blocking this type of attack is difficult because there is usually a window during which cybercriminals are able to exploit a vulnerability before a vendor can update its software, explained Pete Schlampp, Solera Networks’ vice president of marketing and product development. “As [cyber criminals] continue to evolve, there is always going to be this window of exposure, and it is this window of exposure that they rely on to sneak in behind the set of defenses that might be in place,” he said.
