Filed Under:
ALERTS

Fake HMRC Notice of Underreported Income

15 January 2010
Nothing is certain but death, taxes and… malware – now also available in the UK

Several months ago I wrote an alert about cybercriminals targeting US taxpayers who were expected to e-file their previous year's tax return. With the Self Assessment Tax Return and Pension Schemes Filing deadlines knocking at the doors of UK taxpayers, the same malware distribution scheme appears to have crossed the ocean and started endangering the unsuspecting subjects of Her Majesty.

The unsolicited message used as bait, which asks the recipient to review an underreported income statement, is identical to the one previously used in the IRS-themed campaign, as you can see below:

[Image: the HMRC-branded bait e-mail]

The allegedly personalized link does not lead to HM Revenue & Customs' Web site, but to a Web page registered under Tuvalu's .tv top-level domain. That page mimics a personalized download location and borrows several visual identification elements of the original site (which lives under the gov.uk domain), such as the logo, header and formatting elements. The domain is the give-away: a lookalike page can copy every pixel of the real site, but it cannot register a gov.uk name.

[Image: the fake HMRC download page on the .tv domain]

The page also provides a link to a purported tax statement that the user is supposed to download and execute. Upon clicking, however, the user does not receive an e-form but a cocktail of malicious payloads, the same one employed earlier this week in another malware campaign that used Microsoft Outlook Web Access as bait.
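The tell in this campaign is the host name, not the page's appearance. As an added example (not code from the original post or from BitDefender), the Python below pulls the links out of a message and checks where each one actually points: it resolves the host the browser would connect to (so a `user@host` trick is caught), accepts only hosts that equal or sit under a trusted suffix (so `evilgov.uk` is not matched by a loose suffix test), and flags hosts that merely contain the trusted name, as the .tv page in this campaign did. The sample message, the trusted-suffix list and the .tv host are all constructed for this example; the real lure's domain is not reproduced.

```python
import re
from urllib.parse import urlsplit

# Constructed sample bait e-mail. The .tv host and the IP address are made up
# for this example and are not the real campaign's infrastructure.
SAMPLE_EMAIL = """\
Dear Taxpayer,

Our records show an underreported income for the year 2008/2009.
Please review your statement: http://www.hmrc.gov.uk.tax-statement-review.tv/review.php?id=1

HM Revenue & Customs https://www.hmrc.gov.uk/
Contact: http://hmrc.gov.uk@198.51.100.23/login
"""

# Domains the genuine sender uses (an assumption for this example).
TRUSTED_SUFFIXES = ("hmrc.gov.uk", "gov.uk")

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


def registered_host(url):
    """Host the browser will actually connect to, lowercased.

    urlsplit() separates userinfo (the part before '@') from the host, so
    'http://hmrc.gov.uk@198.51.100.23/' correctly yields '198.51.100.23'.
    """
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only if host equals a trusted suffix or is a subdomain of it.

    A plain endswith() would accept 'evilgov.uk'; requiring the dot
    boundary prevents that.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def looks_like_lure(url, suffixes=TRUSTED_SUFFIXES):
    """Untrusted link that impersonates a trusted name, either by embedding it
    in a longer host (hmrc.gov.uk.example.tv) or by hiding it in userinfo."""
    host = registered_host(url)
    if is_trusted(host, suffixes):
        return False
    if urlsplit(url).username:          # anything before '@' is not the host
        return True
    return any(s in host for s in suffixes)


def classify_links(text, suffixes=TRUSTED_SUFFIXES):
    """Return (url, host, verdict) for every http(s) link found in text."""
    results = []
    for url in URL_RE.findall(text):
        host = registered_host(url)
        if is_trusted(host, suffixes):
            verdict = "trusted"
        elif looks_like_lure(url, suffixes):
            verdict = "lure"
        else:
            verdict = "untrusted"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print("%-9s %-45s %s" % (verdict, host, url))
```

The same check belongs in a mail gateway rule: a message that claims to come from HMRC but carries a link whose host is not under gov.uk is worth quarantining regardless of how convincing the page behind it looks. Internationalized (homograph) domains are outside what this example handles.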

Trojan.SWF.Dropper.E and Exploit.HTML.Agent.AM are the undisputed stars of this week, which could also explain why infection rates for these two malware breeds suddenly rocketed.

Trojan.SWF.Dropper.E is a generic detection name for a family of Trojans sharing a similar behavior: they are Flash (SWF) files that usually display no meaningful images or animations, but drop and execute various malware files by exploiting a vulnerability in Adobe's Flash Player. The dropped files may change over time (different variants can drop and execute different malware programs). The most affected countries between January 1st and January 13th are: US (13%), Spain (11%), France and Romania (9% each), Canada (5%), UK, Australia, Germany and Thailand (3% each).
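Added example, not part of the original alert and not BitDefender's detection logic: a small SWF tag walker in Python that does what a first-pass triage of a suspected Flash dropper does. It handles the uncompressed (FWS) and zlib-compressed (CWS) container, checks the declared file length against the real one, walks the tag records, and reports DefineBinaryData tags (tag code 87) whose blob starts with an MZ header or a nested SWF, one place a dropper can carry the file it later writes out and runs. The sample file is built by the block itself and is not a real dropper; the heuristic is this example's assumption, not the actual Trojan.SWF.Dropper.E signature, and LZMA-compressed (ZWS) files are not handled.

```python
import struct
import zlib

# Tag codes from the SWF file format specification.
TAG_END = 0
TAG_DEFINE_BINARY_DATA = 87


def decompress_swf(data):
    """Return (version, uncompressed body) for an FWS or CWS file.

    The 8-byte header is: signature (3), version (1), file length (u32 LE).
    For CWS the length is that of the *uncompressed* file, so it can be
    checked against what zlib actually produced.
    """
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("not an FWS/CWS SWF file")
    if len(body) + 8 != length:
        raise ValueError("declared length %d does not match actual size" % length)
    return version, body


def rect_size(body):
    """Byte length of the RECT (stage size) that starts the body.

    RECT is a 5-bit field count followed by four fields of that many bits,
    padded to a byte boundary.
    """
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(body):
    """Yield (tag_code, payload) for every tag record in the body."""
    pos = rect_size(body) + 4          # skip RECT, frame rate (u16), frame count (u16)
    while pos + 2 <= len(body):
        header = struct.unpack("<H", body[pos:pos + 2])[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:             # long form: real length follows as u32
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def scan_swf(data):
    """Triage heuristic (this example's assumption): report binary blobs that
    look like an executable or another SWF hidden inside DefineBinaryData."""
    version, body = decompress_swf(data)
    findings = []
    for code, payload in iter_tags(body):
        if code == TAG_DEFINE_BINARY_DATA:
            blob = payload[6:]         # u16 character id + u32 reserved precede the data
            if blob.startswith(b"MZ"):
                findings.append("DefineBinaryData with embedded PE (MZ) header")
            elif blob[:3] in (b"FWS", b"CWS", b"ZWS"):
                findings.append("DefineBinaryData with nested SWF")
    return {"version": version, "compressed": data[:3] == b"CWS", "findings": findings}


def build_sample_swf():
    """Constructed sample: a CWS file whose only content is a DefineBinaryData
    tag carrying a fake PE stub. It is not a real dropper; it exists only to
    exercise the scanner offline."""
    rect = bytes([0x00])                                   # nbits = 0 -> one byte
    header_fields = rect + struct.pack("<HH", 0x0C00, 1)   # 12.0 fps, one frame
    blob = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    payload = struct.pack("<HI", 1, 0) + blob
    tag = (struct.pack("<H", (TAG_DEFINE_BINARY_DATA << 6) | 0x3F)
           + struct.pack("<I", len(payload)) + payload)
    end = struct.pack("<H", TAG_END << 6)
    body = header_fields + tag + end
    return b"CWS" + bytes([10]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)


if __name__ == "__main__":
    print(scan_swf(build_sample_swf()))
```

A real dropper will usually obfuscate or encrypt the blob, so an MZ check alone will miss it; the value of walking the tags is that it tells you quickly whether a file that claims to be an animation carries any large opaque binary at all, which is the question worth asking first.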

Exploit.HTML.Agent.AM abuses Flash object vulnerabilities that allow arbitrary code execution when a specially crafted Flash object is loaded into a Web page. Once an infected Web page is opened, the Trojan creates a specially crafted SWF object that places a payload in the heap and transfers execution to it; the file it then downloads was detected as Trojan.Spy.ZBot.EKG.

To protect your systems and data and avoid becoming a victim of on-line tax fraud, follow the ten security tips below:

  • install and activate reliable antimalware, firewall and spam-filter solutions, such as those provided by BitDefender.
  • update your antimalware, firewall and spam filter as frequently as possible, with the latest virus definitions and signatures for suspicious applications/files.
  • scan your system frequently.
  • check regularly with your operating system provider: download and install the latest security updates and malicious software removal tools, as well as other patches or fixes.
  • do not open e-mails and e-mail attachments from senders you do not know, especially when they contain tax-related text in the Subject line.
  • do not respond by submitting any personal information (such as user names and passwords, social security number, bank account or credit card numbers) to any alleged e-mail request from HMRC, the IRS or tax preparation companies. These organizations usually do not send generic e-mails (addressed to a "Dear taxpayer"), but customized printed notification forms (including your full name, as well as other unique identification details) through the regular postal service. If you have any doubt about an e-mail you received from such an organization, contact it directly, using a phone number or address you already know rather than one taken from the e-mail.
  • do not click any links contained in spam e-mails, including the "unsubscribe" ones; you might trigger other malware and compromise your system's security.
  • when sending sensitive data on-line, ensure that the recipient Web site uses SSL encryption (Secure Sockets Layer) and proper authentication: look for the "https" prefix and the locked padlock, and keep in mind that the padlock only proves the connection is encrypted, not that the site belongs to the organization named in the e-mail, so check the domain name as well.
  • if you are asked to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority before accepting it.
  • if you have any suspicions, do not hesitate to contact the authorities:
      ◦ HM Revenue & Customs
      ◦ Police Central e-Crime Unit
      ◦ Serious Organised Crime Agency

 





Comments:

USB extension cable said on Aug-8-2011 05:41

Thank you very much for the heads up, Razvan. Here, in case readers can find it useful, some additional information on Trojan.SWF.Dropper.E: http://www.computerworld.com.au/article/332659/new_trojan_malware_cocktail_targets_microsoft_outlook_web_access_users/
