Security Corner

Sep 29 2009   12:58AM GMT

New IRS Scam and It Could Cost You More Than Taxes!

Ken Harthun

You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly”, in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY, is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.

The Zeus keystroke logging Trojan’s engine is a file called “sdra64.exe.” At least that’s what LSC’s tech guy found (variations are sure to surface).

Rather than repeat it in my own words, here’s the US-CERT list of recommendations:

1  Comment on this Post

  • Mwoodsophosinc
    Just to add to the list of potentially compromised file names, previous versions of the Zeus Trojan have used names including:
      • ntos.exe
      • oembios.exe
      • twext.exe
    The latest variant uses the name "sdra64.exe". These EXE files typically appear in the C:\WINDOWS\system32 directory.
