Security Corner

Sep 29 2009   12:58AM GMT

New IRS Scam and It Could Cost You More Than Taxes!



Posted by: Ken Harthun
Tags: data stealer, E-mail scam, IRS Phishing, keylogger, Security, Social Engineering, Trojan

You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly” in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY, is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.

The Zeus keystroke-logging Trojan’s engine is a file called “sdra64.exe”. At least that’s what LSC’s tech guy found (variations are sure to surface).

Rather than repeat it in my own words, here’s the US-CERT list of recommendations:

1  Comment on this Post

 
  • Mwoodsophosinc
    Just to add to the list of potential compromised file names, previous versions of the Zeus Trojan have used names including:
      • ntos.exe
      • oembios.exe
      • twext.exe
    The latest variant uses the name "sdra64.exe". These EXE files typically appear in the C:\WINDOWS\system32 directory.
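A triage sketch for the file names mentioned in the post and in the comment above, added here as an example and not code from the author, the commenter, or US-CERT. It walks a directory tree (a live system32 or a mounted disk image) and records size, timestamp and SHA-256 for each name match; the function names and the default path handling are assumptions of this example.

```python
import hashlib
import os
import sys
import time

# File names reported on this page for Zeus (the post and the reader comment).
ZEUS_FILE_NAMES = {"sdra64.exe", "ntos.exe", "oembios.exe", "twext.exe"}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_zeus_named_files(root):
    """Walk root and return a triage record for every file whose name is in
    ZEUS_FILE_NAMES. Matching is case-insensitive, as Windows file names are."""
    hits = []
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() not in ZEUS_FILE_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                info = os.stat(path)
                record = {
                    "path": path,
                    "size": info.st_size,
                    "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(info.st_mtime)),
                    "sha256": sha256_of(path),
                }
            except OSError as err:
                # A locked or unreadable file is still worth reporting.
                record = {"path": path, "error": str(err)}
            hits.append(record)
    return sorted(hits, key=lambda r: r["path"].lower())


if __name__ == "__main__":
    # Assumption: default to the directory named in the comment; pass the
    # path of a mounted disk image to scan a machine offline instead.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32"
    for hit in find_zeus_named_files(target):
        print(hit)
```

A name match is only a lead for further analysis, and a clean result proves little, since the post itself expects the file name to vary.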