Fake IRS Notifications

Sean-Paul Correll — Mon, 28 Sep 2009 21:45:00 GMT

Fake IRS notification e-mails have been in circulation on the Internet over the past few weeks. We've monitored the situation closely and have observed 30 active domain names currently spreading the Zeus trojan affiliated with the spam campaign, as well as 300 links used in the attack over the past month. The e-mail arrives as a notice of unreported income and directs the victim to click on a link (E.g. www.irs.gov.malwaredomain.com). When clicked, the victim arrives at website designed to look like an official IRS page.

The website attempts to legitimize itself by referencing the receivers name in the Taxpayer ID field and in the download link. Once the malware is accessed, the zeus trojan is silently installed on the victim’s computer and begins to intercept communication with banking sites in order to facilitate financial fraud.

Rogue ScanVirus site impersonates SaaS Anti-Virus

Sean-Paul Correll — Tue, 03 Feb 2009 13:23:00 GMT

Today we discovered a new site using an interesting tactic to trick users into infecting themselves with malware. This time the cyber-criminals opted to pretend to be a Software as a Service (SaaS) Anti-Virus solution.

The "Scan Virus" website uses several legitimate Anti-Malware logos and badges in order to gain the victims confidence. Immediately upon loading the site a fake scan will begin and shortly after that the site will prompt the user to download a file called AntiVir.exe, which we detect as Adware/Antivirus2009. The site attempts to scare users by displaying images such as, "Your PC is infected! Sorry, standard programs cannot disinfect your PC now", and "DOWNLOAD PATCH to fix this problem"

PandaLabs : Trojan

Fake IRS Notifications

Rogue ScanVirus site impersonates SaaS Anti-Virus