Fake tax payment rejection notice delivers Zeus variant

The latest IRS-themed spam campaign carries a deadly attachment – a variant of the infamous Zeus Trojan, warns AppRiver.

The e-mail, purportedly coming from the Internal Revenue Service, contains a warning:

“Urgent Report! Your Federal Tax Payment ID: XXXXXXXXXX has been rejected.
Return Reason Code R21 – The identification number used in the Company Identification Field is not valid.
Please, check the attached information and refer to Code R21 to get details about your company payment in transaction contacts section.”

Both the subject line and the e-mail text use a random combination of digits when referencing the notice and payment ID. The attached IRS-TAX-Notification-printing-form-SNXXXXXXXX.zip file contains a Zeus variant that had an extremely low detection rate on VirusTotal when AppRiver first spotted the e-mail yesterday – only one of the 41 solutions used managed to recognize the file for what it was.

“Since the U.S. government waited until the last minute to extend tax cuts at the end of 2010, the IRS was unable to accept millions of tax returns until just yesterday,” points out Troy Gill. “Millions of Americans are likely expecting to hear whether or not their tax return has been accepted or rejected via email within the next 48 hour period, so this attack could really not be better timed.”

“Of course the legitimate email will come from the Tax Preparation Company that you used to file and not from the IRS directly,” he says, but people who are not very careful are likely to overlook this small discrepancy.
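The traits described above (a sender claiming to be the IRS, the rejected payment ID wording, Return Reason Code R21 and the attachment name) can be combined into a mail-gateway triage rule. The following is an added example, not code from AppRiver or the original article; the function names, the quarantine threshold and the reading of each "X" as one digit are assumptions.

```python
import re
from email.message import EmailMessage

# Assumption: each "X" in the article's redacted strings is one digit; the
# length range is deliberately loose.
ATTACH_RE = re.compile(r"IRS-TAX-Notification-printing-form-SN\d{6,12}\.zip", re.I)
BODY_RES = {
    "rejected_payment_id": re.compile(
        r"Federal Tax Payment ID:\s*\d{6,12}\s+has been rejected", re.I),
    "reason_code_r21": re.compile(r"Return Reason Code R21", re.I),
}
SENDER_RE = re.compile(r"internal revenue service|\birs\b", re.I)


def lure_signals(msg: EmailMessage) -> set:
    """Return the names of the campaign traits found in one parsed message."""
    signals = set()
    if SENDER_RE.search(msg.get("From", "")):
        signals.add("claims_irs_sender")
    for part in msg.iter_attachments():
        if ATTACH_RE.fullmatch(part.get_filename() or ""):
            signals.add("attachment_name")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for name, rx in BODY_RES.items():
        if rx.search(text):
            signals.add(name)
    return signals


def should_quarantine(msg: EmailMessage) -> bool:
    """Quarantine on the attachment name alone, or on any two other traits."""
    found = lure_signals(msg)
    return "attachment_name" in found or len(found) >= 2


def build_sample(sender, text, attachment=None) -> EmailMessage:
    """Constructed test message; no real mail or malware is involved."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="zip", filename=attachment)
    return msg
```

The filename rule only matches this wave as described; the sender and wording signals are the ones that still fire if the archive is renamed.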
