Tax-themed spam email leads to malware

Cyber criminals are becoming increasingly adept at turning out legitimate-looking spam emails, so that sometimes even more experienced users fall for the various scams.

SANS Internet Storm Center handler Manuel Santander warns about an email supposedly sent by the market customer service of Intuit, an American software company that develops widely used financial and tax-preparation software and offers related services.

The email looks quite legitimate, but hovering the mouse over one of the offered links reveals a destination URL that does not appear to belong to the company.
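One way to automate the hover check described above, as an added example that is not part of the original article or of the ISC diary: the script parses an HTML email body and flags anchors whose visible text shows one domain while the href points at another, links whose target is outside the brand's own domain, and hostnames that merely embed the brand name in a longer lookalike host. The sample message, the expected-domain list and the "last two labels" domain heuristic are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the message described above (not the real email).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Thank you for your order from Intuit Market.</p>
<p>Your order details are available here:
<a href="http://example-bad-host.test/order/view.php?id=1">https://market.intuit.com/orders</a></p>
<p><a href="https://market.intuit.com/orders">market.intuit.com/orders</a></p>
<p><a href="http://intuit.com.example-bad-host.test/login">Intuit Market Customer Service</a></p>
<p><a href="https://intuit.com/support">Contact support</a></p>
</body></html>
"""

# Assumption: the domains a genuine message from this sender would link to.
EXPECTED_DOMAINS = ("intuit.com",)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; a real tool would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches a hostname (optionally with scheme) inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return (href, visible_text, reason) for links whose real target disagrees
    with what the reader sees or with the domains the message claims to represent."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, javascript: etc. are out of scope here
        host = parsed.hostname or ""
        target_dom = registrable_domain(host)
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != target_dom:
            findings.append((href, text, "visible URL differs from real target"))
        elif target_dom not in expected_domains:
            if any(d in host for d in expected_domains):
                findings.append((href, text, "brand name embedded in lookalike hostname"))
            else:
                findings.append((href, text, "target outside expected domains"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed sample, the script reports the first link (visible text shows market.intuit.com but the href goes elsewhere) and the third (intuit.com appears only as a prefix of an unrelated host); the two genuine intuit.com links pass.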

Once users follow the link, obfuscated JavaScript and an iframe redirect them to another website, where they are told to wait while their order is being loaded.

In the meantime, another malicious JavaScript tries to determine which browser is running on the system and which Adobe Flash and Adobe Reader versions are installed on the computer, and finally executes shellcode whose aim is to download a specific DLL file onto the computer.

The DLL then injects itself into explorer.exe, hooks another DLL file, and finally reports back to a Russian domain that resolves to a number of IP addresses. The websites at these IP addresses are not thematically related but, judging by another recent Intuit-themed spam campaign, are likely compromised and hosting an exploit kit that leads to malware.

The US tax season ends on April 17. Until then, users are advised to be especially careful when reviewing tax-themed emails that make their way into their inboxes.
