Bogus emails supposedly coming from the US Internal Revenue Service (IRS), informing users that their “tax transaction” has been cancelled and trying to get them to follow a malicious link, have been spotted hitting inboxes around the world.
While individuals not living in the US are unlikely to fall for the scam for obvious reasons, some US citizens might be alarmed by the message and follow the link, which will take them to a bogus “Page loading…” page, hosted on a variety of compromised hosts.
The bad news is that the JavaScript that redirects the victims to one of the pages serving the Blackhole exploit kit is currently detected by only 8 of the 41 AV solutions used by VirusTotal.
The good news is that once the kit exploits one of the two software flaws it is designed to target, the assortment of malware dropped on the system – the Cridex Trojan among them – is detected by at least half of those solutions.
Unfortunately, those users who don’t use an AV solution – or the right one – are still heavily at risk.
Upon execution, the samples phone back to an IP address that has previously been used in a number of spam campaigns and, according to Webroot, leads to a number of malicious domains and C&C servers.