US taxpayers beware

Cybercriminals targeting US taxpayers have launched a second wave of phony “tax payment rejected” emails. The first major outbreak started around June 21st. As before, the emails warn recipients that a tax payment submitted via the IRS’s Electronic Federal Tax Payment System has been rejected. To find out why, recipients are given a link to what the email describes as a “self-extracting” Adobe PDF file. It is nothing of the kind: the file carries a double extension (.pdf.exe), so it is an executable dressed up as a document, and that executable is malware.
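The lure relies on two tricks a mail gateway or endpoint tool can check for mechanically: a double extension whose last, effective part is executable, and file content that does not match what the name claims. The following Python is an added example written for this page, not code from the original post or from any vendor; it generalises beyond .pdf.exe to any document-looking extension hiding any Windows-executable extension, and it sniffs the first bytes to catch a PE file that merely calls itself report.pdf. The extension lists, the magic-byte table and the sample email text are this example’s own assumptions (the email is modelled on the lure quoted below, not captured from the campaign).

```python
import re

# Extensions that look like harmless documents; lures use them as the visible "type".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "jpg", "png", "htm", "html"}
# Extensions Windows treats as runnable when the user opens the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "cpl"}

# Magic bytes identify what the content really is, whatever the name says.
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),   # DOS stub of a Windows PE file (.exe/.dll/.scr)
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
)


def split_extensions(filename):
    """Lower-cased extension chain, e.g. 'tax_report.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_deceptive_name(filename):
    """True when the final, effective extension is executable but an earlier one suggests a document."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in DOCUMENT_EXTS for ext in exts[:-1])


def sniff_type(data):
    """Identify content by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(filename, data):
    """Return ('block', reasons) or ('allow', []) for a file name plus its first bytes."""
    exts = split_extensions(filename)
    actual = sniff_type(data)
    reasons = []
    if is_deceptive_name(filename):
        reasons.append("double extension hides an executable: ." + ".".join(exts))
    if actual == "pe-executable" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("Windows executable content behind a non-executable name")
    if "pdf" in exts and actual != "pdf":
        reasons.append("named as PDF but content is " + actual)
    return ("block" if reasons else "allow", reasons)


# Matches file-name-like tokens carrying one or more extensions.
_FILENAME_RE = re.compile(r"\b[\w\-]+(?:\.[A-Za-z0-9]{2,5})+\b")


def find_suspicious_names(text):
    """Pull file-name-like tokens out of an email body; keep those with a deceptive double extension."""
    return [m for m in _FILENAME_RE.findall(text) if is_deceptive_name(m)]


# Constructed sample inputs (modelled on the lure, not captured from the campaign).
SAMPLE_EMAIL = """Your federal Tax payment (ID: ---), recently initiated from your checking account
was rejected by The Electronic Federal Tax Payment System.
Tax Transaction Report tax_report_-----.pdf.exe (self-extracting archive, Adobe PDF)
"""
FAKE_PDF_BYTES = b"MZ\x90\x00\x03\x00\x00\x00"   # starts like a PE file, not a PDF
REAL_PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    print(find_suspicious_names(SAMPLE_EMAIL))
    print(classify_attachment("tax_report_-----.pdf.exe", FAKE_PDF_BYTES))
    print(classify_attachment("report.pdf", REAL_PDF_BYTES))
```

The name check alone is enough to quarantine this campaign’s attachment; the content check is what catches the next variant, where the attacker drops the tell-tale .exe and relies on a PDF icon or a misleading link text instead. Neither check replaces a sandbox or AV, but both are cheap to run at the gateway before a user ever sees the message.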

The attacks are working; recipients are opening the malware. How do we know?

  • The new attack is identical to the one launched two weeks ago; attackers repeat a campaign unchanged only when the “open rate” of the previous round was good.
  • Numerous recipients have complained when the emails were quarantined or placed in “junk mail” folders, believing that the emails are genuine and have been incorrectly labelled as spam.
  • A further 1,000 new domains have been created to host the malware (the previous attack used more than 2,500).

The warnings on the IRS site (and numerous existing blog posts and articles) describe fake emails purporting to come from the IRS and label them phishing attacks; such emails have been circulating for several years. The attacks of the last few weeks, however, deliver malware rather than phishing for credentials. Installed malware has a much broader threat potential than phishing aimed at a particular organisation: instead of harvesting one set of credentials for one site, it runs on the victim’s machine and can do whatever its author built it to do.

Email text:

Your federal Tax payment (ID: ---), recently initiated from your checking account
 was rejected by the The Electronic Federal Tax Payment System. 
Rejected Tax transfer
Tax Transaction ID:                 -----
Rejection Reason                     See details in the report below 
Tax Transaction Report tax_report_-----.pdf.exe (self-extracting archive, Adobe PDF) 
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785