Underreported Taxes: The British Invasion
Back on September 9th we began seeing an IRS-themed, malware-distributing email campaign that played on people’s innate fear of everything IRS. Messages with the subject line "Notice of Underreported Income" were coming in mass quantities. Most often when we see a campaign invoking the IRS, it is a phishing message that tries to trick you into giving out your personal financial information. This one was different, as it was attempting to deliver a malicious payload to the unsuspecting user. A more detailed account of this IRS malware campaign can be found here in my colleague’s September blog entry. The IRS malware campaign continued for over one month until yesterday, when it changed. Here is an example of one of the landing pages from the IRS campaign.
Yesterday, we began seeing the very same campaign shift their strategy and point their attack at our friends “across the pond”. The new variant of these messages targets Her Majesty’s loyal subjects via the HMRC. They use the exact same technique to the “T” as far as the message goes, simply replacing the IRS with the HMRC. The landing pages of course look exactly like the page would if it actually existed on the HMRC website. If you follow their instructions and click the link provided, you are prompted to run an executable file aptly named “tax-statement.exe”. This file contains [Trojan-Spy.Win32.Zbot.gen], an infection that carries a very high threat level. This infection will not only attempt to log and steal all of your personal information (logins, passwords, credit card info, mail server access codes, etc.), but it does not stop there. It also opens gateways for other malware to make its way onto your machine, most reportedly, rogue anti-virus programs (Scareware). This piece of malware has also proved very tricky to remove. Here is an example of the current message and landing page: