Jun 3, 2008 : Whaling Scam Uses Tax Alert as Bait
The scam has already fooled 600 victims, according to Internet security firm SecureWorks (secureworks.com).
The phishing emails are believed to be the work of a Chinese hacker who was behind many attacks earlier this year against C-level executives. Those earlier attacks allegedly took the form of an email warning of legal action from a federal court or the Internal Revenue Service, with a link in the body of the email to download documents.
The recent attack, on the other hand, claims to be from the US Tax Court; downloading the fake document automatically installs spyware posing as an Adobe Acrobat ActiveX control.
The installation of the spyware is aided by downloading a root certificate from a fake certificate authority using the VeriSign (verisign.com) Trust Network name, says SecureWorks, which adds that "if the certificate authority is successfully loaded onto the victim's computer, the hacker can more easily re-infect the computer because it will automatically trust the hacker's code."
The spyware, which looks for client certificates to acquire financial accounts, passwords and account information, is known and can be spotted by many antivirus engines. Installing the certificate can also prompt many warnings in the browser that request the user to authorize installation.
The email also deploys various social-engineering tactics to gain the victim's trust, such as addressing it to a specific individual and including information harvested from private databases that is not typically considered public knowledge, such as a direct telephone number and title. However, SecureWorks says that there are some red flags when it comes to spotting the phishing attacks. For instance, the emails are addressed from the "United State Tax Court," with an "s" missing at the end of State. Another sign is that the URL in the link to download the fake document reads "ustax-courts.com" instead of .gov.
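The two red flags above can be checked mechanically at a mail gateway or during triage. The following is an added example, not code from SecureWorks or the original article; the sample message, the local part of the sender address and the keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: only the misspelled display name and the
# ustax-courts.com domain come from the article; the rest is made up.
SAMPLE = '''From: "United State Tax Court" <clerk@ustax-courts.com>
To: Jane Doe <jane.doe@example.com>
Subject: Notice of Deficiency
Content-Type: text/plain

Jane Doe, Chief Financial Officer (direct line 555-0100):
Download the petition at http://ustax-courts.com/docs/petition.pdf
'''

# Assumed keyword list: phrases by which a message claims a US government sender.
GOV_CLAIM = re.compile(r"\b(tax court|internal revenue|irs|federal court)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_gov(host):
    # Match on the real suffix so "ustaxcourt.gov.example.com" does not pass.
    return (host or "").lower().rstrip(".").endswith(".gov")

def red_flags(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # Collect every text part so links in multipart mail are seen too.
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    claims_gov = bool(GOV_CLAIM.search(display + " " + msg.get("Subject", "")))
    flags = []
    if claims_gov and not is_gov(sender_host):
        flags.append("sender-not-gov:" + sender_host)
    if re.search(r"\bunited state\b", display, re.I):  # missing final "s"
        flags.append("display-name-typo")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if claims_gov and not is_gov(host):
            flags.append("link-not-gov:" + str(host))
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print(flag)
```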
Don Jackson, director of threat intelligence for SecureWorks, believes that the hackers used the .com domain to prevent any replies going back to legitimate Tax Court servers and subsequently warning them of the scam. The malware is hosted at a URL that is directed to an address on a server administered by China Network Communication Group in Beijing. The type of Chinese characters used to sign the executable code reveals the sender is likely from Taiwan or Hong Kong, and not the mainland, Jackson said.
The author of the attacks must also be knowledgeable enough about the US court system to create something that both looks and sounds like an official document, despite the apparent typos. The VeriSign iDefense Security Intelligence Services reports that approximately 6,000 of the phishing emails have been sent, leading to about 600 infections. To avoid infection, SecureWorks suggests that users update their antivirus engines, as well as use a browser with anti-phishing protection to find suspect sites. The phishing attack depends on Internet Explorer functionality, meaning that using another browser will avoid infection. If you are using an IE browser, SecureWorks says you should not allow installation of certificates from websites, even if you think the certificate authority is trustworthy.
And just to be clear, neither the IRS nor the courts send official notices via email. Hackers recently exploited last month's Chinese earthquake disaster to write and distribute Trojan-infected email, following separate phishing attacks that also exploited the disaster.
Source: TheWHIR : Web Host Industry Reviews
URL source: http://www.thewhir.com/marketwatch/060308_Whaling_Scam_Uses_Tax_Alert_as_Bait.cfm
Company: Verisign