Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


March 9th, 2012

This time, the bad guys want your tax accountant

While taxpayers are the regular target of springtime malware schemes, this year the bad guys are aiming for the accountants.

A series of imposter emails are threatening recipients with the removal of their professional accreditation if they fail to respond promptly. The tax-phish appear to be from organizations such as the American Institute of Certified Public Accountants(AICPA), Better Business Bureau(BBB), and Intuit tax services.

After clicking on the email, users are redirected through a hacked legitimate site to the final malware distribution center where their computer can download fake antivirus or another malware package selected by the bad guys.

This spam campaign started in the last week of February. A tax-themed attack is a traditional feature of March and April as Americans prepare their income tax returns.

The tax-time malware is the latest example of the BlackHole Exploits Kit at work – and shows that the bad guys’ graphic and language skills are improving.

The BlackHole Exploits Kit is a set of code available to bad guys on the black market. The Kit primarily focuses on JavaScript vulnerabilities. The Kit is used to spread malware such as Zeus botnets, rootkits, or fake antivirus packages. BlackHole has been continually improved since the first version surfaced in August 2010. Not only does BlackHole remove competing malware, it also comes with an option for the bad guys to test its efficiency against the major antivirus suppliers. That is real criminal quality assurance.

From the graphic perspective, the email is visually attractive, even including a fake sending address and is in reasonably good English. And, they even used the correct top level domains for the AICPA and BBB addresses.

The payload of this is most likely a fake antivirus. However, one of the technical attractions of BlackHole is that it is quite easy for the bad guys to change the payload and the redirector sites. So, it could really be anything.

So, watch where you click.

 

Comments are closed.