After clicking on the email, users are redirected through a hacked legitimate site to the final malware distribution center where their computer can download fake antivirus or another malware package selected by the bad guys.
This spam campaign started in the last week of February. A tax-themed attack is a traditional feature of March and April as Americans prepare their income tax returns.
The tax-time malware is the latest example of the BlackHole Exploits Kit at work – and shows that the bad guys’ graphic and language skills are improving.
From a graphic perspective, the email is visually attractive, includes a fake sending address, and is written in reasonably good English. They even used the correct top-level domains for the AICPA and BBB addresses.
The payload of this campaign is most likely a fake antivirus. However, one of the technical attractions of BlackHole is that it is quite easy for the bad guys to change the payload and the redirector sites, so it could really be anything.