Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 14 October 2009

IRS Zeus via Geocities

Posted on 13:41 by Unknown
After a couple days with no "IRS Zeus" spam, the flow of spam messages has restarted. The new spam messages are exactly like the ones we've been seeing since September 9th, with one very significant difference:


Subject: Notice of Underreported Income


Taxpayer ID: e0cdd8db-00000684284766US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: e0cdd8db-00000684284766US

Internal Revenue Service


Two changes are that my email address is no longer part of the "taxpayer id", nor is it part of the URL to which the spam directs me.

When I followed the link in the most recent spam message, I "eventually" end up on the website:

http://www.irs.gov.nerrasssb.co.uk/fraud_application/directory/statement.php?tid=target-00000169290787US

however, that URL is *NOT* what is present in the email message!

http://geocities.com/AnnabelleRichardson78/yredaxubu.htm
http://geocities.com/AshleyWyatt42/ohulociqam.htm
http://geocities.com/AustinHobbs20/nulaxubumul.htm
http://geocities.com/AveryGoodwin43/ihociqamy.htm
http://geocities.com/bcwowpuyne/yredaxubu.htm
http://geocities.com/BillSantos33/nulaxubumu.htm
http://geocities.com/BriannaHensley06/yredax.htm
http://geocities.com/DamienMorris57/apegapyzap.htm
http://geocities.com/ddfsteyxbext/alynahej.htm
http://geocities.com/DevinSnyder65/ikahejov.htm
http://geocities.com/EdwinRandall53/nulaxubumul.htm
http://geocities.com/EltonLawson02/uwalajahe.htm
http://geocities.com/foayoqetpxe/nulaxu.htm
http://geocities.com/FreddyCampbell36/ohuloc.htm
http://geocities.com/hshybmbcg/alynah.htm
http://geocities.com/KirbyRaymond27/ociqam.htm
http://geocities.com/kktpxdqnhb/ulociqamy.htm
http://geocities.com/kmbxpkrkpe/byhegap.htm
http://geocities.com/ktywgegrcudf/byhegapy.htm
http://geocities.com/LiliaMathews67/yredaxubu.htm
http://geocities.com/MarionHudson45/nulaxu.htm
http://geocities.com/MasonSalinas48/rociqamynah.htm
http://geocities.com/MiguelPatterson69/ohuloci.htm
http://geocities.com/MilesFlowers05/alynah.htm
http://geocities.com/msxpytqms/apegapyz.htm
http://geocities.com/MurrayWaters50/byhegapy.htm
http://geocities.com/nmxtumdrfrff/alynah.htm
http://geocities.com/npxqrwxww/apegapyz.htm
http://geocities.com/ocaxbasohmgo36/hiqamyna.htm
http://geocities.com/rhauwqyee/nulaxubumul.htm
http://geocities.com/RobinWhitley59/byhegapy.htm
http://geocities.com/RussChandler61/yredax.htm
http://geocities.com/sfgesqfhrtrx/yredaxubu.htm
http://geocities.com/ShirleyTrevino49/bumulociqa.htm
http://geocities.com/TanyaWeber50/nulaxubumu.htm
http://geocities.com/TiffanyKirby11/yredaxubumu.htm
http://geocities.com/TyreeOsborne93/byhegapyz.htm
http://geocities.com/ufxesabsq/apegap.htm
http://geocities.com/WadeJoyce45/mulociqam.htm
http://geocities.com/yoqrawycf/yredaxubumu.htm
http://geocities.com/zgdgesbnw/ynahejoveke.htm
http://geocities.comgeoffreyPowell47/yredaxubum.htm

Of course none of these URLs actually is the final destination.

The current malware is

File size: 89600 bytes
MD5...: d62e9d994d587e94e04ad3f75ff14f69

you can see a VirusTotal report which shows a 6 of 41 detection rate. Only six anti-virus products out of 41 currently know that this is malware.
Email ThisBlogThis!Share to XShare to Facebook
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ▼  October (16)
      • Facebook Safety & Million Member Facebook Groups
      • FACEBOOK PHISH! Users Beware!
      • Fake FDIC spam campaign spreads Zeus malware
      • FBI and SOCA make a media splash at RSA Europe
      • Phishing For Love: Banking Insiders
      • TowerNet CapitalOne: Avalanche returns after 15 mo...
      • Zipped Malware Attachments in Spam: Here comes Con...
      • Hacked Newspaper loads Google News with malware sites
      • Targeted URLs in spam . . .OWA Settings update
      • IRS Zeus via Geocities
      • A weekend of Old News
      • The FBI's Biggest Domestic Phishing Bust Ever
      • Microsoft "Your e-mail will be blocked" phish
      • A Day in the Life of Spam
      • Cyber Security Awareness Month: Day Two
      • Cyber Security Awareness Month: Day One
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile