Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

IRS, NACHA, Etc. Mal-spam

June 29, 2011 - 2 min read

ImageI posted a few of these mal-spam incidents on our Scrapbook blog ... this sort of mal-spam has been on-going, but there has been a recent uptick since early June. The NACHA, Federal Reserve, and now IRS mal-spam sites have all favored the MelbourneIT/Yahoo netblocks/domain services.

This is one of those cases of using Uncle-Sam, which relates to any US citizen, for social engineering spam recipients into falling victim to an attack.
Recently the straight up spam-to-malicious URL exe scenario changed to a more complex multi-stage, multi-pronged attack scenario: spam to URL shortener which redirects to another URL shortener and/or site containing an exploit kit (Blackhole) and drop or social network to malicious Zeus-ish malicious executable to sites like:
hxxp:// irs-report.com/TAX6538001.pdf.exe
Fortunately, the IRS and security researchers alike were all over this to have these sites removed as quickly as possible. Regardless the spam was widespread through the Cutwail/Pushdo botnet and impacted a lot of Internet users. Here are a few of the details (posted with permission from co-handler of this incident)...
Here is an example of one of the shorteners:
Here is an example of one of the second-stage shorteners:
All-in-all a handful of shortener services were abused for this campaign to the tune of thousands of shortened URLs (perhaps a different shortened URL per spam message to avoid detection from groups like SURBL). Some of the services abused include: 3cm.kz, bizz.cc, linkzip.net, omf.gd, ptiturl.com, tiny.tw, 0845.com as well as the previously mentioned shortn.me and ur.ly services.
From my example, the second-stage shortener linked to content that was pretty well obfuscated ... it "abused" JavaScript (such that my command-line interpreter, CLI, couldn't render) and it also did the standard leveraging of HTML DOM objects: specifically through, getElementsByTagName, innerHTML, as well as some creative uses of document creation with createTextNode, appendChild, and related. Because of these, it made the second-stage redirect a bit challenging to deobfuscate ... in the end, it helped to modify the script to suite what my CLI JS could understand. All of the obfuscated content was numbers within HTML div tags that was looped through with this (modified) JS:

Deobfuscating the content, returns the exploit scripts as well as redirects to the previously mentioned irs-report site.

Example drop:

MD5 : 8a5bf0dd71a1b8ea8155963b252e2105
V/T report: 13/42 now (seen <6 detects in some cases)
Remember the IRS does not contact the taxpayer through email! (reference)
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.