I posted a few of these mal-spam incidents on our Scrapbook blog ... this sort of mal-spam has been on-going, but there has been a recent uptick since early June. The NACHA, Federal Reserve, and now IRS mal-spam sites have all favored the MelbourneIT/Yahoo netblocks/domain services.
This is one of those cases of using Uncle-Sam, which relates to any US citizen, for social engineering spam recipients into falling victim to an attack.
Recently the straight up spam-to-malicious URL exe scenario changed to a more complex multi-stage, multi-pronged attack scenario: spam to URL shortener which redirects to another URL shortener and/or site containing an exploit kit (Blackhole) and drop or social network to malicious Zeus-ish malicious executable to sites like:
Fortunately, the IRS and security researchers alike were all over this to have these sites removed as quickly as possible. Regardless the spam was widespread through the Cutwail/Pushdo
botnet and impacted a lot of Internet users. Here are a few of the details (posted with permission from co-handler of this incident)...
Here is an example of one of the shorteners:
Here is an example of one of the second-stage shorteners:
All-in-all a handful of shortener services were abused for this campaign to the tune of thousands of shortened URLs (perhaps a different shortened URL per spam message to avoid detection from groups like SURBL
). Some of the services abused include: 3cm.kz, bizz.cc, linkzip.net, omf.gd, ptiturl.com, tiny.tw, 0845.com as well as the previously mentioned shortn.me and ur.ly services.
Deobfuscating the content, returns the exploit scripts as well as redirects to the previously mentioned irs-report site.
MD5 : 8a5bf0dd71a1b8ea8155963b252e2105
: 13/42 now (seen <6 detects in some cases)
Remember the IRS does not contact the taxpayer through email! (reference