In January, we examined some tax-themed phishing lures that showed attackers were filing their “returns” early, hoping to take advantage of recipients’ fear or curiosity in order to trick them into clicking on a link or malicious attachment. Interestingly, one of these even demonstrated a combination of phishing email, malicious link, and telephone-based social engineering that have been spotted in a recent, sophisticated Dyre campaign.
As the April 15 filing deadline draws near – and with the public already worried about bogus tax return filings – Proofpoint researchers have seen attackers shift their lures from IRS-themed communications to tax-filing tool lures with a fraud-prevention theme. For example, we recently detected emails claiming to be password reset reminders from popular tax-filing software, and which lead instead to the Angler exploit kit. The campaign was relatively targeted, with a volume of messages well below the hundreds of thousands we normally observe for unsolicited email campaigns.
The lures for are well-written and convincing, and designed to play on heightened concerns about bogus tax filings.
Clicking on the link redirects to an Angler exploit kit (EK) server, and the URLs observed in this campaign all showed low rates of detection, due in large measure to the fact that the link in every message led to a unique hostname. Regular rotation of URLs with domains consisting of seemingly random alphanumeric strings facilitate AV evasion, including one case where only one out 62 antivirus solutions recognized it as malicious.
If the EK is able to successfully execute an exploit, it installs the Bedep Trojan, which is known mainly to function as a downloader, data stealer and ad fraud tool.
As certain as death and taxes are cybercriminals who adapt and target email campaigns to focus on topical subjects and exploit public curiosity and fear in order to spread malware and steal funds and data. In this case, heightened awareness of one kind of fraud became a lure for another, demonstrating yet again that phishing campaigners are continually adapting to user education and automated defenses, combining proven techniques – such as highly individualized URLs – with new lures and messages that ensure there will always be some users who click.
IOCs:
Observed domains for randomized hostnames:
a1c5[.]tk
a3b8[.]tk
b2f8[.]tk
c3a1[.]tk
c3a5[.]tk
d3b6[.]tk
d8f1[.]tk
e6b2[.]tk
e8b1[.]tk
f4b7[.]tk
Subscribe to the Proofpoint Blog