Zeus Botnet Powers Tax Notice Phishing Scam

A new wave of spam impersonating a tax-payment alert has emerged, and experts trace it to the Zeus botnet.

Security experts say that at first the spam attack, which is powered by a Zeus variant, appears to be a run-of-the-mill phishing e-mail, luring users with variations on the subject line "Your Federal Tax Payment ID has been rejected."

Other variations of the message warn users that the government may monitor their e-mail and tell them they are now subject to penalties under computer fraud legislation.

However, Pete Schlampp, vice president of marketing and product management for Solera Networks, said that "behind the scenes, what's going on is more intricate and more insidious."


The message instructs the user to get details about the alleged rejection by clicking an embedded link that appears to lead to the Electronic Federal Tax Payment System (EFTPS) Web site. Before it gets there, however, the link bounces the user through several redirects across a pool of hundreds of compromised Web sites, which deliver malicious payloads sourced to the Zeus botnet.


Like many phishing schemes, the attack piggybacks on a widespread event, this time U.S. users looking to make payments ahead of the Oct. 15 tax deadline.

But what security experts say differentiates this attack is that it ultimately delivers already-infected users to the genuine EFTPS Web site. Businesses or individuals who fall for the scam then type bank account information, Social Security numbers and taxpayer IDs into the real site, where the bot's keylogger captures the keystrokes and sends them to Zeus' command-and-control servers.

Security experts say they have seen sharp spikes in registration activity around this particular Zeus attack since the end of September, with the most recent wave occurring Oct. 11. The campaign's volume has grown sharply in recent weeks; its messages currently account for about 30 percent of all spam on the Internet, experts said.

The attack gains its foothold through a critical Java vulnerability. During the redirect chain, the downloaded code checks the user's operating system environment for a vulnerable version of Java before exploiting the flaw.

Meanwhile, Oracle issued a large Critical Patch Update earlier this week that repairs 29 vulnerabilities in Java, 15 of which carry the highest severity rating of 10, indicating that the holes can be exploited remotely with malicious code.


Experts say it is imperative that users apply the Java patch, particularly fix 22, to reduce the risk of infection.

"It's very important that people grab that update. This attack will attempt to take advantage of that vulnerable Java," said Joe Levy, Solera Networks chief technology officer.
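Because the exploit branch described above fires only when a vulnerable Java version is present, the practical question for a desktop or fleet owner is whether the installed JRE is below the patched update level. The Python below is an added example for this page, not code from the article or from Solera Networks. It assumes that "fix 22" refers to Java 6 Update 22, the JRE build released with Oracle's October 2010 Critical Patch Update; the article does not say this, so the threshold is labelled as an assumption in the code and only the 1.6 family is assessed. The sample banners are constructed, not captured from real systems.

```python
import re
import subprocess

# Assumption, not stated on the page: "fix 22" is read as Java 6 Update 22, the JRE build
# released with Oracle's October 2010 Critical Patch Update. Only the 1.6 family is
# assessed; any other family returns None ("not assessed") rather than a guess.
PATCHED_UPDATE = {(1, 6): 22}

# Matches the first line of `java -version` output (written to stderr), e.g.
#   java version "1.6.0_21"      or      openjdk version "11.0.2" 2019-01-15
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_vulnerable(banner, patched=PATCHED_UPDATE):
    """True if the banner is a known family below its patched update level,
    False if it is at or above that level, None if the family or banner is not assessed."""
    v = parse_java_version(banner)
    if v is None:
        return None
    required = patched.get((v[0], v[1]))
    if required is None:
        return None
    return v[3] < required


def installed_java_banner():
    """Run the local `java -version`; returns None when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout  # the JRE writes its banner to stderr


# Constructed sample banners, not captured from real systems.
SAMPLE_BANNERS = {
    "pre-patch": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)',
    "patched":   'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)',
    "other":     'java version "1.5.0_24"',
    "garbage":   "bash: java: command not found",
}

if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java on PATH")
    else:
        verdict = {True: "VULNERABLE", False: "patched", None: "not assessed"}
        print(banner.splitlines()[0], "->", verdict[is_vulnerable(banner)])
```

One caveat a practitioner should keep in mind: `java -version` reports the JRE first on PATH, while the exploit described in the article runs through the browser plug-in, which may be a different, older installation. Checking the plug-in registered in each browser closes that gap.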

If no vulnerable Java installation is found, the attack falls back to serving a malicious PDF that exploits vulnerabilities in Adobe Acrobat.

"We can just say this is one of the most creative and widespread campaigns in recent memory," Schlampp said. "The likelihood that one of the attack vectors will be vulnerable is very, very high. We're seeing more and more compound attacks. That of course increases the chances of success."