A new Cutwail botnet spam campaign discovered Wednesday by McAfee’s MX Logic security software group is relying on the three most dreaded letters in the alphabet to prey on naïve e-mail recipients: IRS.
Wednesday morning the MX Logic threat operations center, which is constantly monitoring the Internet and corporate e-mail accounts for new malware, noticed a new spam campaign originating from the Cutwail botnet that is sending out more than 90,000 messages per hour by pretending to be an urgent missive from the IRS.
The spoof e-mail that users are receiving appears to come from an e-mail account called “[email protected],” and tries to trick people into believing that the IRS is claiming they have misreported data on their income tax returns. It further advises that responding to the e-mail will give them a chance to correct their returns.
The unsolicited e-mail provides a link that purportedly will allow them to view their most recent tax information online. The link itself doesn’t directly infect the user’s machine, but it does direct them to another Web site from which the malicious code is being delivered.
For those users who still haven’t figured out the scam, the Web site provides an application called “tax_statement.exe.” Download it, and your machine becomes infected and added to the thousands of other machines that the botnet software then uses to send out spam to other e-mail accounts.
“Our advice is, obviously, the IRS doesn’t communicate directly with taxpayers via e-mail, so just delete it,” said Sam Masiello, MX Logic’s director of threat management. “For this campaign, the spammers are trying to incite users to react quickly because of the fear of going to jail for tax fraud rather than take a minute and really think about what they’re doing.”
Masiello said McAfee, which acquired MX Logic in July for $140 million, and other vendors are hustling to update their antivirus software so users can simply run their antivirus scanners the next time they log onto the network to snuff out this latest piece of malware before it infects more PCs.
“It’s a Trojan,” he said. “It’s not going to spread through an enterprise network like the Conficker worm. It’s just an attempt to gain control of as many machines as possible to use at a later date to send out spam for things like Viagra or purported health-related products” such as penile enhancement pitches, which he says account for 70 percent to 75 percent of all spam messages.
According to a June report by McAfee’s top competitor, Symantec, botnets now account for 83.2 percent of all spam delivered to e-mail accounts.
“It’s a cat and mouse game,” Masiello said. “They’re trying to infect as many machines as fast as they can and we’re updating our AV software to keep up.”