We read about it all the time: Malware that spreads by email through malicious attachments. It was one of the first ways malicious programs spread on the internet and new malware continues to use this method to spread for one simple reason – It works.
As someone who has been around and taught others how to avoid these kinds of scams for years, I like to think I’m pretty much immune to this kind of trickery. But an email we received today made me reconsider. I fell for an IRS scam email. Well, almost.
The incident started when a member of our support team asked me for help handling a serious looking email: “Hey, I’ve got a ticket that needs your or Carl’s attention. Probably Carl’s. It’s regarding taxes, and it’s actually from IRS.GOV”
That sounds serious. I should probably see what’s going on. “Send it over to me.”
He was right, the email did claim to be from the IRS. Hmm.
Subject: Remember to Renew Your PTIN – Act Now
Subject: Your FED TAX payment ( ID : 79YIRS062755509 ) was Rejected
Gee, that looks important. An email from an irs.gov address about a tax payment being rejected. I should probably pay attention to what it says.
The body of the email gave some more important sounding information:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 79YIRS062755509), recently sent from your checking account was returned by the your financial institution. For more information, please download notification, using your security PIN 55178.
Transaction Number: 79YIRS062755509
Payment Amount: $ 5410.00
Transaction status: Rejected
ACH Trace Number: 730273539869094
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.
Uh oh. This seems serious. Looks like an automated message about a tax payment gone wrong. And the IRS doesn’t play around. Well, shoot, what do I do now?
Wait a minute. This email has an attachment too. That’s strange… Generally automated emails don’t come with ZIP files attached, especially about tax information.
OK, this is starting to make sense now. But normally these scam emails look a little less professional. This one is kind of clever. OK, shields up!
Let’s see what’s in this ZIP file. (Kids, don’t try this at home.) I opened the file up in a virtual machine with no internet access. This allows me to handle dangerous files without much risk of infecting the rest of my computer or network.
Inside the ZIP file is what appears to be a PDF file. That makes sense, I guess. You’d expect your tax information to come in a PDF file, right? Wait. That icon looks a little off. I wonder what happens if you view the Properties of this file…
It’s a trap! As I’d suspected, there is more to this file than meets the eye. It’s not really a PDF file. It’s a program disguised as a PDF file. As soon as someone tries to open this file the program infects the computer, probably with some kind of malware designed to steal bank account credentials and add any infected computers to a botnet.
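The disguise here works because Windows hides the real extension and shows whatever icon the program carries. The check I did by hand through the Properties dialog can be automated: look inside the archive, and compare what each file claims to be (its extension) with what it actually is (its first few bytes). The script below is an example I’ve added for this post, not something that came with the scam email or any product; the ZIP archive it inspects is constructed in memory, with a tiny genuine PDF and a fake one whose content starts with the "MZ" signature of a Windows executable. The file name `Tax_Notification.pdf.exe` is invented for the example.

```python
import io
import zipfile

# Constructed sample: a ZIP archive built in memory for this example.
# It holds a genuine (minimal) PDF, a fake "PDF" that is really a Windows
# executable (PE files start with the bytes "MZ"), and a harmless text file.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.pdf", b"%PDF-1.4\n%...\n%%EOF\n")
        zf.writestr("Tax_Notification.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

# Leading "magic" bytes for the file types we care about here.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip",
}

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def sniff_type(data: bytes) -> str:
    """Identify a file by its first bytes, ignoring the name entirely."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def inspect_zip(zip_bytes: bytes) -> list:
    """Return one (member_name, claimed_extension, actual_type, findings) tuple per file."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:8]
            name = info.filename
            parts = name.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            actual = sniff_type(head)
            findings = []
            if actual == "pe-executable":
                findings.append("executable content")
            # "something.pdf.exe": a document extension hidden before the real one
            if len(parts) > 2 and parts[-2] in {"pdf", "doc", "docx", "xls", "txt"}:
                findings.append("double extension")
            if ext == "pdf" and actual != "pdf":
                findings.append("extension/content mismatch")
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append("executable extension")
            results.append((name, ext, actual, findings))
    return results

def suspicious_members(zip_bytes: bytes) -> list:
    """Names of archive members that triggered at least one finding."""
    return [name for name, _, _, findings in inspect_zip(zip_bytes) if findings]

if __name__ == "__main__":
    for row in inspect_zip(build_sample_zip()):
        print(row)
```

Run against the constructed archive, only `Tax_Notification.pdf.exe` is flagged, and it is flagged three times over: executable content, a double extension, and an executable extension. The genuine PDF passes because its name and its bytes agree. The same idea is what a mail gateway does when it blocks executables regardless of how they are named; the magic-byte check is the part that survives renaming.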
There are a few things that can be learned from this situation:
1. Scammers can fake the sending address of their emails
The email I received said it was sent by someone at IRS.gov. In reality, someone just faked the identifying information on the email to make it look like it came from the IRS.
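The From line is just text the sender types in; nothing in plain email checks it. What a receiving mail server does check is the envelope sender (recorded in Return-Path) and the sending domain’s SPF and DKIM records, and it writes its verdict into an Authentication-Results header. The short script below, added here as an illustration and not part of the original email or any vendor tool, reads those headers from two constructed messages: one modelled on the scam (From claims irs.gov, envelope and checks say otherwise) and one ordinary newsletter. The domains `mail-example.invalid`, `example.org` and `mx.example.net` are placeholders I made up for the sample.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the scam described in the post: the From header
# claims irs.gov, but the envelope sender and the receiving server's checks disagree.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [192.0.2.10])
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-example.invalid; dkim=none
From: "Internal Revenue Service" <noreply@irs.gov>
To: support@example.net
Subject: Your FED TAX payment ( ID : 79YIRS062755509 ) was Rejected

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
"""

# Constructed sample of an ordinary message whose headers all agree.
SAMPLE_LEGIT = """\
Return-Path: <newsletter@example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "Example Org" <newsletter@example.org>
To: support@example.net
Subject: Monthly update

Hello.
"""

def sender_domain(addr: str) -> str:
    """Extract the lower-cased domain from a header value like '"Name" <user@host>'."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def header_findings(raw: str) -> list:
    """List the reasons a message's visible From line should not be trusted."""
    msg = message_from_string(raw)
    findings = []
    from_dom = sender_domain(msg.get("From", ""))
    rp_dom = sender_domain(msg.get("Return-Path", ""))
    # The envelope sender is what the sending server actually used; a different
    # domain in From is the classic sign of a forged sending address.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender {rp_dom}")
    # Authentication-Results is written by the receiving server (RFC 7601).
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass")
    if "dkim=pass" not in auth:
        findings.append("DKIM did not pass")
    return findings

def is_suspicious(raw: str) -> bool:
    return bool(header_findings(raw))

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, header_findings(sample))
```

One caveat: a sender can add a fake Authentication-Results header of their own, so in practice only the copy stamped by your own mail server (identified by its hostname, `mx.example.net` in the sample) counts; inbound servers are supposed to strip any that arrive from outside. Your mail client usually hides all of this, but “view original” or “show headers” exposes it, and the Return-Path mismatch alone would have given this email away.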
2. Don’t trust unexpected attachments
Unless you’re expecting an email with an attachment from someone, don’t open email attachments if you can possibly avoid it. Malware authors have gotten very good at hiding malicious code.
3. Keep your antivirus and antispyware software up to date, but don’t assume it’s invincible!
After doing a little more research, it looks like we’re not the only ones who received this email. It just started spreading today, and at the time I started writing this only 3 or 4 anti-virus programs detected this file as dangerous. I’m sure that number has grown dramatically by the time you’re reading this. But if I’d actually opened that attachment and run the program, my antivirus program wouldn’t have caught it. This malware was so new that antivirus companies hadn’t had a chance to update their programs to detect it yet! Keep yourself and your computer safe: don’t open attachments!