Connect with us

Hi, what are you looking for?



Cybercriminals Attack Users, Businesses Targeted in Another Massive ZeuS Attack

Massive Attack Targets Businesses Using EFTPS.Gov Tax Services Web Site

Massive Attack Targets Businesses Using EFTPS.Gov Tax Services Web Site

“The volume of the campaign, the scope of attack vectors, and the speed of the botnets’ backend adaptation truly make this one of the most formidable attacks that we have seen.” – Joe Levy, CTO Solera Networks

A recent and growing attack has been targeting the business world, sending warning messages to recipients and notifying them of problems with their tax payments through the government’s Web site. As we write this the attack appears to be in full swing, with data showing a massive spike in the volume of malicious emails coming from this attack being sent today.

“The attacks started trickling in on Tuesday, October 12, peaking at around 5% of global spam volumes,” said Henry Stern, Senior Security Research at Cisco. “There was a much larger attack that started on October 15 at 14:30 UTC and lasted just over an hour. This attack accounted for over 25% of all spam email during that period,” Stern added. The subject lines of the messages say things like “Last Notice: Your Federal Tax Payment Has Been Rejected” or “Your EFTPS.Gov Payment Has Been Rejected.”

While phishing attacks and scams targeting taxpayers are nothing new, this appears to have a new twist. Researchers at Solera Networks discovered that this latest attack goes beyond simply phishing for personal data via standard Web forms. The network forensics company has evidence that behind the scenes, the campaign is actually infecting machines, using a very recent (recently zero-day) exploit, to join a pre-existing ZeuS botnet.

Similar to other attacks, if a user clicks on the malicious (masked) link in the email, they can be infected with a variant of the Zeus Malware via a “drive-by download” – something that requires little or no user interaction to infect a system.  This is a clear attack targeted at businesses attempting to make online payments or utilize other functions of the legit service and is designed to capture recipients’ confidential information, including employer identification number (EIN), social security numbers, bank account and routing numbers, etc. Once infected, the system will continue to capture such data in future sessions as well.

EFTPS Malware

While Zeus itself is not new, this appears to be the first time a variant of it has specifically targeted online taxpayers using government Web sites. Zeus, also commonly known as Zbot, is the most prevalent malware platform for online fraud, and has been licensed by numerous criminal organizations. Zeus infects PCs, usually without users knowing or causing any other “noticeable” harm. The program then waits for the user to log onto a list of targeted banks and financial institutions, and then steals login credentials and other data, which are immediately sent to a remote server hosted by cybercriminals.

Advertisement. Scroll to continue reading.

“The volume of the campaign, the scope of attack vectors, and the speed of the botnets’ backend adaptation truly make this one of the most formidable attacks that we have seen,” said Solera Networks CTO Joe Levy. From the evidence and statistics so far, this botnet expansion is having success.

“This attack involved over 800 compromised web servers whose only purpose was to redirect the victim’s browser on to a web exploit toolkit. The criminals did this in an attempt to evade the URL reputation used by most anti-spam systems,” said Cisco’s Henry Stern.

It’s not by chance that this spike is occurring today – the 15th of the month – the day when many businesses must file online tax payments. In this latest attack, recipients are receiving fake messages, appearing to be from the EFTPS Service, notifying users that their tax payment has been rejected and encouraging them to click on a link to check for more information.

As of early this afternoon, security vendors and the cybercriminals behind the attack are in the midst of a firefight. As some hosts are taken down, the malware host servers appear to be moving around using a technique called “Fast Flux DNS” – a common method that botnets use to hide their phishing and malware distribution sites. With fast flux DNS, the malicious sites hide behind many different hosts serving as proxies, utilizing numerous IP addresses associated with a domain name by rapidly changing the IP addresses as a result of frequently modifying DNS records.

Cisco Security Intelligence was able to provide some very recent statistics on the volume of messages being sent as part of the attack.

Fake EFTPS Email Statistics


In other Zeus related news, Charles Schwab customers have been the target of yet another Zeus attack.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...