Massive Attack Targets Businesses Using EFTPS.Gov Tax Services Web Site
“The volume of the campaign, the scope of attack vectors, and the speed of the botnets’ backend adaptation truly make this one of the most formidable attacks that we have seen.” – Joe Levy, CTO Solera Networks
A recent and growing attack has been targeting the business world, sending warning messages to recipients and notifying them of problems with their tax payments through the government’s EFTPS.gov Web site. As we write this the attack appears to be in full swing, with data showing a massive spike in the volume of malicious emails coming from this attack being sent today.
“The attacks started trickling in on Tuesday, October 12, peaking at around 5% of global spam volumes,” said Henry Stern, Senior Security Research at Cisco. “There was a much larger attack that started on October 15 at 14:30 UTC and lasted just over an hour. This attack accounted for over 25% of all spam email during that period,” Stern added. The subject lines of the messages say things like “Last Notice: Your Federal Tax Payment Has Been Rejected” or “Your EFTPS.Gov Payment Has Been Rejected.”
While phishing attacks and scams targeting taxpayers are nothing new, this appears to have a new twist. Researchers at Solera Networks discovered that this latest attack goes beyond simply phishing for personal data via standard Web forms. The network forensics company has evidence that behind the scenes, the campaign is actually infecting machines, using a very recent (recently zero-day) exploit, to join a pre-existing ZeuS botnet.
Similar to other attacks, if a user clicks on the malicious (masked) link in the email, they can be infected with a variant of the Zeus Malware via a “drive-by download” – something that requires little or no user interaction to infect a system. This is a clear attack targeted at businesses attempting to make online payments or utilize other functions of the legit EFTPS.gov service and is designed to capture recipients’ confidential information, including employer identification number (EIN), social security numbers, bank account and routing numbers, etc. Once infected, the system will continue to capture such data in future sessions as well.
While Zeus itself is not new, this appears to be the first time a variant of it has specifically targeted online taxpayers using government Web sites. Zeus, also commonly known as Zbot, is the most prevalent malware platform for online fraud, and has been licensed by numerous criminal organizations. Zeus infects PCs, usually without users knowing or causing any other “noticeable” harm. The program then waits for the user to log onto a list of targeted banks and financial institutions, and then steals login credentials and other data, which are immediately sent to a remote server hosted by cybercriminals.
“The volume of the campaign, the scope of attack vectors, and the speed of the botnets’ backend adaptation truly make this one of the most formidable attacks that we have seen,” said Solera Networks CTO Joe Levy. From the evidence and statistics so far, this botnet expansion is having success.
“This attack involved over 800 compromised web servers whose only purpose was to redirect the victim’s browser on to a web exploit toolkit. The criminals did this in an attempt to evade the URL reputation used by most anti-spam systems,” said Cisco’s Henry Stern.
It’s not by chance that this spike is occurring today – the 15th of the month – the day when many businesses must file online tax payments. In this latest attack, recipients are receiving fake messages, appearing to be from the EFTPS Service, notifying users that their tax payment has been rejected and encouraging them to click on a link to check for more information.
As of early this afternoon, security vendors and the cybercriminals behind the attack are in the midst of a firefight. As some hosts are taken down, the malware host servers appear to be moving around using a technique called “Fast Flux DNS” – a common method that botnets use to hide their phishing and malware distribution sites. With fast flux DNS, the malicious sites hide behind many different hosts serving as proxies, utilizing numerous IP addresses associated with a domain name by rapidly changing the IP addresses as a result of frequently modifying DNS records.
Cisco Security Intelligence was able to provide some very recent statistics on the volume of messages being sent as part of the attack.
In other Zeus related news, Charles Schwab customers have been the target of yet another Zeus attack.