News

'Whaling' Scam Targets Execs Via Tax Court Ruse

A new whaling scam -- that's a phishing scam that targets big game -- using a supposed U.S. Tax Court notification as bait has reeled in about 600 victims so far, according to Internet security firm SecureWorks.

The phishing e-mails appear to come from a Chinese hacker also believed to be responsible for a number of attacks earlier this year targeting C-level executives. The previous attacks have purported to be notifications of legal action from a federal court or the Internal Revenue Service and included a link in the body of the e-mail to download documents.

The current attack supposedly is from the U.S. Tax Court, and downloading the phony document actually installs spyware masquerading as an Adobe Acrobat ActiveX control.

Installation of the spyware is facilitated by downloading a root certificate from a phony certificate authority using the VeriSign Trust Network name.

"If the certificate authority is successfully loaded onto the victim's computer, the hacker can more easily re-infect the computer because it will automatically trust the hacker's code," SecureWorks said.

The spyware, which seeks out client certificates for accessing financial accounts, passwords and account information, is known and can be identified by many anti-virus engines. Installing the phony certificate also can generate a series of warnings in the browser, requiring the user to authorize installation.

But the e-mail uses a number of social-engineering techniques to gain the victim's trust. It is addressed to a specific individual, and the message contains information apparently harvested from private databases that might not be readily available to the public, such as direct telephone number and title.

There are clues to the nature of the e-mail, however. It appears to come from the "United State Tax Court," with an "s" missing at the end of "State." The URL in the link to download the supposed document is for "ustax-courts.com" rather than .gov, which also should be a dead giveaway. Don Jackson, director of threat intelligence for SecureWorks, speculated that the .com domain was used to avoid replies going back to genuine Tax Court servers and quickly alerting them to the scam.

The URL hosting the malware resolves to an address hosted on a server administered by China Network Communication Group in Beijing. The type of Chinese characters used to sign the executable code indicates the compiler probably is from Taiwan or Hong Kong rather than the mainland, Jackson said. He said the author of the attacks apparently has enough experience with the U.S. court system to generate official-looking and -sounding documents, although there are typos.

According to the VeriSign iDefense Security Intelligence Services, about 6,000 of the phishing e-mails have gone out, resulting in about 600 infections. About 120 of those were still transmitting data to the attacker as of Monday.

Keeping anti-virus engines updated can help avoid infection, as can using a browser with anti-phishing protection to identify suspect sites. The scam relies on Internet Explorer functionality, so using another browser will prevent infection. If using the IE browser, do not allow installation of certificates from Web sites, even if the certificate authority appears to be trustworthy. And, for the record, neither the IRS nor the courts send official notices by e-mail.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.