News

'Whaling' Scam Targets Execs Via Tax Court Ruse

• By William Jackson
• June 03, 2008

The phishing e-mails appear to come from a Chinese hacker also believed to be responsible for a number of attacks earlier this year targeting C-level executives. The previous attacks have purported to be notifications of legal action from a federal court or the Internal Revenue Service and included a link in the body of the e-mail to download documents.

The current attack supposedly is from the U.S. Tax Court, and downloading the phony document actually installs spyware masquerading as an Adobe Acrobat ActiveX control.

Installation of the spyware is facilitated by downloading a root certificate from a phony certificate authority using the VeriSign Trust Network name.

"If the certificate authority is successfully loaded onto the victim's computer, the hacker can more easily re-infect the computer because it will automatically trust the hacker's code," SecureWorks said.

The spyware, which seeks out client certificates for accessing financial accounts, passwords and account information, is known and can be identified by many anti-virus engines. Installing the phony certificate also can generate a series of warnings in the browser, requiring the user to authorize installation.

But the e-mail uses a number of social-engineering techniques to gain the victim's trust. It is addressed to a specific individual, and the message contains information apparently harvested from private databases that might not be readily available to the public, such as direct telephone number and title.

There are clues to the nature of the e-mail, however. It appears to come from the "United State Tax Court," with an "s" missing at the end of "State." The URL in the link to download the supposed document is for "ustax-courts.com" rather than .gov, which also should be a dead giveaway. Don Jackson, director of threat intelligence for SecureWorks, speculated that the .com domain was used to avoid replies going back to genuine Tax Court servers and quickly alerting them to the scam.

The URL hosting the malware resolves to an address hosted on a server administered by China Network Communication Group in Beijing. The type of Chinese characters used to sign the executable code indicates the compiler probably is from Taiwan or Hong Kong rather than the mainland, Jackson said. He said the author of the attacks apparently has enough experience with the U.S. court system to generate official-looking and -sounding documents, although there are typos.

According to the VeriSign iDefense Security Intelligence Services, about 6,000 of the phishing e-mails have gone out, resulting in about 600 infections. About 120 of those were still transmitting data to the attacker as of Monday.

Keeping anti-virus engines updated can help avoid infection, as can using a browser with anti-phishing protection to identify suspect sites. The scam relies on Internet Explorer functionality, so using another browser will prevent infection. If using the IE browser, do not allow installation of certificates from Web sites, even if the certificate authority appears to be trustworthy. And, for the record, neither the IRS nor the courts send official notices by e-mail.