'Whaling' Scam Targets Execs Via Tax Court Ruse
- By William Jackson
- June 03, 2008
A new whaling scam -- that's a phishing scam that targets big game -- using
a supposed U.S. Tax Court notification as bait has reeled in about 600 victims
so far, according to Internet security firm SecureWorks.
The phishing e-mails appear to come from a Chinese hacker also believed to
be responsible for a number of attacks earlier this year targeting C-level executives.
The previous attacks have purported to be notifications
of legal action from a federal court or the Internal
Revenue Service and included a link in the body of the e-mail to download
The current attack supposedly is from the U.S. Tax Court, and downloading the
phony document actually installs spyware masquerading as an Adobe Acrobat ActiveX
Installation of the spyware is facilitated by downloading a root
certificate from a phony certificate authority using the VeriSign
Trust Network name.
"If the certificate authority is successfully loaded onto the victim's
computer, the hacker can more easily re-infect the computer because it will
automatically trust the hacker's code," SecureWorks said.
The spyware, which seeks out client certificates for accessing financial accounts,
passwords and account information, is known and can be identified by many anti-virus
engines. Installing the phony certificate also can generate a series of warnings
in the browser, requiring the user to authorize installation.
But the e-mail uses a number of social-engineering techniques to gain the victim's
trust. It is addressed to a specific individual, and the message contains information
apparently harvested from private databases that might not be readily available
to the public, such as the recipient's direct telephone number and title.
There are clues to the nature of the e-mail, however. It appears to come from
the "United State Tax Court," with an "s" missing at the
end of "State." The URL in the link to download the supposed document
is for "ustax-courts.com" rather than .gov, which also should be a
dead giveaway. Don Jackson, director of threat intelligence for SecureWorks,
speculated that the .com domain was used to avoid replies going back to genuine
Tax Court servers and quickly alerting them to the scam.
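The two clues described above, written as a mail-filter check. This is an added example, not code from the article or from SecureWorks. The agency list, the 0.85 similarity threshold, the function names and the sample message (mailbox name, recipient, subject and URL path) are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: agencies whose mail and links the recipient expects only under .gov.
OFFICIAL_NAMES = ["United States Tax Court", "Internal Revenue Service"]

# Constructed sample built from the article's clues; the mailbox name,
# recipient, subject and URL path are invented for illustration.
SAMPLE = """\
From: "United State Tax Court" <notices@ustax-courts.com>
To: jane.doe@example.com
Subject: Notice of Deficiency

Download the petition: http://ustax-courts.com/petition/view
"""

def is_gov(host):
    return host.lower().rstrip(".").endswith(".gov")

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def review_message(raw, threshold=0.85):
    """Return findings for a message whose sender claims a listed agency."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    best = max(OFFICIAL_NAMES, key=lambda name: similarity(name, display))
    if similarity(best, display) < threshold:
        return []  # sender does not claim to be one of the listed agencies
    findings = []
    if display.lower() != best.lower():
        findings.append(f"display name {display!r} is a near miss of {best!r}")
    sender_host = addr.rpartition("@")[2]
    if not is_gov(sender_host):
        findings.append(f"sender domain {sender_host} is not under .gov")
    # Collect text from every non-multipart part so HTML bodies are covered too.
    body = "\n".join(part.get_payload(decode=True).decode(errors="replace")
                     for part in msg.walk() if not part.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not is_gov(host):
            findings.append(f"link host {host} is not under .gov")
    return findings

if __name__ == "__main__":
    print("\n".join(review_message(SAMPLE)))
```

The check looks only at the From header and at link hosts. A message that passes it is not thereby shown to be genuine.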
The URL hosting the malware resolves to an address hosted on a
server administered by China Network Communication Group in
Beijing. The type of Chinese characters used to sign the executable
code indicates the compiler probably is from Taiwan or Hong Kong
rather than the mainland, Jackson said. He said the author of the
attacks apparently has enough experience with the U.S. court system
to generate official-looking and -sounding documents, although
there are typos.
According to the VeriSign iDefense Security Intelligence
Services, about 6,000 of the phishing e-mails have gone out,
resulting in about 600 infections. About 120 of those were still
transmitting data to the attacker as of Monday.
Keeping anti-virus engines updated can help avoid infection, as can using a
browser with anti-phishing protection to identify suspect sites. The scam relies
on Internet Explorer functionality, so using another browser will prevent infection.
If using the IE browser, do not allow installation of certificates from Web
sites, even if the certificate authority appears to be trustworthy. And, for
the record, neither the IRS nor the courts send official notices by e-mail.
William Jackson is the senior writer for Government Computer News (GCN.com).