News

'Whaling' Scam Targets Execs Via Tax Court Ruse

A new whaling scam -- that's a phishing scam that targets big game -- using a supposed U.S. Tax Court notification as bait has reeled in about 600 victims so far, according to Internet security firm SecureWorks.

The phishing e-mails appear to come from a Chinese hacker also believed to be responsible for a number of attacks earlier this year targeting C-level executives. The previous attacks have purported to be notifications of legal action from a federal court or the Internal Revenue Service and included a link in the body of the e-mail to download documents.

The current attack supposedly is from the U.S. Tax Court, and downloading the phony document actually installs spyware masquerading as an Adobe Acrobat ActiveX control.

Installation of the spyware is facilitated by downloading a root certificate from a phony certificate authority using the VeriSign Trust Network name.

"If the certificate authority is successfully loaded onto the victim's computer, the hacker can more easily re-infect the computer because it will automatically trust the hacker's code," SecureWorks said.

The spyware, which seeks out client certificates for accessing financial accounts, passwords and account information, is known and can be identified by many anti-virus engines. Installing the phony certificate also can generate a series of warnings in the browser, requiring the user to authorize installation.

But the e-mail uses a number of social-engineering techniques to gain the victim's trust. It is addressed to a specific individual, and the message contains information apparently harvested from private databases that might not be readily available to the public, such as direct telephone number and title.

There are clues to the nature of the e-mail, however. It appears to come from the "United State Tax Court," with an "s" missing at the end of "State." The URL in the link to download the supposed document is for "ustax-courts.com" rather than .gov, which also should be a dead giveaway. Don Jackson, director of threat intelligence for SecureWorks, speculated that the .com domain was used to avoid replies going back to genuine Tax Court servers and quickly alerting them to the scam.

The URL hosting the malware resolves to an address hosted on a server administered by China Network Communication Group in Beijing. The type of Chinese characters used to sign the executable code indicates the compiler probably is from Taiwan or Hong Kong rather than the mainland, Jackson said. He said the author of the attacks apparently has enough experience with the U.S. court system to generate official-looking and -sounding documents, although there are typos.

According to the VeriSign iDefense Security Intelligence Services, about 6,000 of the phishing e-mails have gone out, resulting in about 600 infections. About 120 of those were still transmitting data to the attacker as of Monday.

Keeping anti-virus engines updated can help avoid infection, as can using a browser with anti-phishing protection to identify suspect sites. The scam relies on Internet Explorer functionality, so using another browser will prevent infection. If using the IE browser, do not allow installation of certificates from Web sites, even if the certificate authority appears to be trustworthy. And, for the record, neither the IRS nor the courts send official notices by e-mail.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.