In the last few hours, ZeuS has launched a new campaign that uses a scam impersonating the IRS (Internal Revenue Service) as a pretext to propagate its trojan.
The ZeuS variant in this case has the MD5 14FBCE4A3F67E46B18308AC6824B2A00 and is distributed under the name tax-statement.exe; its detection rate is high.
In addition, anyone who visits the page is transparently redirected, through an iframe tag injected into the HTML source code, to a Drive-by-Infection attack served from hxxp://109.95.114.251/usa50/in.php.
The domains involved in this new campaign are:
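The campaign's hostnames place `www.irs.gov` as the leading labels of an unrelated `.kr` domain. As an added example (not part of the original post), this Python check flags that pattern in URLs taken from proxy or mail-gateway logs; the function names and the `example.kr` sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Brand domains to protect; irs.gov is the one this campaign imitates.
PROTECTED = ("irs.gov",)

def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, accepting defanged dots."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url  # bare host or host/path, as seen in some logs
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def embedded_brand(url: str, protected=PROTECTED):
    """Return the protected domain a URL imitates, or None.

    A host is genuine when it equals the protected domain or is one of its
    subdomains. It is flagged when the protected domain's labels appear as
    a run that is followed by further labels (a different real domain).
    """
    labels = hostname_of(url).split(".")
    for brand in protected:
        b = brand.split(".")
        if labels[-len(b):] == b:
            continue  # irs.gov itself or *.irs.gov
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return brand
    return None

def flag_urls(urls, protected=PROTECTED):
    """Return only the URLs whose hostname embeds a protected domain."""
    return [u for u in urls if embedded_brand(u, protected)]

# Constructed sample input (not taken from the campaign list).
SAMPLE = [
    "hxxp://www.irs.gov.example.kr/fraud.applications/application/statement.php",
    "https://www.irs.gov/forms",
    "http://IRS.GOV.example[.]co[.]kr./x",
    "http://myirs.gov.example.kr/",  # label is "myirs", not "irs": no match
]

if __name__ == "__main__":
    for hit in flag_urls(SAMPLE):
        print("suspicious:", hit)
```

Matching is done on whole DNS labels, so a host such as `myirs.gov.example.kr` is not flagged; add a separate substring rule if that class of lookalike matters in your environment.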
Jorge Mieres
Source: Malware Intelligence