Soon to come: IRS Spam
Our friends at iDefense/Verisign shared a template with us for a new IRS phishing e-mail, which they expect to be mailed out soon (today). The template looks like it will be sent as a multipart MIME-encoded e-mail with a plain-text part and an HTML part.
The '%' keywords in the template will be replaced with customized content. Expect URLs like this one to be used:
http://ads.tvfly.com/banner/.error_log/b.php
Note that the directory name starts with a '.' in order to hide it on compromised Unix systems. Another common directory name is '.bbb'. File names to expect are b.php, kit.zip and update.exe.
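One way to hunt for the URL pattern described above in web proxy or mail gateway logs, as an added example that is not part of the original diary or of the iDefense/Verisign material. The function names, the `.well-known` exclusion and every sample URL other than the one quoted above are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

SUSPECT_FILES = {"b.php", "kit.zip", "update.exe"}  # file names listed in the diary
KNOWN_DIRS = {".error_log", ".bbb"}                 # hidden directories listed in the diary
# Assumption: dot-names to ignore. ".well-known" is a legitimate path (RFC 8615).
IGNORED = {".", "..", ".well-known"}

def match_reasons(url):
    """Return the reasons a URL fits the diary's pattern (empty list if none)."""
    # Decode %2E and fold case so trivially obfuscated paths still match.
    segments = [unquote(s).lower() for s in urlsplit(url).path.split("/") if s]
    reasons = []
    for seg in segments:
        if seg in KNOWN_DIRS:
            reasons.append("known-dir:" + seg)
        elif seg.startswith(".") and seg not in IGNORED:
            reasons.append("hidden:" + seg)
    if segments and segments[-1] in SUSPECT_FILES:
        reasons.append("file:" + segments[-1])
    return reasons

def triage(url):
    """'high' = hidden directory plus listed file name, 'low' = one of the two, None = no match."""
    reasons = match_reasons(url)
    has_dir = any(r.startswith(("known-dir:", "hidden:")) for r in reasons)
    has_file = any(r.startswith("file:") for r in reasons)
    if has_dir and has_file:
        return "high"
    return "low" if reasons else None

# Constructed sample input, except the first URL, which is the one quoted in the diary.
SAMPLE_URLS = [
    "http://ads.tvfly.com/banner/.error_log/b.php",
    "http://www.example.com/images/.bbb/kit.zip",
    "http://www.example.com/img/%2Ecache/UPDATE.EXE",
    "https://www.example.com/.well-known/security.txt",
    "http://downloads.example.com/tools/update.exe",
    "http://www.example.com/a/../index.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u), match_reasons(u), u)
```

A file name such as update.exe is common on its own, so only the combination with a dot-directory is rated "high".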
Here is the top part of the template:
From=IRS e-file <efilesubmission@irsefile.gov>
Reply-To=IRS e-file <efilesubmission@irsefile.gov>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!
%TEXT_TEMPLATE_DELIMITER%
Binary Attachments
___________________
It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:%link%