Here Come the Tax Spammers!

It’s that time of year again: time to fill out your taxes and pay your part. We’ve seen more than a few examples of tax- and IRS-related spam.
Yesterday I received a mail with an interesting approach:

Well, I thought, that’s strange, because I don’t own a business and I haven’t filed my taxes yet. It is somewhat notable how well the email is written. Proper grammar and spelling are attempted, but to a native English speaker it’s not quite right.
When checking out the link, I was first brought to an intermediate page:

After that, nothing happened. The reason nothing happened is that the JavaScript running in the background tries to load a web page known for hosting the BlackHole exploit kit. However, that page is now down, so the exploit didn’t work. Even if it had successfully reached the page, Kaspersky detected this URL and blocked access:
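The two checks a mail gateway or analyst would want for the chain described above are (1) does the link text in the email claim one site while the href points at another, and (2) does the intermediate page pull scripts or hidden iframes from a third-party host, and is that host on a blocklist. The following is an added example, not code from the original post or from Kaspersky; the email body, landing page, host names (all under the reserved `.example` TLD) and the blocklist are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the visible link text names one site,
# the actual href goes somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Your business tax return was rejected. Review it at
<a href="http://tax-refund-review.example/step1">https://www.irs.gov/refunds</a></p>
"""

# Constructed sample of an intermediate landing page that shows a "please wait"
# message while loading a script and a 1x1 hidden iframe from other hosts.
SAMPLE_LANDING_HTML = """
<html><body>
<p>Please wait...</p>
<script src="http://cdn-stats.example/loader.js"></script>
<iframe src="http://kit-host.example/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

# Constructed blocklist of hosts (placeholder values, not real indicators).
BLOCKED_HOSTS = {"kit-host.example"}


class _Collector(HTMLParser):
    """Collect <a href> links with their visible text, and src= resource loads."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # list of (href, visible text)
        self.loads = []     # list of (tag, src)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag in ("script", "iframe", "img", "object", "embed") and a.get("src"):
            self.loads.append((tag, a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(email_html):
    """Return (href, claimed_host) for links whose text shows a URL on a different host."""
    p = _Collector()
    p.feed(email_html)
    out = []
    for href, text in p.anchors:
        m = re.search(r"https?://[^\s<]+", text)
        if m and _host(m.group(0)) != _host(href):
            out.append((href, _host(m.group(0))))
    return out


def find_suspicious_loads(page_html, page_host, blocked=BLOCKED_HOSTS):
    """Return (tag, host, is_blocklisted) for every resource loaded from a host
    other than the page's own; the flag marks hosts on the blocklist."""
    p = _Collector()
    p.feed(page_html)
    out = []
    for tag, src in p.loads:
        h = _host(src)
        if h and h != page_host:
            out.append((tag, h, h in blocked))
    return out


if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE_EMAIL_HTML))
    print(find_suspicious_loads(SAMPLE_LANDING_HTML, "landing.example"))
```

The first check is cheap and catches the most common lure pattern; the second mirrors what the security suite did in the post, refusing the external load when the host is known bad, while still surfacing every off-host load so an unknown host can be reviewed.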

Please be extra cautious of clicking any links in your email this tax season. If you’re not sure whether an email is legitimate, go directly to the IRS website and start there. Make sure you’re using a quality internet security suite, and make sure to keep it updated. And pay your taxes!
