IRS Tax “Warning” Fraud Crosses the Pond, Targets the UK

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20091013_hmrc_phish_page_cropFor several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue.

In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).

The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.

Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.

The page where victims are sent, and where they download the Trojan “tax statement” installers, were well crafted duplicates that, to the untrained eye, look indistinguishable from the HMRC’s real Web site. For comparison, we’ve taken a screenshot of both sites, below. The crooks were clever enough to make sure that “” — the real domain used by HMRC — is included in the address they used.


As we’ve said before, not only is Progdav (Zbot) one of the most prolific Trojan backdoors in use today, but it’s also somewhat generic. That was in evidence when we looked at some of the strings in this particular Trojan sample, and found references to the Trojan’s ability to steal login secrets for Bank of America — a bank that doesn’t have a particularly large following (or customer base) in the UK.


Victims who fall for this trick should run a full scan of their hard drive, and change the passwords of any email service or Web site they’ve logged into since downloading and running the tax-statement.exe file.
wordpress blog stats

16 thoughts on “IRS Tax “Warning” Fraud Crosses the Pond, Targets the UK

  1. Pingback: Outlook “Patch” Spam Leads to Keyloggers « Webroot Threat Blog

  2. Pingback: Lazy Phishers Just Email the Phishing Web Page to You, Now « Webroot Threat Blog

  3. Pingback: Facebook Phishing Campaign Wants Your Passwords « Webroot Threat Blog

  4. Pingback: Latest online scam hits taxpayers « Start Up Donut blog

  5. Pingback: Fake Zbot Site Poses as H1N1 Flu Vaccine Info « Webroot Threat Blog

  6. Pingback: Fake Zbot Site Poses As CDC H1N1 Flu Vaccine Info | Business Computing World

  7. Pingback: Visa Targeted (Again) by Zbot Phishers « Webroot Threat Blog

  8. Pingback: Visa Targeted (Again) By Zbot Phishers | Business Computing World

  9. Pingback: A Look Back at the Worst Infections of 2009 « Webroot Threat Blog

  10. Pingback: A Look Back At The Worst Infections Of 2009 | Business Computing World

  11. Pingback: Zbot Desperately Seeking AIM Users « Webroot Threat Blog

  12. Pingback: Zbot Desperately Seeking AIM Users | Business Computing World

  13. Pingback: Zbot Fakes ABA Banking Site, Seeks a Stimulus Package « Webroot Threat Blog

  14. Pingback: Cover Your Assets on Data Privacy Day « Webroot Threat Blog

  15. Pingback: Keylogger Poses as Document from Spain’s Central Bank « Webroot Threat Blog

  16. Pingback: Tips to Avoid Tax Season Scams « Webroot Threat Blog

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s