Web Attack Ahead of Tax Season

At 3 AM, on February 6, 2012, Symantec Security Response observed spam carrying malicious links which target the upcoming tax season. The spam volume spiked between 6 AM and 1 PM, identifying over 200 unique URLs which lead to a Blackhole toolkit.

A Blackhole toolkit compromises the machine by targeting various vulnerabilities on the victim's machine. Symantec protects our customers with multiple-layer protection of antispam, antivirus, and IPS signatures. The payload downloaded from the malicious website is detected as Trojan.Zbot, for instance, and IPS detects this web attack as “Web Attack: Blackhole Toolkit Website 14” and “Web Attack: Blackhole Exploit Kit Website 11”.

The spam asks the user to click on a link to verify their account information. Below is an example of one such spam:

Examples of links found in messages:

These links point to a page containing more links to certain javascript files (as shown below). All of these links point to a singular “js.js” file.

The domains used in the spam email include recently registered domains and hijacked domains which employed weak security. Symantec advises our readers to be cautious ahead of tax season and follow general security guidelines to protect against malicious attacks.

Security tips:

  • Avoid clicking on suspicious links in email by manually typing Web addresses directly into your browser.
  • Do not open email attachments from unknown sources.
  • Protect your computer with a comprehensive security suite. For details on Symantec’s offerings, visit http://www.symantec.com.