Warning from IRS

We’re going to file the following example under “even spammers make mistakes”.

The above spam message spoofing communications from the IRS was received yesterday on 2012-02-23. It was sent from a bot with the IP 62.129.255.5.

The otherwise well-crafted spam had one crucial mistake. It contained a link to hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Unfortunately for the bad guys, this page returned a ‘404 Page Not Found’ error instead of the expected malicious JavaScript.

While it’s unclear why this page did not contain any malicious code, we can safely assume that it was supposed to contain JavaScript redirectors that would have pointed victims to a Blackhole Exploit kit. That exploit kit would have almost certainly dropped a Pony downloader on its victims.

How can we make this assumption? Well, it’s simple. Note the structure of the above malicious link – hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Notice the random 8-character folder name in the URL path? We’ve seen that pattern before. A quick review of the previous posts “Better Business Bureau complaint” and “Notification of securities investigation against your company” reveals that this random 8-character pattern was used in previous spam campaigns that also dropped a Pony downloader variant. So, this random folder name pattern appears to be an indicator of malicious behavior.

As you’re trawling through your inbox and you see suspicious-looking emails with text goading you to click on a link, hover your mouse over the link and study the destination URL without clicking on it. If you see this random 8-character pattern, it’s a good idea to delete the email and carry on with your day.
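As an added example (not code from the original post), here is a small Python triage helper that applies the post’s 8-character folder heuristic to a list of links collected from an inbox. The requirement that the folder token mix digits with upper- and lower-case letters is my own assumption, added so that ordinary eight-letter directory names are not flagged.

```python
import re
from urllib.parse import urlparse

# Indicator described in the post: the first path component is an
# 8-character alphanumeric token, followed directly by index.html.
RANDOM_DIR_INDEX = re.compile(r"^/(?P<token>[A-Za-z0-9]{8})/index\.html$")


def refang(url: str) -> str:
    """Undo the defanging used in the post (hxxp, [.]) so the URL parses."""
    return url.strip().replace("hxxp", "http").replace("[.]", ".")


def looks_random(token: str) -> bool:
    """Assumption beyond the post: a random token mixes digits and both letter cases.
    This keeps eight-letter words such as 'newsroom' from being flagged."""
    return (any(c.isdigit() for c in token)
            and any(c.islower() for c in token)
            and any(c.isupper() for c in token))


def has_random_dir_pattern(url: str) -> bool:
    """True if the URL path is /<random 8 chars>/index.html (query string ignored)."""
    path = urlparse(refang(url)).path
    match = RANDOM_DIR_INDEX.match(path)
    return bool(match) and looks_random(match.group("token"))


def flag_suspicious_links(links):
    """Return the subset of links that match the indicator, for manual triage."""
    return [link for link in links if has_random_dir_pattern(link)]


# Constructed sample set: the link from the post plus made-up links for contrast.
SAMPLE_LINKS = [
    "hxxp://dll-aghazeh[.]com/YzrYt31J/index.html",      # from the post: flagged
    "https://www.irs.gov/newsroom/index.html",            # 8 letters, but a word: not flagged
    "http://example.com/reports/index.html",              # 7 characters: not flagged
    "https://example.org/Ab12Cd34/index.html?ref=mail",   # random token with query: flagged
]

if __name__ == "__main__":
    for link in flag_suspicious_links(SAMPLE_LINKS):
        print("suspicious:", link)
```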


One Comment

  1. DayStar
    Posted April 1, 2012 at 9:19 pm

    Also, in the top left there is a grammar problem. (conta ct IRS).

    Wow, what an OCD kid I am.

    (Keep up the good work :D)
