IRS Phishing Emails Link to Malicious Websites, Spread Cridex Worm

IRS logoAny type of correspondence from the IRS tends to grab our attention. You know it, I know it, and judging by spam recently intercepted by researchers, cybercriminals know it too.

In their latest attempt to spread malware, spammers have started firing out bogus IRS notification emails stating that a recent tax payment was rejected, but the reason why won’t be revealed unless you click the link to view a Microsoft Word Document.

Here’s the email:

From: Internal Revenue Service (alerts[at]
Subject: Rejected Federal Tax transfer

Internal Revenue Service
United States Department of the Treasury

Your Tax payment (ID: [RANDOM NUMBER]), recently from your bank account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transaction

Tax Transaction ID: [RANDOM NUMBER]
Reason of rejection: See details in the report below
Federal Tax Transaction Report tax_report_[RANDOM NUMBER].doc (Microsoft Word Document)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

Spoiler: there’s no Word document.

In fact, when you click the link, you will be taken to a malicious site housing the Black Hole exploit kit, which will attempt to exploit vulnerabilities in Adobe Reader/Acrobat and Microsoft Windows Help and Support Center to drop malware identified by Microsoft as Worm:Win32/Cridex.E on the victim’s machine.

The attack is carried out silently in the background as the user is presented with a plain looking ‘Page Loading…’ page. Here’s to hoping that users who click the link have antivirus capable of detecting the threat installed on their PC.

What to Do with IRS Spam

If you happen to receive the email above or another IRS phishing email:

  • Do NOT click on any embedded links or download any files attached to the email.
  • Do NOT respond to the email or provide any confidential information.
  • Report the email to the IRS by forwarding it to
  • Delete the email immediately.

[via Webroot][via Dynamoo]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

This entry was posted in Computer Security, internet scam, malware, phishing, social engineering, spam and tagged , , , , , , .
Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5