Zbot using IRS scam

Yesterday, there was significant media interest in the sharp growth (55%) in online banking fraud that had been reported in a press release published by Financial Fraud Action UK.

One of the contributing factors to this growth has been the rise in phishing attacks that masquerade as messages from HM Revenue and Customs (HMRC). SophosLabs have blogged about such attacks, and you can listen to a recent BBC radio report here.

Of course, it is not just HMRC. The Internal Revenue Service (IRS) within the United States Department of the Treasury is an equally attractive ‘lure’ to trick new victims. For example, just recently SophosLabs have been seeing an email scam trying to trick users into infecting themselves with banking malware. Emails purporting to be from the IRS are being sent to users.

Users who fall for the scam and click on the link are taken to a rogue web site masquerading as the IRS site.

This is not a classic phish – the user is not prompted for any credentials. Instead, the page instructs them to click on a link and download and run their tax statement. In actual fact, the link is to malware, detected by Sophos as W32/Zbot-IP. When run, it installs itself on the victim’s machine such that it can monitor future browsing sessions in order to target online banking transactions. Zbot (also known as Zeus) is a large and somewhat infamous family of banking malware, which has attracted much discussion recently.

The above is a simple example of an email-driven scam, but it demonstrates an interesting blend of phishing and malware used to hit victims. The blurring of boundaries between malware and phishing was always inevitable, and we see it in many of the attacks we encounter each day.

User education remains an important part of how we protect ourselves against attacks. Reports of a 55% increase in online banking fraud are clearly going to raise concern amongst the public. Perhaps it is indicative of a lack of sufficient education?

We can hope that the publicity around yesterday’s press release will generate discussion and appropriate training within organizations and schools. (For those interested, a good starting point for advice can be found on the BankSafeOnline site.) One thing is for sure – the problem is not going away anytime soon, and the fraudsters will continue to adapt, modify and blend their techniques in order to trick users, even those who consider themselves security-savvy.