Zero-day Java flaw exploited in targeted tax email malware attack

Zero day Java flaw exploited in targeted tax email malware attack

VAT at 20%. Image from ShutterstockExperts at SophosLabs have discovered that cybercriminals have taken advantage of the critical zero-day flaw vulnerability in Java, sending out malicious emails which pretend to come from an accountancy firm announcing a rise in the tax rate.

Unsuspecting internet users who click on links contained inside the email – perhaps concerned that there has been a rise in the VAT rate – risk instantly infecting their computers.

SophosLabs discovered the email in one of its global network of spamtraps. The email purported to be from the Dutch branch of the accountancy firm BDO Stoy Hayward:

Malicious email. Click for fuller version

From: BDO Accountants & Adviseurs <>

Of course, the email doesn’t really come from the accountancy firm. A closer look discovers that it has been sent from a hosting provider in the Netherlands:

Received: from tandarts by with local (Exim 4.77)
(envelope-from <>)

The subject line (which is in Dutch) reads as follows:

Subject: Let op! BTW tariefverhoging per 1 oktober 2012

Google translates the subject as:

Attention! VAT rate increase per 1 October 2012

The email’s message body can be translated as follows:

Dear Sir or Madam,

As you may have already understood, the high rate of turnover tax by October 1, 2012 increased from 19% to 21%.

The moment of conduct performance (either date of sale / supply of goods or services) determines the amount of the VAT rate.
The invoice date on the sales receipt is not (!) Important for the handle VAT rate (or for the period of turnover tax).

Look what the VAT increase for you can mean. You will also find useful tips to correct the increased VAT to implement in your organization.

For entrepreneurs, the VAT increase sales or no additional cost. For individuals, prices will rise.
Keep an eye on the changes, an error using the correct VAT rate may result in additional tax.

For further details and answers to other questions, please visit the dedicated webpage, prepared by the Ministry of Finance.

Normally, we would expect the link to go straight to a phishing site but here under the folder ‘tariff’ (in Dutch it’s ‘tarieven’) is an obfuscated script that attempts to load an applet detected by Sophos products as Exp/20124681-A – malicious code which exploits the current Java zero-day vulnerability.

Although this particular attack uses Dutch language to try to trick users into following the link there is, of course, no reason why cybercriminals wouldn’t also try similar tactics in other more commonly-used languages too. So, no-one should be complacent about the threat posed by this Java vulnerability.

We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications.

Chet Wisniewski’s recent article about the Java zero day vulnerability gives details about how to disable Java:

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Exp/20124681-A: the malicious Java code exploiting CVE 2012-4681.

Rise in VAT roadsign image from Shutterstock.