Network News

X My Profile
View More Activity

New IRS Scam E-mail Could Be Costly

The Department of Homeland Security's Computer Emergency Readiness Team is warning Internet users to be on guard against a convincing e-mail virus scam disguised as a message from auditors at the Internal Revenue Service. According to one victim interviewed by Security Fix, falling for the ruse could cost you or your employer tens of thousand of dollars.


An alert issued Monday by the U.S.-CERT states: "The attacks arrive via an unsolicited email message and may contain a subject line of 'Notice of Underreported Income.' These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan."

The Zeus Trojan is exceptionally good at stealing sensitive data, and it is especially interested in online banking credentials. This fake IRS/Zeus campaign has been ongoing for several weeks now, according to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham. Still, it's nice to see a high-profile government agency issuing an alert about this threat, as it appears to be hitting quite a large number of businesses (the virus portion of my Postini inbox has been filled with little else these past few days -- click the screen shot below to see what I mean).


A recent victim of the scam is Landfill Service Corp., a solid waste company based in Apalachin, NY. Last week, the firm discovered that thieves had used Zeus to steal the company's Internet banking credentials, after the attackers transferred $150,000 from its online bank account in a series of sub-$10,000 payments to 20 so-called money mules, co-conspirators around the country hired in job scams.

Landfill's President, Joel Lanz, said the company has recovered some of the funds, though he said it appears the firm may end up losing at least $92,000 from the incident.

Later, Lanz said, the firm's technology manager found the culprit: a file called "sdra64.exe," -- the engine behind the Zeus keystroke logging Trojan - on the PC of an employee with access to Landfill's online bank accounts.

Lanz said he recalls receiving the bogus IRS e-mail last week, and then forwarding it on to another employee, who evidently opened the attached file. Still, Landfill may have gotten off easy: Attackers using a custom form of Zeus known as JabberZeus used it to steal the online banking credentials -- and some $415,000 -- from Bullitt County, Ky. earlier this summer.

A word to the wise: Do not click on attachments included in unsolicited e-mails, especially those that encourage you to act quickly or else suffer some scary fate: These are almost universally scams or attempts to plant malicious software on your computer. Also, note that the IRS has stated emphatically that it does not communicate with citizens via e-mail.

By Brian Krebs  |  September 28, 2009; 5:10 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Small Business Victims , U.S. Government  | Tags: dhs, irs, money mules, zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Cyber Gangs Hit Healthcare Providers
Next: Microsoft's Free Anti-virus Tool Now Available


The word I'm getting from my peers is that this scam could be related to terrorism. We might be unwittingly financing various anti american groups. I would not be surprised.

Posted by: jdalexander | September 28, 2009 6:29 PM | Report abuse

Thanks for naming the .EXE file. I've removed sdra64.exe dozens of times for my PC repair clients, but I never knew what it did.

Posted by: williehorton | September 28, 2009 8:55 PM | Report abuse

Thanks for keeping us in the loop, Brian. Really, it seems like the past 2-3 months have been full of these types of scams: stealing online banking credentials and using money mules to wire the money out of the country. When will the tipping point be reached? When will the banks adjust their systems to be able to monitor/stop this crime?

Posted by: wilson7 | September 29, 2009 10:18 AM | Report abuse


Thanks for keeping this top of mind in our public awareness. These are real life examples of just one of the three types of cyber criminals – 1.) hackers -– in it for the thrill or wanting to cause disruption for a personal agenda; 2.) organized crime -- in it for financial gain; and 3.) foreign adversaries -- in it for military purposes or to steal strategically valuable intellectual property.

There is no simple solution to this problem. I believe the first step, however, must be recognition of the scale and scope of the problem, and you are helping with this effort. There also needs to be consequences for nations that conduct these activities, or who fail to pursue and prosecute criminals operating within their borders. I also advocate a public-private industry collaboration as making the most sense. We need to develop a collective consciousness for coping with the growing menace of cyber attacks, particularly given the economic and safety issues triggered when valuable intellectual property is the target.

Thanks for your contributions to this resolve.

Dr. Stan Sloane
President and CEO
SRA International

Posted by: StantonSloane | September 29, 2009 12:31 PM | Report abuse

Is it just me, or does "Landfill Service Corp., a solid waste company based in Apalachin, NY. " sound like Tony Soprano's outfit?

I wonder if any of these scammers have accidentally hit a mob guy and, if so, what happened?

Posted by: wiredog | September 29, 2009 3:00 PM | Report abuse

Interestingly, we wouldn't even have noticed the latest IRS scam without the media coverage. Our antispam heuristics identified the messages as frauds and so it was all dealt with in the background without analysts' intervention.

That said, with the current economy, it is not surprising to see more tax-related phishes. Last month we saw some targeting UK residents:

A bit of common sense would go a long way avoiding these frauds/malware. The IRS certainly would have difficulty sending an email to an unreported address especially when many email addresses names has no relation to the owner (something like comes to mind.)

In all though, I think the general public have to realize (and be reminded) that the IRS does not send them unsolicited emails to individuals as highlighted in their press release previously (,,id=178061,00.html ):
"The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers." Once they do, they'll just ignore these emails instead of replying or clicking on the links.

Savio Lau, SophosLabs

Posted by: saviolau | September 29, 2009 8:25 PM | Report abuse

Wiredog, my thoughts also!

In spite of all the warnings and advice, care taken and protection used, all it takes is some hapless soul clicking where they shouldn't. Like Barnum said, there's one born every minute.

Posted by: jimbo1949 | September 29, 2009 11:38 PM | Report abuse

A person has to have a serious methane bubble in his/her cranium to provide personal information requested by an unsolicited email from ANYone. I have a couple of less-computer saavy friends who bite at ANYTHING (one saying, well, no, I don't have an account at B of A, but I thought maybe someone had stolen my identity so I responded.) Huh? Your identity was just fine until you provided the bogus site with your personal data. The Rule of thumb is NEVER EVER provide any information to anyone unless you have accessed the company yourself by typing the website into the browser. Delete or report as spam any email you receive that requests any personal data.

Posted by: canyon2912 | October 1, 2009 1:43 PM | Report abuse

Has anyone gone after the squatters to yet?

Posted by: croton | October 3, 2009 7:27 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company