[unisog] very specific IT-department phish
Michael Holstein
michael.holstein at csuohio.edu
Wed Jun 11 16:02:50 GMT 2008
FYI:
Overnight we got a very specific phishing attempt directed at IT staff
(mostly the higher-level tech folks) .. it was properly worded English
(unlike the usual 'send this file to have your advice..') and addressed
each party by first and last name.
It refers the user to a URL whereby an ActiveX control (which appears to
be signed) asks to be installed. The links are unique to each email, and
bring up a copy of the purported "IRS letter", again referencing the
individual by name. Since you get the ActiveX regardless of what you put
as the arguments to the php script, I didn't include that part.
This link (broken on purpose):
hxxp://www.revenue-system.com/ViewCase.php .. has a javascript function
to determine browser, and if IE will provide the ActiveX control. You
might want to check your logs for that URL (which, at the moment, has a
SOA pointing at ns5.idc2.net.cn with a fairly short TTL).
Messages came from here (last hop before us):
206.46.173.1
206.46.173.5
206.46.252.42
206.46.252.44
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University
--snip--
<redacted headers .. first header is entry point>
Received: from localhost.localdomain ([66.84.15.19
<http://66.84.15.19>]) by vms173005.mailsrvcs.net
<http://vms173005.mailsrvcs.net>
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTPA id <0K2A00AR6QRW60B3 at vms173005.mailsrvcs.net
<mailto:0K2A00AR6QRW60B3 at vms173005.mailsrvcs.net>> for
<redacted>@csuohio.edu <mailto:j.walsh at csuohio.edu>; Wed, 11 Jun 2008
06:33:33 -0500 (CDT)
Date: Wed, 11 Jun 2008 06:33:33 -0500 (CDT)
Date-warning: Date header was inserted by vms173005.mailsrvcs.net
<http://vms173005.mailsrvcs.net>
From: Internal Revenue Service<notice at irs.org <mailto:notice at irs.org>>
Subject: Notice of Deficiency #<redacted>
To: <<redacted>@csuohio.edu <mailto:j.walsh at csuohio.edu>>
Message-id: <0K2A00AR7QRW60B3 at vms173005.mailsrvcs.net
<mailto:0K2A00AR7QRW60B3 at vms173005.mailsrvcs.net>>
<html>
<head><title>NOTICE OF DEFICIENCY</title></head>
<body bgcolor=3D"#EEEEEE">
<pre>
Department of the Treasury Date of this Notice: May 23
2008
Internal Revenue Service Letter Number 531(DO)
District Director Form: 1040
-NOTICE OF DEFICIENCY-
Dear <redacted>,
We have determined that you owe additional tax and other amounts,
or both,
for the tax year(s) identified above. This letter is your NOTICE OF
DEFICIENCY,
as required by law. The enclosed statement shows how we figured the
deficiency.
If you want to contest this determination in court before making
any payment,
you have 90 days from the date of this letter (150 days if addressed
outside the
United States) to file a petition with the United States Tax Court for a
redetermination of the deficiency.
<a href=3D"hxxp://www.revenue-system.com/ViewCase.php?nr=<redacted>
Please click here to download a Copy of the Order, Letter, Notice and =
Other Document Being Appealed</a></span></i></b></p>
If you decide not to sign and return the waiver, and you do not
file a petition
with the Tax Court within the time limit, the law requires us to assess
and bill you
for the deficiency after 90 days from the date of this letter (150 days
if this letter
is addressed to you outside the United States).
Thank you for your cooperation.
Sincerely yours,
Charles O. Rossotti
Commissioner by
Roger K. Burgess CR
District Director
Letter
531(DO)(Rev.9-96)
</pre>
</body>
</html>
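The post asks readers to check their logs for the lure URL and lists the last-hop sender addresses. The script below is an added example of that check, not code from the original post or from the poster: it takes the indicators quoted above (the ViewCase.php URL and the four 206.46.x.x addresses) and runs them over constructed, Squid-style proxy lines and Postfix-style SMTP "connect from" lines. The log formats, the field positions and the sample lines are assumptions for illustration; adjust the field indexes for your own proxy and MTA formats.

```python
"""Hunt for the IRS-phish indicators from the post in proxy and mail logs.

Added example, not part of the original unisog message. The indicator values
are the ones quoted in the post; the log lines below are constructed samples,
not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the post (kept literal here only for matching).
LURE_HOST = "www.revenue-system.com"
LURE_PATH = "/ViewCase.php"
SENDER_IPS = {"206.46.173.1", "206.46.173.5", "206.46.252.42", "206.46.252.44"}

# Constructed Squid-style access.log lines (assumed field order:
# ts elapsed client code/status bytes method url ident peer type).
SAMPLE_PROXY_LOG = """\
1213183200.123 245 10.1.2.3 TCP_MISS/200 4321 GET http://www.example.edu/index.html - DIRECT/192.0.2.1 text/html
1213183261.456 310 10.1.2.7 TCP_MISS/200 8874 GET http://www.revenue-system.com/ViewCase.php?nr=12345 - DIRECT/192.0.2.2 text/html
1213183290.789 120 10.1.2.7 TCP_MISS/200 9001 GET http://www.revenue-system.com/ViewCase.php?nr=67890 - DIRECT/192.0.2.2 text/html
"""

# Constructed Postfix-style smtpd lines; only the bracketed peer IP matters.
SAMPLE_MAIL_LOG = """\
Jun 11 06:33:31 mx1 postfix/smtpd[1234]: connect from vms173005.mailsrvcs.net[206.46.173.5]
Jun 11 06:35:02 mx1 postfix/smtpd[1240]: connect from mail.example.org[192.0.2.10]
Jun 11 06:40:12 mx1 postfix/smtpd[1250]: connect from unknown[206.46.252.44]
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_lure_requests(proxy_log):
    """Return one record per request for the lure URL.

    Each record carries the internal client that fetched it and the per-recipient
    'nr' token, which the post says is unique per email (so it tells you which
    recipients actually clicked).
    """
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if parts.hostname != LURE_HOST or parts.path != LURE_PATH:
            continue
        nr = parse_qs(parts.query).get("nr", [None])[0]
        hits.append({"client": client, "nr": nr})
    return hits


def find_sender_connections(mail_log):
    """Return SMTP connections whose peer address is one of the listed last hops."""
    hits = []
    for line in mail_log.splitlines():
        m = IP_IN_BRACKETS.search(line)
        if m and m.group(1) in SENDER_IPS:
            hits.append({"timestamp": line[:15], "ip": m.group(1)})
    return hits


def summarize(proxy_log, mail_log):
    """Collapse both searches into the facts an IR lead wants first."""
    lure = find_lure_requests(proxy_log)
    senders = find_sender_connections(mail_log)
    return {
        "clients_that_fetched_lure": sorted({h["client"] for h in lure}),
        "lure_tokens": [h["nr"] for h in lure],
        "sender_connections": len(senders),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PROXY_LOG, SAMPLE_MAIL_LOG))
```

Because the lure links are unique per message, the `nr` values recovered from the proxy log map directly to recipients who followed the link; those are the workstations to pull for the signed ActiveX control before the domain's short-TTL DNS record moves.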