[unisog] very specific IT-department phish
Paul FM
paulfm at me.umn.edu
Wed Jun 11 16:39:41 GMT 2008
It probably is a legit ActiveX control, but one with a serious security hole
that can be exploited. ActiveX is very dangerous, as any ActiveX control
can be used by any web page.
Michael Holstein wrote:
> FYI:
>
> Overnight we got a very specific phishing attempt directed at IT staff
> (mostly the higher-level tech folks) .. it was properly worded English
> (unlike the usual 'send this file to have your advice..') and addressed
> each party by first and last name.
>
> It refers the user to a URL whereby an ActiveX control (which appears to
> be signed) asks to be installed. The links are unique to each email, and
> bring up a copy of the purported "IRS letter", again referencing the
> individual by name. Since you get the ActiveX regardless of what you put
> as the arguments to the php script, I didn't include that part.
>
> This link (broken on purpose) :
> hxxp://www.revenue-system.com/ViewCase.php .. has a javascript function
> to determine browser, and if IE will provide the ActiveX control. You
> might want to check your logs for that URL (which, at the moment, has a
> SOA pointing at ns5.idc2.net.cn with a fairly short TTL).
>
> Messages came from here (last hop before us) :
>
> 206.46.173.1
> 206.46.173.5
> 206.46.252.42
> 206.46.252.44
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University
>
> --snip--
>
> <redacted headers .. first header is entry point>
>
> Received: from localhost.localdomain ([66.84.15.19]) by vms173005.mailsrvcs.net
> (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
> with ESMTPA id <0K2A00AR6QRW60B3 at vms173005.mailsrvcs.net> for
> <redacted>@csuohio.edu; Wed, 11 Jun 2008 06:33:33 -0500 (CDT)
>
> Date: Wed, 11 Jun 2008 06:33:33 -0500 (CDT)
> Date-warning: Date header was inserted by vms173005.mailsrvcs.net
> From: Internal Revenue Service <notice at irs.org>
> Subject: Notice of Deficiency #<redacted>
> To: <<redacted>@csuohio.edu>
> Message-id: <0K2A00AR7QRW60B3 at vms173005.mailsrvcs.net>
>
>
> <html>
> <head><title>NOTICE OF DEFICIENCY</title></head>
> <body bgcolor="#EEEEEE">
> <pre>
>
> Department of the Treasury              Date of this Notice: May 23 2008
> Internal Revenue Service                Letter Number 531(DO)
> District Director                       Form: 1040
>
>
>
> -NOTICE OF DEFICIENCY-
>
> Dear <redacted>,
>
> We have determined that you owe additional tax and other amounts, or both,
> for the tax year(s) identified above. This letter is your NOTICE OF DEFICIENCY,
> as required by law. The enclosed statement shows how we figured the deficiency.
>
> If you want to contest this determination in court before making any payment,
> you have 90 days from the date of this letter (150 days if addressed outside the
> United States) to file a petition with the United States Tax Court for a
> redetermination of the deficiency.
>
> <a href="hxxp://www.revenue-system.com/ViewCase.php?nr=<redacted>">
> Please click here to download a Copy of the Order, Letter, Notice and
> Other Document Being Appealed</a></span></i></b></p>
>
> If you decide not to sign and return the waiver, and you do not file a petition
> with the Tax Court within the time limit, the law requires us to assess and bill you
> for the deficiency after 90 days from the date of this letter (150 days if this letter
> is addressed to you outside the United States).
>
>
> Thank you for your cooperation.
>
> Sincerely yours,
> Charles O. Rossotti
>
> Commissioner by
> Roger K. Burgess CR
>
> District Director
>
> Letter 531(DO)(Rev.9-96)
>
> </pre>
> </body>
> </html>
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
--
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul Markfort Info: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
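To act on the "check your logs for that URL" suggestion in the quoted post, here is an added example (mine, not code from either poster) that sweeps a Squid-style proxy log and a Postfix-style mail log for the indicators listed in the thread and pulls the originating address out of a header block. The log formats are assumptions; every log line and header below is constructed to resemble the thread's data, not a real capture, and the nr= value is a placeholder.

```python
"""Sweep proxy and mail logs for the indicators posted in this thread.

Added example, not code from the original post. All log lines and the
header block below are constructed; they are not real captures, and the
nr= value is a placeholder, not the per-recipient argument from the phish."""
import re
from urllib.parse import urlsplit

# Indicators copied from the thread.
PHISH_HOSTS = {"www.revenue-system.com", "revenue-system.com"}
PHISH_PATH = "/ViewCase.php"
SENDING_HOPS = {"206.46.173.1", "206.46.173.5", "206.46.252.42", "206.46.252.44"}
ENTRY_POINT = "66.84.15.19"

# Squid native access.log layout (assumed format for the sample lines):
# timestamp elapsed client status/code bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
# "hostname[a.b.c.d]" as Postfix logs the connecting client (assumed format).
CLIENT_RE = re.compile(r"(?P<host>[\w.-]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample data (placeholder addresses from RFC 5737 ranges).
SAMPLE_PROXY = [
    "1213187700.123    412 10.1.2.3 TCP_MISS/200 5120 GET "
    "http://www.revenue-system.com/ViewCase.php?nr=PLACEHOLDER - DIRECT/198.51.100.7 text/html",
    "1213187701.456     23 10.1.2.3 TCP_HIT/200 812 GET "
    "http://www.example.edu/index.html - NONE/- text/html",
    "1213187790.001    310 10.1.5.9 TCP_MISS/200 4096 GET "
    "http://revenue-system.com/ViewCase.php - DIRECT/198.51.100.7 text/html",
]
SAMPLE_MAIL = [
    "Jun 11 06:33:33 mx1 postfix/smtpd[2213]: connect from vms173005.mailsrvcs.net[206.46.173.5]",
    "Jun 11 06:33:34 mx1 postfix/smtpd[2213]: 4A1B2C: client=vms173005.mailsrvcs.net[206.46.173.5]",
    "Jun 11 06:35:10 mx1 postfix/smtpd[2214]: connect from mail.example.org[203.0.113.8]",
]
SAMPLE_HEADERS = (
    "Received: from mx.example.edu ([192.0.2.10])\n"
    "\tby localmail.example.edu; Wed, 11 Jun 2008 06:35:00 -0500\n"
    "Received: from localhost.localdomain ([66.84.15.19]) by vms173005.mailsrvcs.net\n"
    "\t(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))\n"
    "\twith ESMTPA id <0K2A00AR6QRW60B3@vms173005.mailsrvcs.net>;\n"
    "\tWed, 11 Jun 2008 06:33:33 -0500 (CDT)\n"
    "From: Internal Revenue Service <notice@irs.org>\n"
    "Subject: Notice of Deficiency #PLACEHOLDER\n"
)


def scan_proxy_log(lines):
    """Return (timestamp, client, url) for each request to the phish page.
    Match on host and path only: nr= is unique per recipient, so any value
    still identifies a client that followed the link."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.hostname in PHISH_HOSTS and parts.path == PHISH_PATH:
            hits.append((m.group("ts"), m.group("client"), m.group("url")))
    return hits


def scan_mail_log(lines):
    """Return distinct (host, ip) pairs that connected from the listed hops."""
    seen = []
    for line in lines:
        for m in CLIENT_RE.finditer(line):
            pair = (m.group("host"), m.group("ip"))
            if m.group("ip") in SENDING_HOPS and pair not in seen:
                seen.append(pair)
    return seen


def entry_point_ip(raw_headers):
    """Return the bracketed IP from the bottom-most Received: header (the hop
    furthest from us), or None if no Received: header carries one. Folded
    continuation lines are joined first so a wrapped header still parses."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    received = [l for l in unfolded.splitlines() if l.startswith("Received:")]
    if not received:
        return None
    m = BRACKET_IP_RE.search(received[-1])
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY):
        print("proxy hit:", hit)
    for host, ip in scan_mail_log(SAMPLE_MAIL):
        print("mail from listed hop:", host, ip)
    origin = entry_point_ip(SAMPLE_HEADERS)
    print("entry point:", origin, "(matches thread)" if origin == ENTRY_POINT else "")
```

Run against real logs, feed the file lines into the two scan functions; the proxy match deliberately ignores the query string because the post says the control is served regardless of what is passed to the PHP script, and the mail scan keys on the connecting IP rather than the spoofed From: header.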