Phishing emails disguised as U.S. Department of Treasury complaints


A new round of targeted phishing is underway with attackers again trying to trick recipients into opening malware-laden attachments falsely claiming to originate from the federal government, researchers warned today.

This time, the emails purport to come from the U.S. Department of Treasury and, like similar attacks over the past several months, claim to contain a complaint against the recipient and his or her company, Dan Hubbard, vice president of security research at Websense, said today.

The campaign is similar to a number of recent spear phishing runs that targeted employees, particularly executives, he said. Those attacks used the Better Business Bureau, IRS and federal Department of Justice as lures.

The latest phishing emails arrive with .pif files attached that claim to contain a complaint against the recipient, whose name and employer are listed in the email to add legitimacy, Hubbard said. However, the executable attachment actually contains a downloader that, if clicked on, connects to a malicious website, where the user's machine is hit with an information-stealing backdoor trojan.

The messages use powerful social engineering tactics to attract victims, he said.

"It's the personalization," Hubbard said. "It's attaching a large government agency to something that makes you think, 'Oh, maybe I'm in trouble here.' It's something that grabs you pretty quick."

The same tactics were used to compromise the Oak Ridge National Laboratory, a Knoxville, Tenn.-based center that conducts research for the Department of Energy. The lab's director admitted last week in a memo to staff that 11 employees fell victim to phishing emails, among them a message claiming to be a complaint on behalf of the Federal Trade Commission.

Hubbard said spear phishing assaults are becoming more common.

"The potential for more sensitive pieces of information is there," he said.

The attack reported today does not require vulnerability exploits and there were no signatures that defended against the trojan variant, Hubbard said.

But that does not mean its success rate was perfect. Many organizations block executables at the gateway, and even if the messages do get through, the recipient's machine must be running at administrative level for the attack to succeed.
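The gateway control mentioned above can be sketched as follows. This is an added example, not code from the article or from Websense: it strips attachments by executable extension (including .pif) and also by executable file header, so a renamed file is still caught. The extension list, addresses and sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist; .pif is the type named in the article, the rest are common additions.
BLOCKED_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".vbs", ".js"}

def blocked_attachments(raw_bytes):
    """Return [(filename, reason)] for parts a mail gateway should strip."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so "x.pif." still runs as .pif.
        name = (part.get_filename() or "").strip().rstrip(". ")
        if not name and part.get_content_maintype() == "text":
            continue  # plain message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTS:
            hits.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            # DOS/PE magic: an executable hiding behind a harmless-looking name.
            hits.append((name or "(unnamed)", "executable header, extension " + (ext or "none")))
    return hits

def build_sample():
    """Constructed message modelled on the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "complaints@treasury.example"
    msg["To"] = "executive@corp.example"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A complaint has been filed. See the attached document.")
    stub = b"MZ\x90\x00" + b"\x00" * 60  # header bytes only, not a working program
    for fname, data in [("complaint.doc.pif.", stub), ("complaint.doc", stub),
                        ("notice.pdf", b"%PDF-1.4 constructed")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample()):
        print(f"STRIP {name}: {reason}")
```

Checking the header as well as the name matters because an extension-only rule passes any executable that has simply been renamed.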

For employees who do fall for the trick, administrators should be sure to retrain them on security awareness, Hubbard said.

A spokesperson from the Department of Treasury did not respond to a request for comment.
