In what could presage a rash of tax-time spam purportedly from government agencies, security researchers at MX Logic have uncovered an influx of keylogger-laden emails spoofing the U.S. Department of Justice (DoJ).
The latest round of spam is similar in nature to last summer’s highly successfully spoofs on a variety of government agencies, including the IRS and the FBI, Sam Masiello, director of threat management at Englewood, Colo.-based MX Logic, told SCMagazineUS.com on Friday. Although those messages were targeted primarily to C-level executives, the small number of emails in the latest batch — a couple of hundred an hour — makes it difficult to pinpoint who the intended victims are as yet, Masiello said.
Both rounds of spoofing emails have used the social engineering tactic of including in their message the name of the person and company, he said, adding that this round of messages contains many of the same spelling and grammatical errors as last summer’s campaign.
That spammers would revisit this type of approach is not surprising, Gartner analyst Avivah Litan said. “This has been a very successful ploy — one that has yielded the crooks hundreds of thousands of dollars per attack,” she told SCMagazineUS.com on Friday.
The latest batch contains an image from the DoJ website, which contributes to its apparent legitimacy, Masiello said. The spoofed emails also contain a keylogger that once downloaded onto a recipient’s computer, collects personal information, such as the user’s bank account numbers and passwords.
Similar-style attacks should continue as tax rebate checks begin arriving, Masiello said. “As the tax rebates begin arriving in the May/June timeframe, we’ll likely see additional spoofs apparently from the government.”
Litan said consumers have “wised up” to traditional phishing attacks, such as those from a bank indicating that consumers’ accounts will be suspended unless they click on a link and enter personal information.
“Now the fraudsters have moved on to much more clever social engineering techniques and have discovered newfound financial success,” she said.
Instead, they are sending emails purporting to be from a government agency, such as the DoJ or FBI, warning that the recipient and their company must respond to a complaint.
“Worried consumers are quick to click on those links, only to have their PCs infected with malware that successfully steals their account credentials and eventually their money,” she said.
Masiello added that it is difficult to determine whether the group responsible for last summer’s round is behind this wave of spoofed emails.
“We don’t have enough information to definitely say it was the same group of people, but it would not be a stretch if it was,” he said.
From the random nature of the spoofed emails’ IP addresses, however, it is clear that the emails originated from a botnet, he said.
“Who controls that botnet is still unclear,” Masiello said. “That’s the difficult part, and why these botnets are so difficult to detect.”
“[The spammers] keep themselves hidden because of the layers between them and the actual malware,” he said, adding that a lot of times they’re coming from countries that make it difficult for the U.S. to prosecute.