The notorious information-stealing Zeus trojan is currently spreading via drive-by download, said security researchers at IT management software and solutions vendor CA.
Those behind Zeus, or Zbot, recently began circulating spam claiming to come from the Internal Revenue Service (IRS), requesting users submit a “tax refund request form” by clicking on a link that is provided.
Clicking takes victims to a website that attempts to perform a drive-by download, meaning users do not need to take any further action to be infected, Don Debolt, director of threat research at CA, told SCMagazineUS.com on Monday.
If clicked, the link loads a browser window that looks blank but, in the background, is attempting to download malicious code and install a variant of Zeus, Mary Grace Gabriel, research engineer at CA's Internet Security Business Unit, wrote in a recent blog post.
Previous spam campaigns used to spread Zeus have asked users to manually download and execute various reports, tools or statements seemingly coming from MySpace, Facebook, the IRS, Microsoft, the U.S. Social Security Administration and Verizon Wireless. This is the first IRS-themed drive-by campaign but it is not the first time Zeus authors have used the drive-by download technique, Debolt said.
“The people behind this threat are constantly refreshing their tactics,” he said.
The spam messages in this latest campaign use subject lines related to IRS refunds. The body of the email reads: “After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 760.22$ tax refund under section 501(c) (18) of the Internal Revenue Code.”
“The IRS does not send unsolicited e-mails to taxpayers about their tax accounts,” the agency said. “Anyone who receives an unsolicited e-mail claiming to come from the IRS should avoid opening any attachments or clicking on any links.”