Fake IRS notification e-mails have been in circulation on the Internet over the past few weeks. We’ve monitored the situation closely and have observed 30 active domain names currently spreading the Zeus trojan affiliated with the spam campaign, as well as 300 links used in the attack over the past month. The e-mail arrives as a notice of unreported income and directs the victim to click on a link (E.g. www.irs.gov.malwaredomain.com). When clicked, the victim arrives at website designed to look like an official IRS page.
The website attempts to legitimize itself by referencing the receivers name in the Taxpayer ID field and in the download link. Once the malware is accessed, the zeus trojan is silently installed on the victim’s computer and begins to intercept communication with banking sites in order to facilitate financial fraud.