Security researchers and the U.S. government Friday warned of ongoing targeted phishing attacks posing as overdue tax notices from federal courts.
The attacks take aim at top-level executives, including one who works for security vendor McAfee Inc.
"The e-mails are designed to look like a petition from the Tax Court and are fairly believable," said McAfee researcher Kevin McGhee in a notice posted to the company's Web site. "There's also a legitimate telephone number for the organization [and] the executive's name is listed as the respondent in a case versus the Commissioner of Internal Revenue."
McGhee included a screenshot of the e-mail received by a McAfee executive; the image showed the "From:" address as "ustaxcourt.org."
The legitimate U.S. Tax Court site -- "ustaxcourt.gov" -- also warned of the scam on its home page.
"The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court's practitioner bar," the warning said. "This message is an example of 'Spear Phishing,' which is an e-mail spoofing attempt that targets a specific organization."
"The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court. If you receive an e-mail with a subject line that includes the text, 'Notice of Deficiency #' or 'US Tax Petition,' ignore/delete the e-mail and do not click any link within the e-mail message," the agency said.
Targeted identity theft attacks, which have been dubbed "spear phishing" by some and "whale phishing" by others, are not new; nor are attacks that pose as legal messages from courts or the Internal Revenue Service. But such attacks have picked up as of late. Last month, for example, several waves of messages masquerading as notices of federal lawsuits reached recipients.
When users click on the link embedded in the phishing message, they're directed to a fake Tax Court Web site, said another security researcher, where they're asked to upgrade their copy of Microsoft Corp.'s Internet Explorer browser. "By string manipulation, in this case, adding a dash to the actual domain name of the actual site, unknowing users are easily made to believe that the bogus site is legitimate, making them most likely to click on the link," said Jovi Umawing, a researcher with Trend Micro Inc., in a separate warning posted on Friday.
McGhee noted that clicking on the purported IE update link actually downloads and installs malware, including a behind-the-scenes keylogger that records usernames and passwords typed on the PC's keyboard, then transmits that information to the identity thief.
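The lookalike naming described above (the ".org" sender address and the dashed site name) and the subject lines quoted in the Tax Court's warning can be checked mechanically on inbound mail. The following is an added example, not code from McAfee, Trend Micro or the Tax Court; the function names, the sample message, the "clerk" mailbox and the dashed host on the reserved .test TLD are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the only domain being protected is the court's real one.
LEGIT_DOMAIN = "ustaxcourt.gov"
# Subject-line strings quoted in the Tax Court's warning.
SUBJECT_MARKERS = ("notice of deficiency #", "us tax petition")

def host_of(value):
    """Return the lower-cased host of a URL, e-mail address or bare domain."""
    value = value.strip().lower()
    if "://" in value:
        # urlsplit drops any userinfo ("user@") and port, leaving the real host.
        return (urlsplit(value).hostname or "").rstrip(".")
    if "@" in value:
        value = parseaddr(value)[1].rsplit("@", 1)[-1]
    return value.rstrip(".")

def classify(value, legit=LEGIT_DOMAIN):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender or link."""
    host = host_of(value)
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    legit_name = legit.split(".")[0]  # 'ustaxcourt'
    # Strip dashes from every label so an inserted dash or a swapped TLD
    # still matches the protected name.
    labels = [label.replace("-", "") for label in host.split(".")]
    return "lookalike" if legit_name in labels else "unrelated"

def triage(sender, subject, links):
    """Return the reasons a message matches the scam described in the article."""
    reasons = []
    if classify(sender) == "lookalike":
        reasons.append("sender domain imitates " + LEGIT_DOMAIN)
    if any(marker in subject.lower() for marker in SUBJECT_MARKERS):
        reasons.append("subject line named in the Tax Court warning")
    reasons += ["link to lookalike host " + host_of(url)
                for url in links if classify(url) == "lookalike"]
    return reasons

# Constructed sample message; the dashed host is a made-up stand-in.
SAMPLE = {
    "sender": '"US Tax Court" <clerk@ustaxcourt.org>',
    "subject": "US Tax Petition - Notice of Deficiency #00-0000",
    "links": ["http://www.us-taxcourt.test/petition", "http://www.ustaxcourt.gov/"],
}

if __name__ == "__main__":
    for reason in triage(**SAMPLE):
        print(reason)
```

The subject check runs regardless of sender, since the court stated it sends no e-mail notices at all.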