Saturday, January 11, 2014

CPE: McAfee AudioParasitic: Episode 72: Tax SPAM

length 00:15:26

Tax-time SPAM campaign
The fake IRS trojan site apparently works, because every year it happens again and again, just like clockwork.

Social engineering using a malicious PDF or ActiveX.
The URLs are actually previously known malicious websites; most are Trojans with botnet capability.

It’s a web-based bot, not using IRC.

This malware does the “smart thing”: by now most companies block the IRC port, but a web-based command-and-control bot can still work nowadays.

DNS poisoning makes things even more complicated: even knowing the URL will not provide 100% protection.

Several dozen fake IRS websites are actually associated with the same IP address.

And this same IP address will be used for other fake websites, such as a fake Mother’s Day website.
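The shared-IP observation above can be turned into a simple defensive check over resolver or proxy logs. The following is an added example, not something from the podcast: the function names, the `irs` keyword, the threshold of three and the sample records are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver-log sample: (queried domain, resolved IP).
# Domains use the reserved .example TLD; IPs are documentation ranges.
SAMPLE_RECORDS = [
    ("irs-refund-status.example", "203.0.113.10"),
    ("IRS-taxreturn-help.example.", "203.0.113.10"),
    ("secure-irs-efile.example", "203.0.113.10"),
    ("mothers-day-ecards.example", "203.0.113.10"),
    ("irs-refund-status.example", "203.0.113.10"),   # repeat lookup
    ("first-national.example", "198.51.100.7"),      # "irs" only as a substring
    ("irs-forms-mirror.example", "198.51.100.20"),   # lone hit, below threshold
]

def normalize(domain):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return domain.lower().rstrip(".")

def has_brand_token(domain, keyword):
    """True if keyword is a whole token of the name (split on '.' and '-')."""
    return keyword in re.split(r"[.\-]", domain)

def shared_ip_clusters(records, keyword="irs", min_lookalikes=3):
    """Map each IP hosting >= min_lookalikes distinct keyword domains to
    its lookalike domains and everything else seen on that IP."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(normalize(domain))
    clusters = {}
    for ip, domains in by_ip.items():
        lookalikes = {d for d in domains if has_brand_token(d, keyword)}
        if len(lookalikes) >= min_lookalikes:
            clusters[ip] = {
                "lookalikes": sorted(lookalikes),
                "co_hosted": sorted(domains - lookalikes),
            }
    return clusters

if __name__ == "__main__":
    for ip, info in shared_ip_clusters(SAMPLE_RECORDS).items():
        print(ip, info)
```

The `co_hosted` list is where an unrelated lure on the same address, such as the fake Mother’s Day site, shows up. Shared hosting and CDN addresses also carry many domains, so a flagged IP is a lead for review rather than a verdict.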

If there is any doubt, pick up the phone and call.

10-20% of Google results on IRS are malicious websites.

