FYI...

US Tax Court spear-phishing attack
- http://www.us-cert.gov/current/#us_tax_court_spear_phishing
May 15, 2008 - "US-CERT is aware of public reports of a spear-phishing attack circulating via email messages that claim to be petitions from the US Tax Court. These messages appear to be legitimate because they may contain very specific information about the message recipient. The message requests that the user follow a link to download additional information about the petition, but if a user clicks on this link, malicious code may be installed on the system..."

- http://www.ustaxcourt.gov/
"NOTICE: The United States Tax Court has received many telephone calls regarding an email which purports to originate from the Court being sent by and a member of the Tax Court's practitioner bar. This message is an example of "Spear Phishing", which is an email spoofing attempt that targets a specific organization. The Tax Court is -not- disseminating any email notice to anyone who currently has a case before this Court. If you receive an email with a subject line that includes the text, "US Tax Petition", along with a malformed docket number following the format #000-000, and a sender address of noreply @ustaxcourt.org, please ignore/delete the email and do -not- click any link within the email message."

FYI...

- http://blog.trendmicro.com/then-subpoenas-now-tax-petitions/
May 23, 2008 - "...New spear phishing incident that’s reminiscent of the whale phishing incident documented last April, wherein bogus subpoenas were sent to CEOs. The new spam run involves email messages sent to specific organizations as notices of deficiency or tax petitions supposedly coming from the United States Tax Court... Once members of a targeted organization click on the link in the message body, they are directed to the site www .ustax-courts .com - the purported US Tax Court site—and asked to download a higher version of Internet Explorer (IE) onto their system to further view court details... By string manipulation (in this case, adding a dash to the actual domain name of the actual site), unknowing users are easily made to believe that the bogus site is legitimate, making them most likely to click on the link. The legitimate US Tax Court site is http://www.ustaxcourt.gov/ ... As we have advised before, consult with lawyers in case important-looking emails may be valid. But in this case, the concerned Court has declared that it does not send email notices to those with cases before it..."

(Screenshots available at the URL above.)

FYI...

- http://www.us-cert.gov/current/#us_tax_court_spear_phishing
updated June 4, 2008 - "US-CERT is aware of public reports of a phishing attack circulating via email messages that claim to be petitions from the US Tax Court. These messages appear to be legitimate because they may contain very specific information about the message recipient. The message requests that the user follow a link to download additional information or documents. If a user clicks on this link, the website attempts to use JavaScript to install a bogus root certificate that is supposedly issued by "VeriSign Trust Network." The user will normally receive several warnings when the JavaScript code attempts to install the certificate.
If the certificate installs successfully, the browser is redirected to another page that attempts to install an ActiveX control. The user may be prompted to allow the installation, and because the control is signed, it will appear to be legitimate. However, it is signed by a fake certificate for "Adobe Systems Incorporated," which is trusted by the bogus root certificate previously installed. The ActiveX control is a Browser Helper Object (BHO) that functions as an information stealer. Upon execution, it will attempt to download an update to itself and will then begin reading client certificates, stored passwords, cookies, browsing history, posted form data, and other information.
Public reports indicate that the attack messages have the following attributes:
* Messages appear to come from the "United State Tax Court." (Note the missing "s" on "State.")
* The URL within the message appears to link to the "ustax-courts.com" domain....
US-CERT encourages users to do the following to help mitigate the risk:
* Review the alert posted by the United States Tax Court regarding this issue..."
> http://www.ustaxcourt.gov/
"...ignore/delete the e-mail and do -not- click any link within the e-mail message..."

All times are GMT