Monday, June 20, 2011

Federal Tax transfer reject phish

This one is a hoot. The email looks like the one below (many blog posts currently look like this as well):



Clicking the link gets you a redirect (to a cz.cc host...surprise surprise):

Connecting to irs-reports-web-1258store.info|64.202.189.170|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Date: Mon, 20 Jun 2011 14:47:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859
Cache-Control: private
Content-Length: 0
Location: http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859 [following]
--2011-06-20 08:47:44-- http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859
Resolving uahdflkbhdanf.cz.cc... 89.208.149.215
Connecting to uahdflkbhdanf.cz.cc|89.208.149.215|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Jun 2011 18:46:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.5
Length: unspecified [text/html]
Saving to: `index.html'

Once that's done you'll get a nice taste of FAKEAV. Headers for the payload fetch:

GET /TAX25379001.pdf.exe HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: irs-web-report.info


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2011 15:29:32 GMT
Set-Cookie: BX=64qgorh6vupqs&b=3&s=0f; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.irs-web-report.info
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 20 Jun 2011 11:45:11 GMT
Accept-Ranges: bytes
Content-Length: 228864
Content-Type: application/octet-stream
Age: 0
Connection: close
Server: YTS/1.19.8
MZP.....................@...............................................!..L.!..This program must be run under Win32

Latest VirusTotal detection is spotty: 10/32.
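The capture above has three things a defender can key on without ever running the sample: a redirect that hops from a lookalike .info domain to a throwaway cz.cc subdomain, a request path with a document-style double extension (`.pdf.exe`), and a body that begins with the `MZ` signature of a Windows executable while being served as `application/octet-stream`. The script below is an added example, not the blog's own tooling, that pulls those indicators out of wget-style output and raw HTTP messages. The inline samples are trimmed copies of the output quoted in this post; the free-subdomain watch list and the "last two labels" notion of a registrable domain are simplifying assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Trimmed copy of the wget output quoted in the post (hosts and IPs as captured there).
WGET_LOG = """\
Connecting to irs-reports-web-1258store.info|64.202.189.170|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Location: http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859 [following]
--2011-06-20 08:47:44-- http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859
Resolving uahdflkbhdanf.cz.cc... 89.208.149.215
Connecting to uahdflkbhdanf.cz.cc|89.208.149.215|:80... connected.
HTTP/1.1 200 OK
"""

# Payload request/response headers as quoted in the post, reduced to the fields
# this example inspects; the body prefix is the start of the MZ header shown there.
PAYLOAD_REQUEST = "GET /TAX25379001.pdf.exe HTTP/1.1\r\nHost: irs-web-report.info\r\n\r\n"
PAYLOAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Length: 228864\r\n"
    "Content-Type: application/octet-stream\r\nServer: YTS/1.19.8\r\n\r\n"
)
PAYLOAD_BODY_PREFIX = b"MZP\x00\x00"

# Assumed watch list of free-subdomain zones commonly used for disposable
# redirectors; replace with your own intel feed in practice.
FREE_SUBDOMAIN_ZONES = {"cz.cc", "co.cc"}

CONNECT_RE = re.compile(r"^Connecting to ([^|\s]+)\|([0-9.]+)\|:(\d+)")
# Document-looking name followed by an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.(exe|scr|pif|com)$", re.I)


def redirect_chain(log: str) -> List[Tuple[str, str]]:
    """Return (host, ip) for every hop wget actually connected to, in order."""
    chain = []
    for line in log.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two DNS labels (no public-suffix list)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def chain_findings(chain: List[Tuple[str, str]]) -> List[str]:
    """Flag domain-crossing redirects and hops on free-subdomain zones."""
    findings = []
    if len(chain) > 1 and len({registrable_domain(h) for h, _ in chain}) > 1:
        findings.append("redirect crosses registrable domains: "
                        + " -> ".join(h for h, _ in chain))
    for host, _ in chain:
        if registrable_domain(host) in FREE_SUBDOMAIN_ZONES:
            findings.append(f"hop on free-subdomain zone: {host}")
    return findings


def parse_http(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message into its start line and lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return start, headers


def download_findings(request_raw: str, response_raw: str, body_prefix: bytes) -> List[str]:
    """Flag double extensions and executables hiding behind a generic content type."""
    request_line, _ = parse_http(request_raw)
    path = request_line.split()[1].split("?", 1)[0]
    _, resp_headers = parse_http(response_raw)
    findings = []
    if DOUBLE_EXT_RE.search(path):
        findings.append(f"double extension in request path: {path}")
    if body_prefix[:2] == b"MZ":
        findings.append("body starts with MZ: Windows executable")
        if resp_headers.get("content-type", "").startswith("application/octet-stream"):
            findings.append("executable served as application/octet-stream")
    return findings


if __name__ == "__main__":
    for finding in chain_findings(redirect_chain(WGET_LOG)):
        print("[chain]", finding)
    for finding in download_findings(PAYLOAD_REQUEST, PAYLOAD_RESPONSE, PAYLOAD_BODY_PREFIX):
        print("[payload]", finding)
```

Each check is deliberately independent, so a proxy log that lacks the body bytes still yields the redirect and double-extension findings; the `MZ` check is the one that survives a renamed file, which is why it is worth keeping even when the name already gives the game away.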


Update #1
These .info domains seem to be up for only a few moments; attempting to fetch them later shows them as unresolved. These have been tagged as ZBOT.
