ASB-2011.0109 - ALERT [Win][UNIX/Linux][Mobile] Fake ATO emails claiming "mistakes in filled tax return"

Date: 08 December 2011
References: ESB-2010.0525  ESB-2010.0609  ASB-2011.0077  ESB-2011.1199  


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0109
         Fake ATO emails claiming "mistakes in filled tax return"
                              8 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Fake ATO emails claiming "mistakes in filled tax return"
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2010-1885  
Member content until: Saturday, January  7 2012
Reference:            ASB-2011.0077
                      ESB-2010.0609
                      ESB-2010.0525
                      ESB-2011.1199

OVERVIEW

        AusCERT has received reports of, and has itself observed, malicious 
        email messages currently in circulation that pretend to be from the 
        Australian Tax Office.


IMPACT

        AusCERT has performed some initial processing and analysis of this 
        phishing scam; these are our findings at this time.
        
        The URLs included in the phishing messages link to malicious web 
        sites, which in some cases redirect to further malicious sites.
        
        There is some consistency between the many malicious URLs, which 
        appear to exploit the Help Center URL Validation Vulnerability for 
        Windows (CVE-2010-1885).
        
        The malicious web sites also make reference to Flash/Shockwave Flash, 
        Java, Adobe Reader and Acrobat.
        
        A known exploitable vulnerability exists in Adobe Reader and Acrobat 
        for which no patch is yet available (ESB-2011.1199). We are uncertain 
        whether this vulnerability is being exploited in this case.
        
        The behaviour of the malicious sites references user agents including: 
        "Win", "Mac", "Linux", "FreeBSD", "iPhone", "iPod", "iPad", "Win. * CE",
        "Win. * Mobile", "Pocket \ s * PC". Android devices are conspicuously 
        missing.
        
        Browser types checked for include Safari, Chrome, MSIE and Gecko, 
        with ActiveX controls for Flash and possibly Windows Media Player 
        receiving attention.


DETAILS

        Numerous versions of the phishing email messages have been observed. 
        The email message subject lines generally claim that a mistake has been 
        made with a tax return or form submission, with the sender claiming to 
        be from the ATO. 
        
        Messages have been observed claiming to be from donotreply@ato.gov.au 
        or another sender address ending with ato.gov.au.
        
        Some examples of the phishing message subject lines include:
        
           Incorrectly filled tax return
           Mistakes in your tax form NAT3799 
           Mistakes in your tax return
           Notice regarding your NAT3799 tax form
           Please correct your tax form NAT3799 
           incorrect NAT3799 tax form application
           incorrect completing of your NAT3799 tax form
           incorrect filling of your NAT3799 tax form
           mistakes in your NAT3799 tax form
           wrong filling of your NAT3799 tax form
           Urgent! You filled out your tax form NAT3799 incorrectly!
        
        The body of the phishing message warns of an alleged mistake and 
        requests the reader consult a "tax specialist" by following a malicious 
        URL. For the purposes of social engineering, the final paragraph adds 
        urgency requesting the mistake be fixed "as soon as possible".
        
        AusCERT has compiled the following list of malicious URLs used by this 
        phishing scam. While extensive, it is likely not complete.
        


MITIGATION

        The following are some mitigation strategies:
        
           * Check that your spam filtering solution is blocking the phishing 
             messages in question.
        
           * Monitor or block the malicious URLs.
        
           * Make sure your operating system and applications are fully patched.
        
           * Be sure to be running up-to-date anti-virus software.
        
           * Disable JavaScript in web browsers and mail clients, or use a properly 
             configured NoScript plug-in for Firefox or an equivalent for other 
             web browsers.
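        As an added illustration (not part of the AusCERT bulletin), the 
        following Python filter applies the indicators from the DETAILS section 
        to a raw mail message: the subject-line wording, a sender address in 
        the spoofed ato.gov.au domain, and a link that leads off that domain. 
        The sample message and its link host are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject wording seen in the campaign: a "problem" word plus a tax return/form or NAT3799 reference.
PROBLEM_RE = re.compile(r"incorrect|mistake|wrong|please correct|notice regarding", re.I)
FORM_RE = re.compile(r"tax (return|form)|NAT3799", re.I)
CLAIMED_DOMAIN = "ato.gov.au"  # sender domain the phish impersonates
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_of(url):
    # Lower-cased host name of an http(s) URL (path and port stripped).
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def classify(raw):
    """Return the campaign indicators that fire on one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = msg.get("Subject", "")
    if PROBLEM_RE.search(subject) and FORM_RE.search(subject):
        hits.append("subject-matches-campaign")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_ato = in_domain(sender_domain, CLAIMED_DOMAIN)
    if claims_ato:
        hits.append("sender-claims-ato")
    # A message claiming to be from the ATO whose links point outside ato.gov.au
    # is exactly the pattern this campaign relies on.
    offsite = [u for u in URL_RE.findall(body_text(msg))
               if not in_domain(host_of(u), CLAIMED_DOMAIN)]
    if claims_ato and offsite:
        hits.append("ato-sender-with-offsite-link")
    return hits

# Constructed sample message (not a real campaign sample); the link host is a placeholder.
SAMPLE_PHISH = """From: Australian Taxation Office <donotreply@ato.gov.au>
To: taxpayer@example.com
Subject: Urgent! You filled out your tax form NAT3799 incorrectly!

A mistake was found in your tax return. Please consult a tax specialist at
http://malicious-host.example/abc123/index.html as soon as possible.
"""
```

        Feeding SAMPLE_PHISH to classify() returns all three indicators; a 
        message from a genuine ato.gov.au sender whose links stay within 
        ato.gov.au triggers only the sender check.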


REFERENCES

        [1] CVE-2010-1885
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885

        [2] ESB-2011.1199
            http://www.auscert.org.au/render.html?it=15160

        [3] Wepawet Analysis of malicious site
            http://wepawet.iseclab.org/view.php?hash=262835d8006824f3e9224ffeebd05b50&t=1323302816&type=js

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================