Date: 08 December 2011
References: ESB-2010.0525 ESB-2010.0609 ASB-2011.0077 ESB-2011.1199
===========================================================================
AUSCERT Security Bulletin
ASB-2011.0109
Fake ATO emails claiming "mistakes in filled tax return"
8 December 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Fake ATO emails claiming "mistakes in filled tax return"
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2010-1885
Member content until: Saturday, January 7 2012
Reference: ASB-2011.0077
ESB-2010.0609
ESB-2010.0525
ESB-2011.1199
OVERVIEW
AusCERT has received reports of, and has observed, malicious email
messages currently in circulation pretending to be from the Australian
Tax Office.
IMPACT
AusCERT has performed some initial processing and analysis of this
phishing scam; these are our findings at this time.
The URLs included in the phishing scam messages link to malicious web
sites, which in some cases include redirects to other malicious sites.
There appears to be some consistency between the many malicious URLs,
which seem to exploit the Help Center URL Validation Vulnerability for
Windows (CVE-2010-1885).
The malicious web sites also appear to make reference to
Flash/Shockwave Flash, Java, Adobe Reader and Acrobat.
There is currently a known exploitable vulnerability in Adobe Reader
and Acrobat for which no patch yet exists (ESB-2011.1199). We are
uncertain whether this vulnerability is being exploited in this case.
The code on the malicious sites makes reference to user agents including:
"Win", "Mac", "Linux", "FreeBSD", "iPhone", "iPod", "iPad", "Win.*CE",
"Win.*Mobile", "Pocket\s*PC". Android devices are conspicuously
missing.
Browser types checked for include Safari, Chrome, MSIE and Gecko,
with ActiveX controls for Flash and possibly Windows Media Player
receiving attention.
DETAILS
Numerous versions of the phishing email messages have been observed.
The email message subject lines generally claim that a mistake has been
made with a tax return or form submission, with the sender claiming to
be from the ATO.
Messages have been observed claiming to be from donotreply@ato.gov.au
or another sender address ending with ato.gov.au.
Some examples of the phishing message subject lines include:
Incorrectly filled tax return
Mistakes in your tax form NAT3799
Mistakes in your tax return
Notice regarding your NAT3799 tax form
Please correct your tax form NAT3799
incorrect NAT3799 tax form application
incorrect completing of your NAT3799 tax form
incorrect filling of your NAT3799 tax form
mistakes in your NAT3799 tax form
wrong filling of your NAT3799 tax form
Urgent! You filled out your tax form NAT3799 incorrectly!
The body of the phishing message warns of an alleged mistake and
requests the reader consult a "tax specialist" by following a malicious
URL. For the purposes of social engineering, the final paragraph adds
urgency requesting the mistake be fixed "as soon as possible".
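A mail-triage check for the campaign traits described above (a sender claiming ato.gov.au, the quoted subject wording, the "as soon as possible" urgency lure, and a URL blocklist), added here as an example and not part of the AusCERT bulletin. The regexes, the scoring rule and the placeholder blocklist host phish-host.example are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Bulletin traits: spoofed ato.gov.au senders, subjects naming form NAT3799 or a
# mistaken tax form/return, an "as soon as possible" lure. Regexes are our own.
IMPERSONATED_DOMAIN = "ato.gov.au"
SUBJECT_RE = re.compile(
    r"\bNAT3799\b|(incorrect|mistake|wrong).{0,40}\btax (form|return)\b", re.I)
URGENCY_RE = re.compile(r"as soon as possible|urgent", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BLOCKED_HOSTS = {"phish-host.example"}  # placeholder, not a real indicator

def sender_domain(from_header):
    """Lowercase domain of the From: address ('' if unparsable)."""
    return parseaddr(from_header or "")[1].rpartition("@")[2].lower()

def claims_domain(domain, impersonated=IMPERSONATED_DOMAIN):
    """True for the domain itself or a subdomain, not for e.g. notato.gov.au."""
    return domain == impersonated or domain.endswith("." + impersonated)

def blocked_urls(text, blocklist=BLOCKED_HOSTS):
    """URLs in text whose host is on the blocklist."""
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() in blocklist]

def triage(raw_message, blocklist=BLOCKED_HOSTS):
    """Score one RFC 822 message; returns (score, reasons), score >= 2 suspect."""
    msg = message_from_string(raw_message)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    reasons = []
    if claims_domain(sender_domain(msg.get("From"))):
        reasons.append("sender claims " + IMPERSONATED_DOMAIN)
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches campaign wording")
    if URGENCY_RE.search(body):
        reasons.append("urgency lure in body")
    hits = blocked_urls(body, blocklist)
    if hits:
        reasons.append("blocklisted URL: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample modelled on the subject lines and lure the bulletin quotes.
SAMPLE = """From: ATO <donotreply@ato.gov.au>
Subject: Urgent! You filled out your tax form NAT3799 incorrectly!

Please consult a tax specialist at http://phish-host.example/1a2b3c/index.html
and fix the mistake as soon as possible.
"""
```

Running `triage(SAMPLE)` scores the constructed sample 4 of 4; a real deployment would load the bulletin's URL list into the blocklist and feed messages from the mail gateway's quarantine.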
AusCERT has compiled this list of malicious URLs used by this
phishing scam. While extensive, it is likely not complete.
MITIGATION
The following are some mitigation strategies:
* Check your spam solution to see that it is blocking the phishing
messages in question.
* Monitor or block the malicious URLs.
* Make sure your operating system and applications are fully patched.
* Be sure to be running up-to-date anti-virus software.
* Disable JavaScript in web browsers and mail clients, or use a properly
configured NoScript plug-in for Firefox or the equivalent for other web
browsers.
REFERENCES
[1] CVE-2010-1885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
[2] ESB-2011.1199
http://www.auscert.org.au/render.html?it=15160
[3] Wepawet Analysis of malicious site
http://wepawet.iseclab.org/view.php?hash=262835d8006824f3e9224ffeebd05b50&t=1323302816&type=js
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================