We are still seeing malicious emails from a campaign that was begun several weeks ago by the Pushdo botnet. The emails pretend to come from the IRS and ask that you review your tax statement on the IRS website, a link to which is provided.
The URLs linked to in these emails all have the format 'http://www.irs.gov.[host domain]/fraud_application/directory/statement.php?'. So far in our TRACEnet system we have seen over 300 domains being used to host these websites.
The link takes you to the website below which asks you to download and execute a program in order to review your tax statement.
The executable file that we downloaded was not detected by most anti-virus programs. When run it installs the Zbot Trojan horse which steals information from a victims' PC.
MailMarshal customers, and WebMarshal 6.5 customers with TRACEnet, are protected from this campaign with the latest updates.
