'Whaling' Scam Targets Execs Via Tax Court Ruse

A new whaling scam -- that's a phishing scam that targets big game -- using a supposed U.S. Tax Court notification as bait has reeled in about 600 victims so far, according to Internet security firm SecureWorks.

The phishing e-mails appear to come from a Chinese hacker also believed to be responsible for a number of attacks earlier this year targeting C-level executives. The previous attacks have purported to be notifications of legal action from a federal court or the Internal Revenue Service and included a link in the body of the e-mail to download documents.

The current attack supposedly is from the U.S. Tax Court, and downloading the phony document actually installs spyware masquerading as an Adobe Acrobat ActiveX control.

Installation of the spyware is facilitated by downloading a root certificate from a phony certificate authority using the VeriSign Trust Network name.

"If the certificate authority is successfully loaded onto the victim's computer, the hacker can more easily re-infect the computer because it will automatically trust the hacker's code," SecureWorks said.
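The practical defense against the tactic SecureWorks describes is to know what is in the machine's trusted root store. The script below is an added example, not code from the article or from SecureWorks: it compares a root-store inventory against a baseline of approved fingerprints and flags any root that is not approved, sorting first those whose subject borrows a trusted CA's brand name (the pattern the phony "VeriSign Trust Network" authority used). The inventory, fingerprints and brand list are constructed placeholders; on a real Windows host the inventory would be populated from the OS store (for example, PowerShell's `Get-ChildItem Cert:\LocalMachine\Root`).

```python
"""Audit a trusted root certificate store against a known-good baseline.

Added example (not from the article). The inventory and fingerprints are
constructed; on a real Windows host ROOT_STORE would be populated from an
enumeration of the machine's Root store (e.g. PowerShell's
Get-ChildItem Cert:\\LocalMachine\\Root).
"""
import re

# Known-good baseline: SHA-256 fingerprints of roots the organisation has
# approved. Constructed placeholder values, not real certificate hashes.
BASELINE = {
    "A1" * 32: "VeriSign Class 3 Public Primary Certification Authority",
    "B2" * 32: "Microsoft Root Certificate Authority",
}

# Brand strings a look-alike root might borrow to appear legitimate.
TRUSTED_BRANDS = ("verisign", "microsoft", "digicert", "entrust")

# Constructed inventory: what an enumeration of the root store might return.
ROOT_STORE = [
    {"subject": "CN=VeriSign Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US",
     "sha256": "A1" * 32},
    {"subject": "CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com",
     "sha256": "B2" * 32},
    # A rogue root whose name borrows the VeriSign brand but is not on the baseline.
    {"subject": "CN=VeriSign Trust Network, OU=Class 3 Public Primary CA, O=VeriSign Trust Network",
     "sha256": "C3" * 32},
    # An unknown root with an unremarkable name (still unapproved).
    {"subject": "CN=Contoso Internal CA, O=Contoso", "sha256": "D4" * 32},
]


def common_name(subject):
    """Extract the CN attribute from an X.500-style subject string."""
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else subject


def classify_root(entry):
    """Return 'approved', 'lookalike' or 'unapproved' for one store entry."""
    fp = entry["sha256"].upper()
    if fp in BASELINE:
        return "approved"
    name = entry["subject"].lower()
    if any(brand in name for brand in TRUSTED_BRANDS):
        return "lookalike"  # trusted brand in the name, unknown fingerprint
    return "unapproved"


def audit_root_store(store):
    """Return (verdict, common name, fingerprint) for every root that is not
    on the baseline; look-alikes sort first because they are the most
    likely sign of a deliberately planted authority."""
    findings = []
    for entry in store:
        verdict = classify_root(entry)
        if verdict == "approved":
            continue
        findings.append((verdict, common_name(entry["subject"]), entry["sha256"]))
    findings.sort(key=lambda f: (f[0] != "lookalike", f[1]))
    return findings


if __name__ == "__main__":
    for verdict, cn, fp in audit_root_store(ROOT_STORE):
        print(f"{verdict:<10} {cn}  sha256={fp[:16]}...")
```

Run against the constructed inventory, the audit reports the brand-borrowing "VeriSign Trust Network" root first and the unremarkable unknown root second; the two baseline roots produce no finding. Matching on fingerprint rather than on subject name is the point: a rogue root can copy any name it likes, but not the hash of the genuine certificate.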

The spyware, which seeks out client certificates for accessing financial accounts, passwords and account information, is known malware that many anti-virus engines can identify. Installing the phony certificate also can generate a series of warnings in the browser, requiring the user to authorize installation.

But the e-mail uses a number of social-engineering techniques to gain the victim's trust. It is addressed to a specific individual, and the message contains information apparently harvested from private databases that might not be readily available to the public, such as a direct telephone number and job title.

There are clues to the nature of the e-mail, however. It appears to come from the "United State Tax Court," with an "s" missing at the end of "State." The URL in the link to download the supposed document is for "" rather than .gov, which also should be a dead giveaway. Don Jackson, director of threat intelligence for SecureWorks, speculated that the .com domain was used to avoid replies going back to genuine Tax Court servers and quickly alerting them to the scam.
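The two clues Jackson points to, a misspelled agency name and a download link that does not end in .gov, are both mechanically checkable at the mail gateway. The following is an added example, not from the article or SecureWorks: it looks for a claimed U.S. government sender in the message text, reports whether the claimed name matches the agency's real name exactly, and lists every http(s) link whose host is not under .gov. The sample message is constructed for the example, and its domain uses the reserved `example.com` as a placeholder for whatever .com domain the real campaign used.

```python
"""Flag government-impersonation lures: a claimed U.S. federal sender whose
links point outside .gov, or whose agency name is slightly misspelled.

Added example (not from the article); the sample message and its domains
are constructed, with example.com standing in for the real .com domain.
"""
import re
from urllib.parse import urlparse

# Sender claims as they might appear in a message; "States?" deliberately
# also matches the "United State" misspelling the article describes.
GOV_CLAIMS = re.compile(
    r"\b(United States? Tax Court|Internal Revenue Service|IRS|U\.S\. District Court)\b",
    re.IGNORECASE,
)

# Exact, correctly spelled names for comparison against what was matched.
CANONICAL = {
    "united states tax court",
    "internal revenue service",
    "irs",
    "u.s. district court",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed message modelled on the kind of lure described in the article.
SAMPLE_MESSAGE = """From: United State Tax Court <notices@ustaxcourt.example.com>
Subject: Notice of Petition

Dear Mr. Placeholder, Chief Financial Officer (tel. 555-0100),
A petition has been filed against your company. Download the notice at
http://www.ustaxcourt.example.com/docs/petition.pdf
Please respond within 10 days.
"""


def claimed_government_sender(text):
    """Return the government name the message claims, or None."""
    m = GOV_CLAIMS.search(text)
    return m.group(0) if m else None


def misspelled_claim(claim):
    """True when the claimed name is close to a real agency name but not exact."""
    return claim is not None and claim.lower() not in CANONICAL


def links_outside_gov(text):
    """Return hostnames of all http(s) links that are not under .gov."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not (host == "gov" or host.endswith(".gov")):
            hosts.append(host)
    return hosts


def assess(text):
    """Return (claim, misspelled, offending_hosts). A government claim with
    any offending host is the mismatch the article calls a dead giveaway."""
    claim = claimed_government_sender(text)
    if claim is None:
        return None, False, []
    return claim, misspelled_claim(claim), links_outside_gov(text)


if __name__ == "__main__":
    claim, typo, hosts = assess(SAMPLE_MESSAGE)
    print(f"claimed sender: {claim!r} (misspelled: {typo})")
    for h in hosts:
        print(f"link outside .gov: {h}")
```

On the constructed sample, `assess` reports the claim "United State Tax Court" as misspelled and lists `www.ustaxcourt.example.com` as a link outside .gov. Either signal alone deserves a closer look; both together on a message addressed to a named executive is the profile SecureWorks describes.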

The URL hosting the malware resolves to an address hosted on a server administered by China Network Communication Group in Beijing. The type of Chinese characters used to sign the executable code indicates the compiler probably is from Taiwan or Hong Kong rather than the mainland, Jackson said. He said the author of the attacks apparently has enough experience with the U.S. court system to generate official-looking and -sounding documents, although there are typos.

According to the VeriSign iDefense Security Intelligence Services, about 6,000 of the phishing e-mails have gone out, resulting in about 600 infections. About 120 of those were still transmitting data to the attacker as of Monday.

Keeping anti-virus engines updated can help avoid infection, as can using a browser with anti-phishing protection to identify suspect sites. The scam relies on Internet Explorer functionality, so using another browser will prevent infection. If using the IE browser, do not allow installation of certificates from Web sites, even if the certificate authority appears to be trustworthy. And, for the record, neither the IRS nor the courts send official notices by e-mail.

About the Author

William Jackson is the senior writer for Government Computer News (
