Computerworld

Feds called in over Trojan tax scam

E-mail scammers have shifted their sights from a staple diet of banks, betting shops and auction sites to government agencies, with the Australian Taxation Office (ATO) calling in Australian Federal Police over a spam deluge that tries to send taxpayers to Trojan-infected Web sites.

A spokesperson for the ATO today confirmed the spam outbreak illegally circulating under the ATO's moniker, saying both the e-mails and associated Web sites were presently under investigation by both AFP and the tax office's own internal forensics and computer investigations unit.

The ATO spokesperson also confirmed some of the scam e-mails directed unwitting recipients to an Australian-hosted Web site which appears to have since been shifted overseas, thus muddying legal jurisdictions.

The spokesperson added the ATO would be taking action imminently to educate customers about the scam and general e-security best practice. The ATO is also removing any embedded links from any outbound ATO e-mails.

In terms of appearance, the e-mail plagiarizes the newly standardized Australian Government graphic - clearly lifted from the ATO's own Web material - and invites victims to "View your BAS payment details and activity statement deadlines", courtesy of an embedded link.

The embedded link then redirects users to a free-hosting site, which then attempts to load both a Trojan and a keystroke logger onto the user's machine. Unsurprisingly, antispam and antivirus vendors are making fast marketing mileage out of the latest outbreak. So far Surf Control is claiming to be the first to detect the scam.

Surf Control's Australian managing director Charles Heunemann described the combined spam and Trojan as "very clever", but warned it also represented the first wave of a new breed of e-mail scams targeting the government sector.

"We haven't seen a phishing scam like this before. It's like a war-dial on [Australian domain addresses]. Every single person is a client of the ATO whether they like it or not. They [the phishers] can cast a very wide net," Heunemann said.

Heunemann added the current exploit is "very similar" to an earlier exploit which Surf Control first believed it to be... "but it is a newer variant which doesn't seem to have a patch available. We recommend that users either disable ActiveX or select a high security setting in Internet Explorer.

For their part, government agencies say they have seen similar scams come and go recently. One senior law enforcement source told Computerworld even the Australian Federal Police e-mail domain had been spoofed by unscrupulous persons.

"It was headed 'You are being investigated'. We've seen a few of them," the source said.