The United States Computer Emergency Readiness Team (US-CERT) is aware of public reports of a phishing attack circulating via email messages that claim to be petitions from the US Tax Court. These messages appear legitimate because they may contain very specific information about the recipient. The message asks the user to follow a link to download additional information or documents. If a user clicks on this link, the website attempts to use JavaScript to install a bogus root certificate that is supposedly issued by "VeriSign Trust Network." The user will normally receive several warnings when the JavaScript code attempts to install the certificate.
If the certificate installs successfully, the browser is redirected to
another page that attempts to install an ActiveX control. The user may
be prompted to allow the installation, and because the control is
signed, it will appear to be legitimate. However, it is signed by a
fake certificate for "Adobe Systems Incorporated" that chains to the
bogus root certificate installed in the previous step, so the browser
treats the signature as valid. The ActiveX control is a Browser Helper
Object (BHO) that functions as an information stealer. Upon execution,
it attempts to download an update to itself and then begins reading
client certificates, stored passwords, cookies, browsing history,
posted form data, and other information.
Public reports indicate that the attack messages have the following
attributes:
* Messages appear to come from the "United State Tax Court." (Note
the missing "s" on "State.")
* The URL within the message appears to link to the
"ustax-courts.com" domain.
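As an added example (not part of the US-CERT advisory), the following Python script checks a raw email message for the two attributes listed above: a sender display name with the missing "s" and sender or link domains that imitate the Court's domain. It assumes ustaxcourt.gov is the Court's legitimate domain and runs over a constructed sample message rather than a real captured one.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "ustaxcourt.gov"  # the Court's real domain; a one-entry allowlist (assumption)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_lookalike(host):
    # A host that is not the real domain but still reads like "US Tax Court".
    host = host.lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    flat = re.sub(r"[-.]", "", host)  # "ustax-courts.com" -> "ustaxcourtscom"
    return "ustaxcourt" in flat or ("tax" in flat and "court" in flat)

def analyze_message(raw):
    # Returns the indicators found in one raw RFC 822 message; [] means none found.
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if "united state tax court" in name.lower():  # the missing "s" noted in the advisory
        findings.append("sender display name 'United State Tax Court' (missing 's')")
    sender_host = addr.rpartition("@")[2]
    if is_lookalike(sender_host):
        findings.append(f"sender domain {sender_host} imitates {LEGIT_DOMAIN}")
    seen = set()
    for part in msg.walk():  # every text/* body part, whether the message is multipart or not
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(body):  # catches both href targets and bare URLs
            host = urlparse(url).hostname or ""
            if host not in seen and is_lookalike(host):
                seen.add(host)
                findings.append(f"link to {host} imitates {LEGIT_DOMAIN}")
    return findings

# Constructed sample modelled on the attributes in the advisory, not a real captured message.
SAMPLE = """From: United State Tax Court <notice@ustax-courts.com>
To: taxpayer@example.com
Subject: Petition notice
Content-Type: text/html

<p>Your petition documents are ready.</p>
<a href="http://www.ustax-courts.com/petition">Download documents</a>
"""
```

Running `analyze_message(SAMPLE)` returns three findings (display-name typo, lookalike sender domain, lookalike link host); a message from ustaxcourt.gov linking to www.ustaxcourt.gov returns none.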
US-CERT encourages users to do the following to help mitigate the
risk:
* Review the alert posted by the United States Tax Court regarding
this issue.
* Do not follow unsolicited web links received in email messages.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.
* Install anti-virus software and keep virus signature files up to
date.
* Pay close attention to warning messages and prompts.
This announcement was excerpted from the US-CERT website.