United States Tax Court Phishing Attack

US-CERT is aware of public reports of a phishing attack circulating via email messages that claim to be petitions from the US Tax Court. These messages appear to be legitimate because they may contain very specific information about the message recipient. The message requests that the user follow a link to download additional information or documents. If a user clicks on this link, the website attempts to use JavaScript to install a bogus root certificate that is supposedly issued by "VeriSign Trust Network." The user will normally receive several warnings when the JavaScript code attempts to install the certificate.

If the certificate installs successfully, the browser is redirected to another page that attempts to install an ActiveX control. The user may be prompted to allow the installation, and because the control is signed, it will appear to be legitimate. However, it is signed by a fake certificate for "Adobe Systems Incorporated," which is trusted by the bogus root certificate previously installed. The ActiveX control is a Browser Helper Object (BHO) that functions as an information stealer. Upon execution, it will attempt to download an update to itself and will then begin reading client certificates, stored passwords, cookies, browsing history, posted form data, and other information.

Public reports indicate that the attack messages have the following attributes:

  • Messages appear to come from the "United State Tax Court." (Note the missing "s" on "State.")
  • The URL within the message appears to link to the "ustax-courts.com" domain.
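
A mail-triage check for the two message attributes listed above, added here as an example and not US-CERT's own code: it flags a message whose From display name carries the misspelled court name, or whose body links to the named domain or one of its subdomains. The function names, sample messages, and their addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators quoted in the advisory text.
SPOOFED_NAME = "united state tax court"   # "State" is missing its "s"
LOOKALIKE_DOMAIN = "ustax-courts.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_matches(host, domain=LOOKALIKE_DOMAIN):
    """True for the domain or a subdomain of it, never for a mere substring."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return the advisory indicators present in one RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    name, _addr = parseaddr(msg.get("From", ""))
    if SPOOFED_NAME in " ".join(name.lower().split()):
        hits.append("sender-name")
    text = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    for url in URL_RE.findall("\n".join(text)):
        try:
            host = urlsplit(url).hostname
        except ValueError:      # malformed authority, e.g. unbalanced brackets
            continue
        if host_matches(host):
            hits.append("lookalike-url")
            break
    return hits

# Constructed sample messages (addresses and paths are made up for this example).
PHISH = ('From: "United State Tax Court" <clerk@mail.example.test>\n'
         "Subject: Petition notice\n\n"
         "Download the petition: http://www.ustax-courts.com/docs/petition\n")
BENIGN = ('From: "United States Tax Court" <clerk@mail.example.test>\n'
          "Subject: Notice\n\n"
          "See http://ustax-courts.com.example.test/ and http://example.test/\n")

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, check_message(raw))
```

The host comparison is exact-or-subdomain, so a hostname that merely contains the indicator string, or the correctly spelled court name in the sender field, does not trigger a hit.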

US-CERT encourages users to do the following to help mitigate the risk:

  • Review the alert posted by the United States Tax Court regarding this issue.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
  • Install anti-virus software and keep virus signature files up to date.
  • Pay close attention to warning messages and prompts.
