Tax Spam Malware Warning

The spam filters are currently working overtime catching dubious email messages about tax payments having failed. As you might expect, this is a Tax Spam Malware Warning, so take care before opening anything that tells you that Your Tax Payment failed.

This email, which purports to be from US tax payment service Electronic Federal Tax Payment System (EFTPS), claims that the recipient’s tax payment has been rejected due to a submission error. The message, which includes a sender address and link that are seemingly valid EFTPS addresses, asks the recipient to click a link in order to review details about the error.

Obviously the email is not from the EFTPS, and the link in the message has been disguised so that it appears to point to the genuine EFTPS website. In fact, it is a phishing scam designed to steal personal information from recipients. A sample of the email appears below:

Your Tax Payment ID [random number] is failed

Your Federal Tax Payment ID: 32127292 has been rejected.
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

Please, check the information to get details about your company payment in transaction contacts section:

attach name = report.18653.pdf

In other way forward information to your accountant adviser.
EFTPS:
The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

Attempting to open the attached file will result in a malware loader executing. This is detected by Sophos Anti-Virus as ‘Virus/Spyware Mal/FakeAV-OQ’.

The grammatical errors should give you a clue to the bogus source of this Tax Spam Malware. Do not click on any links in this email or download any attachments. Flag it as spam and press delete!
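The disguised link described above is the part of this message that a filter can test mechanically: an anchor whose visible text shows one domain while its href goes somewhere else. The following is an added example, not code from the original post. The sample message is constructed: the From header and the link text use the genuine eftps.gov domain, while the href goes to a hypothetical attacker host on the reserved .example TLD. The domain comparison is deliberately crude (last two labels) and would need a public-suffix list for real traffic.

```python
"""Spot links whose visible text points at one site while the href goes elsewhere."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; the href host is hypothetical (reserved .example TLD).
SAMPLE_EMAIL = """\
From: EFTPS <no-reply@eftps.gov>
To: victim@example.com
Subject: Your Tax Payment ID 32127292 is failed
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your Federal Tax Payment ID: 32127292 has been rejected.</p>
<p>Please check <a href="http://eftps-gov.example/report/18653">https://www.eftps.gov/eftps/</a>
for details.</p>
<p><a href="https://www.eftps.gov/">EFTPS home</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname if `text` is an http(s) URL or a bare domain, else None."""
    text = text.strip()
    if not text or " " in text:
        return None
    parsed = urlparse(text)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return None                              # mailto:, tel:, javascript: ...
    if not parsed.scheme:
        parsed = urlparse("http://" + text)      # bare "www.eftps.gov" style text
    host = parsed.hostname
    return host if host and "." in host else None


def find_deceptive_links(raw_email):
    """Return (kind, visible_text, href) findings for every text/html part."""
    msg = message_from_string(raw_email)
    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            target = host_of(href)
            if target is None:                   # anchors, relative links, mailto:
                continue
            shown = host_of(text)
            if shown is not None and registered_domain(shown) != registered_domain(target):
                # The classic disguise: the URL the reader sees is not the URL followed.
                findings.append(("display-mismatch", text, href))
            elif registered_domain(target) != sender_domain:
                # Weaker signal: From is forgeable, so this only earns a second look.
                findings.append(("off-sender-domain", text, href))
    return findings


if __name__ == "__main__":
    for kind, text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"{kind}: shows {text!r} but goes to {href!r}")
```

On the sample the first link is reported as a display mismatch and the second, which really does go to eftps.gov, is left alone. A link in the sender's own domain is not evidence of safety either, since the sender address is forged in most of these campaigns; the check is a filter aid, not a verdict.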

Block Spam from WordPress Contact Page

Have you been having trouble with Spam from your Contact Page on your WordPress blog? This is a quick way to Block Spam from a WordPress Contact Page.

Every good website has a Contact page to ensure that users can get answers to their questions, and customers can engage before buying goods and services. The trouble is that every bad robot spider trawling the web knows that too, and targets input forms and contact pages. Pretty soon after putting your Contact Page live you can expect to start receiving emails about Viagra, poorly crafted meaningless comments containing back links, or just random strings of characters. While the delete key handles these things quickly and efficiently, the net effect is to dilute our energy, which should be directed at answering the real questions from our customers. What we need is a better solution.

What Stops The Bots?
To stop the spiders from even submitting the contact form we need to install a WordPress CAPTCHA plugin. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to ensure that the response is not generated by a computer or Bot. It can be as simple as identifying whether a picture of an animal is a cat or a dog, which is easy for a human but a challenge for a Bot. The most common forms use distorted images of letters and numbers, which the human eye can easily distinguish due to the pattern matching capabilities within our brains. Go humans!

How To Block Spam from a WordPress Contact Page
If you are using the Contact Form 7 plugin, there is a Really Simple CAPTCHA plugin which integrates right into Contact Form 7. While not strongly secure, it will at least stop the script kiddies and bots having an open door. To install it carry out the following steps:

  • In the Plugins section of the Dashboard, click on Add New
  • Search for plugins using the term Really Simple CAPTCHA
  • Next to Really Simple CAPTCHA, click on Install Now
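To make concrete what the plugin is doing for you once installed, here is the server side of a CAPTCHA challenge/response, as an added example. This is not the code of Really Simple CAPTCHA or Contact Form 7: the real plugin writes the answer to a file under a random prefix and compares on submit, whereas the stateless design below (an HMAC-signed ticket with a five-minute lifetime and an in-memory replay set) is my own assumption of one way to do it. The important property is the same in both: the answer is only ever rendered into the distorted image, and the client gets a ticket, never the answer.

```python
"""Server side of a CAPTCHA challenge/response as an HMAC-signed, single-use ticket."""
import base64
import binascii
import hashlib
import hmac
import os
import secrets
import time

SECRET = os.urandom(32)          # per-deployment key; load from config in real use
TTL_SECONDS = 300                # assumed lifetime of a challenge
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion in the image
_used = set()                    # redeemed nonces; needs a shared store behind several workers


def _mac(answer, nonce, expires):
    """Bind the (normalised) answer, the nonce and the expiry to the secret."""
    msg = f"{answer.strip().lower()}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def issue_challenge(now=None):
    """Return (answer, ticket): draw `answer` as the image, put `ticket` in a hidden field."""
    now = int(time.time() if now is None else now)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(8)
    expires = now + TTL_SECONDS
    ticket = base64.urlsafe_b64encode(f"{nonce}|{expires}|".encode() + _mac(answer, nonce, expires))
    return answer, ticket.decode()


def verify_response(ticket, response, now=None):
    """True only if `response` is the answer bound into an unexpired, unredeemed ticket."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires, mac = base64.urlsafe_b64decode(ticket.encode()).split(b"|", 2)
        nonce, expires = nonce.decode(), int(expires)
    except (ValueError, binascii.Error, AttributeError):
        return False                 # malformed or tampered ticket
    if now > expires or nonce in _used:
        return False                 # stale, or already redeemed once
    if not hmac.compare_digest(mac, _mac(response, nonce, expires)):
        return False                 # wrong answer; the ticket stays usable for a retry
    _used.add(nonce)                 # redeemed: a bot cannot replay a solved ticket
    return True


if __name__ == "__main__":
    answer, ticket = issue_challenge()
    print("render this in the image:", answer)
    print("first submit:", verify_response(ticket, answer))
    print("replayed submit:", verify_response(ticket, answer))
```

The replay check matters more than it looks: a spammer who pays a human to solve one image once, or who scrapes a solved ticket from a browser, must not be able to reuse it for a thousand submissions. Any CAPTCHA plugin that keeps the answer server-side and deletes it after the first check gives you the same guarantee.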

What Else Can Block Spam
If the Really Simple CAPTCHA plugin does not meet the requirements, there are a number of other measures we can use to block Spam from WordPress contact pages, including:

  • Secure CAPTCHA, which uses hard to break and easy to read secure CAPTCHA images from SecureCAPTCHA.net.
  • Contact Form by ContactMe.com, which is a fully customizable contact form which automatically adds your contacts to a free online contacts database.
  • Fast Secure Contact Form which supports sending mail to multiple departments, and redirects to any URL after the message is sent.

Hopefully using one of these methods we can see the back of spam contacts from the contact page, and get back to the business of responding to our customers and genuine visitors.

Finally, some useful Resources to help block Spam from a WordPress Contact Page

ACH Spam With Malware Attachment

The spam filters have been busy over the last couple of days, with a number of emails with the title ACH NOTIFICATION or ACH Payment [Number] Rejected. In each case the email contains an attachment purporting to be a self-extracting PDF file.

Of course, on closer examination the supposed self-extracting PDF file is a malware downloader, no doubt ready and waiting to connect you to one or more botnets. This is a common scenario: a spammed-out trojan downloader triggers the execution of multiple pieces of malware on the unwitting user’s computer. In this case, Sophos anti-virus detects the file and identifies it as Mal/BredoZp-B. For a detailed analysis of the activities of the spam payload, see the article on the ACH spam campaign by M86 Security Labs via the link below.

Automated Clearing House (ACH) is an electronic network for financial transactions in the United States. As usual with this type of spam and associated malware, ACH has no connection with the email, and the sender address (ach.01 at nacha.org in our case) is forged, so there is little point in blocking it.

Once again our advice is that you should not open any unexpected emails or unsolicited attachments, since in this case the attachment will attempt to infect your Windows computer. Just press delete and double check that your anti-virus software is up to date.

Resources relating to ACH Spam With Malware Attachment:

Uniform Traffic Ticket Malware Spam

If you live anywhere except the City of New York you may have been surprised to receive an email recently which claims to come from the New York State Department of Motor Vehicles. Even if you aren’t based in the United States, or don’t even drive a car, you may well see the message, which poses as a “Uniform Traffic Ticket” and says that you are charged with speeding at 7:25 AM on the 5th July 2011.

People may be tempted to open the attachment out of curiosity, or even alarm if they have been driving in New York City, but do not, or you may end up with a computer infected with malware.

The message is certainly not from the New York State Police, and the attachment does not contain a speeding ticket. In fact, the attachment contains a trojan that, if opened, can install itself on the user’s computer. Typically, such trojans are able to contact a remote server and download further malware that can steal information from the infected computer and allow criminals to control it from afar.

The email sender address has been reported as automailer.nnn, no-reply.nnn and info.nnn, all purportedly at nyc.gov. It goes without saying that the New York State Police and the New York State Department of Motor Vehicles have nothing to do with this email, and it should be treated like any other virus or spyware. The New York State Police Computer Crime Unit has issued a Hoax E-mail Alert dealing with the Uniform Traffic Ticket Malware Spam.

The attached file, which is called something like Ticket-O64-211.zip, Ticket-728-2011.zip, or just Ticket.zip, is designed to download further malicious code onto your computer and compromise your security. Sophos anti-virus products detect the malware payload as Mal/ChepVil-A, while the CyberCrime & Doing Time blog reports that the malware connects to a Russian domain and downloads files called “/ftp/g.php” and “pusk3.exe”.
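Both this post and the ACH post above turn on the same trick: an attachment whose name promises a document but whose bytes are a program, either an executable renamed to .pdf or a ZIP with an .exe inside. The check below is an added example, not code from either post and not what Sophos does. The three attachments are constructed in memory: a file with a real PDF header, a Windows executable renamed to .pdf (the "self extracting PDF" of the ACH post), and a Ticket-*.zip that holds an .exe (the traffic-ticket lure). The signature table is limited to the formats these posts mention.

```python
"""Check whether an email attachment is what its filename claims."""
import io
import zipfile

# Leading bytes of the formats the posts talk about.
MAGIC = {
    "pdf": b"%PDF-",        # PDF header
    "exe": b"MZ",           # DOS/PE executable header
    "zip": b"PK\x03\x04",   # ZIP local file header (also docx, jar, ...)
}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_ZIPS = ("zip", "docx", "xlsx", "pptx", "odt")   # ZIP containers that are expected


def sniff(data):
    """Format implied by the first bytes, or 'unknown'."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return "unknown"


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess_attachment(name, data):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'malicious-looking'."""
    ext, actual = extension(name), sniff(data)
    if ext in EXECUTABLE_EXTS:                      # also catches report.pdf.exe
        return "malicious-looking", f"executable attachment .{ext}"
    if actual == "exe":
        return "malicious-looking", f"claims .{ext} but content is a Windows executable"
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "suspicious", "ZIP header but archive does not parse"
        bad = [m for m in members if extension(m) in EXECUTABLE_EXTS]
        if bad:
            return "malicious-looking", "archive contains executable(s): " + ", ".join(bad)
        if ext not in DOCUMENT_ZIPS:
            return "suspicious", f"claims .{ext} but content is a ZIP archive"
        return "ok", "archive without executable members"
    if ext == "pdf" and actual != "pdf":
        return "suspicious", "claims .pdf but content has no PDF header"
    return "ok", "no mismatch detected"


def _zip_with(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples; only the leading bytes and member names matter to the check.
SAMPLES = {
    "genuine.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "report.18653.pdf": b"MZ\x90\x00" + b"\x00" * 60,              # PE file renamed .pdf
    "Ticket-728-2011.zip": _zip_with({"Ticket.exe": b"MZ\x90\x00"}),
    "invoice.zip": _zip_with({"invoice.txt": b"nothing to see"}),
}


def assess_all(samples=SAMPLES):
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in assess_all().items():
        print(f"{name:22} {verdict:18} {reason}")
```

This only looks at what the attachment is, not what it does; a ZIP whose member is a .pdf that exploits the reader, or an Office document carrying a macro, passes as "ok". It is the cheap first gate that catches the two lures described here before anyone double-clicks.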

The Uniform Traffic Ticket Malware Spam email is probably the work of a Botnet, which is a group of computers infected with malicious software and controlled as a group without the owners’ knowledge. The network of private computers, sometimes known as zombies or robots, run autonomously and automatically to send out spam emails to encourage users to open virus or Trojan infected attachments. This means that it is pointless blocking the sender, as the sender address is forged, and unrelated to the actual computer used to send the email.

We recommend that you delete the e-mail and not forward it to anyone else. Make sure that you have active anti-virus software, and have your firewall switched on. Of course you should only open e-mails from familiar and trusted sources; if you really have been speeding in New York City, the New York State Department of Motor Vehicles will certainly find a way to let you know!

For further information on this subject:

Dealing with Comment Spammers in WordPress

If you’ve been on the internet for any amount of time you’re probably familiar with “spam” in your email inbox. For the uninitiated, spam is an unsolicited commercial message trying to sell you something. Some of this is generated by botnets, groups of hijacked PCs which are working secretly for a botnet controller, sending unsolicited mail using the mailbox of unsuspecting PC owners, or probing websites for security vulnerabilities. Other spam is posted by people who have nothing better to do.

So what does this have to do with WordPress blogs? Well just like you can get spam messages in your inbox, people will leave spam comments on your blog. Unlike email spam, where the target is you, in an attempt to get you to buy something, comment spam generally targets search engines like Google or Yahoo! trying to increase the PageRank of a website.

You are probably aware that Larry Page and Sergey Brin of Google pioneered a search technique called PageRank. Basically what it does is, in addition to looking at the content of a page they index, they also look at who links to a page and what that link says. This technology is what made Google very good at returning relevant results, and made it the most popular search engine today. So why on earth would a spammer target a search engine through your WordPress blog? Simples! As Aleksandr Orlov the meerkat would say!

By posting a comment on your blog with a back-link to the site they are promoting, they hope to cash in on the PageRank of your site and so increase the ranking of the target site. With hundreds of bots in a botnet, all probing for open comments on WordPress blogs, they could theoretically get to the top of Google search listings for a targeted key phrase. What is possibly more annoying for the webmaster of a spammed blog is that linking to a site which Google identifies as a problem site could damage the PageRank of the blog which has been spammed. This comment spam, or link spam as it is known, can be the bane of a popular WordPress blog.

So how do you avoid getting spammed by the comment spammers? Try the following simple tips:

  • Activate the Akismet WordPress plugin
  • Install a CAPTCHA (Completely Automated Public Turing-test to tell Computers and Humans Apart) on your comment form
  • Set Discussion Settings to An administrator must always approve the comment

If you are up to editing your web server configuration files, you can also block the IP addresses of frequent spammers if you find that a few IPs are constantly sending comment spam. The easiest way to get rid of these spammers is to block their IP addresses using the .htaccess method, by adding the following to your .htaccess file. Note that this is the Apache 2.2 Order/Deny/Allow syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise use the equivalent Require all granted and Require not ip directives. Note also that the <Limit GET POST> wrapper restricts the block to those two methods, so a client is still free to send HEAD, OPTIONS or anything else; leave the <Limit> lines out for a full ban:

<Limit GET POST>
# Allow directives are evaluated first, then Deny; anything matching a Deny is refused.
Order Allow,Deny
Deny from xx.xxx.xxx.001
Deny from xx.xxx.xxx.002
Deny from xx.xxx.xxx.009
Allow from all
</Limit>

You can list as many addresses as you like, putting each one on a new line as above. Bear in mind that botnet spam arrives from many machines with changing addresses, so an IP block list only helps against the handful of persistent sources, not the botnet itself.
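Picking the addresses by hand from a busy access log is tedious, so here is a small script, as an added example that is not part of the original post, that tallies POSTs to the WordPress comment endpoint per client and renders the deny block in the form shown above. The access-log lines are constructed (documentation-range addresses only); the endpoint path, the threshold of three POSTs and the choice of the Apache 2.2 Order/Deny/Allow output are my assumptions.

```python
"""Find the IPs hammering the WordPress comment endpoint and render the .htaccess deny list."""
import ipaddress
import re
from collections import Counter

# Constructed Apache "combined" log lines (client, ident, user, [time], request, status, ...).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2011:08:01:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2011:08:01:13 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2011:08:01:14 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Jul/2011:08:02:00 +0000] "GET /2011/07/some-post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jul/2011:08:03:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2011/07/some-post/" "Mozilla/5.0"
192.0.2.99 - - [10/Jul/2011:08:04:01 +0000] "POST /wp-comments-post.php?x=1 HTTP/1.1" 302 0 "-" "-"
192.0.2.99 - - [10/Jul/2011:08:04:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
192.0.2.99 - - [10/Jul/2011:08:04:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
192.0.2.99 - - [10/Jul/2011:08:04:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
this line is garbage and must be skipped
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def count_comment_posts(log_text, path="/wp-comments-post.php"):
    """POSTs to the comment endpoint per client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, req_path, _status = m.groups()
        if method != "POST" or req_path.split("?", 1)[0] != path:
            continue
        try:
            counts[str(ipaddress.ip_address(client))] += 1   # validates and normalises
        except ValueError:
            continue                                          # hostname or junk in the field
    return counts


def offenders(counts, threshold=3):
    """Clients at or above the threshold, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def htaccess_block(ips, limit_methods=None):
    """Render the Apache 2.2 Order/Deny/Allow block.

    Apache 2.4 needs mod_access_compat for this syntax, or the equivalent
    Require all granted / Require not ip directives. A <Limit> wrapper confines
    the block to the listed methods, so leave limit_methods as None for a full ban.
    """
    lines = ["Order Allow,Deny"]
    lines += [f"Deny from {ip}" for ip in ips]
    lines.append("Allow from all")
    if limit_methods:
        lines = [f"<Limit {' '.join(limit_methods)}>"] + lines + ["</Limit>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_block(offenders(count_comment_posts(SAMPLE_LOG))), end="")
```

On the sample log the two bursty clients are listed and the visitor who read a post and then commented once is not, which is the distinction a threshold on the comment endpoint alone gives you; a real run should look at a longer window and at what the comments contained before blocking anyone.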

By the way Spammers, posting spam to comments on this site will get you an entry on the Google spam report at https://www.google.com/webmasters/tools/spamreport, as we use Google Webmaster Tools. As we moderate every comment before it is posted on the site, link-spam will never see the light of day, so you are just wasting your life.

For legitimate ways to increase the PageRank of your homepage, see our earlier post on the subject entitled Improving Your Search Engine Results.

If you are interested in even more imaginative ways to fight link spam, check out Conversation With An Idiot Link Broker, from Danny Sullivan at Search Engine Land! Click here to read Conversation With An Idiot Link Broker