Jim Lanton rides a Trojan horse

A recent malware spam takes a new approach to hijacking your computer.

From: Internal Revenue Service [mailto:jim.lanton@irs.com]
Sent: Thursday, July 03, 2008 10:25 AM
To: User@CompanyName.com
Subject: Re: Company report for CompanyName

To : Firstname Lastname

The report is attached.

You need to complete the fields about CompanyName income.

Jim Lanton
IRS Fraud Department

© 2008 Internal Revenue Service All Rights Reserved.

An attachment named “notice_248-849.doc” contained an embedded object called “notce.pdf”, which was identified as a Trojan downloader by several scanners, including:

  • AntiVir (7.8.0.64, 2008.07.03): TR/Crypt.XDR.Gen
  • F-Prot (4.4.4.56, 2008.07.03): W32/Heuristic-217!Eldorado
  • Microsoft (1.3704, 2008.07.03): TrojanDownloader:Win32/Small.gen!N
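The three indicators in this spam (a display name that does not match the sender's domain, a “Re:” subject with no thread behind it, and a legacy .doc carrying an embedded object) can all be checked before anything is detonated. The following Python is an added example, not code from the original post. It reconstructs the spam's headers from the text above (a constructed sample, not a real capture), and stands in for the attachment with a harmless byte string built from the OLE2 signature plus the UTF-16LE strings “ObjectPool” and “notce.pdf”; the mapping of impersonated organisation to legitimate domain (the IRS mails from irs.gov, not irs.com) is a one-entry table the reader would extend.

```python
"""Triage checks for a spam like the one above: header spoofing, the fake
"Re:" thread, and a .doc carrying an embedded object.

Added example (not from the original post). The message is a constructed
reconstruction of the headers shown on the page; the attachment is a
harmless stand-in built from an OLE signature and two UTF-16LE strings,
not the real notice_248-849.doc.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Signature of an OLE2 / Compound File, the container format of legacy .doc.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Word keeps embedded OLE objects in a storage named "ObjectPool"; OLE
# directory entry names are stored UTF-16LE, so look for that encoding.
OBJECTPOOL_UTF16 = "ObjectPool".encode("utf-16-le")
# Organisations impersonated in the display name and the domains they really
# mail from (example table; the IRS uses irs.gov, not irs.com).
CLAIMED_ORG_DOMAINS = {"internal revenue service": {"irs.gov"}}
# Cheap hint for names of embedded files: printable UTF-16LE runs ending in a
# document or executable extension. Not a parser; confirm with an OLE tool.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,120}")
FILE_EXT = re.compile(r"[\w\-. ]+\.(?:pdf|doc|xls|exe|scr|com|bat|js|vbs)$", re.I)


def build_sample_message() -> EmailMessage:
    """Constructed sample mirroring the spam's headers (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Internal Revenue Service <jim.lanton@irs.com>"
    msg["To"] = "User@CompanyName.com"
    msg["Subject"] = "Re: Company report for CompanyName"
    msg.set_content("To : Firstname Lastname\n\nThe report is attached.\n")
    # Stand-in attachment: OLE header, a zeroed gap, the ObjectPool directory
    # name and an embedded file name. It contains no executable content.
    fake_doc = (OLE_MAGIC + b"\x00" * 504 + OBJECTPOOL_UTF16
                + b"\x00" * 64 + "notce.pdf".encode("utf-16-le"))
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="notice_248-849.doc")
    return msg


def embedded_names(payload: bytes) -> list:
    """Return UTF-16LE strings in payload that look like file names."""
    names = []
    for m in UTF16_RUN.finditer(payload):
        text = m.group().decode("utf-16-le")
        if FILE_EXT.fullmatch(text):
            names.append(text)
    return names


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims an organisation whose real domain does not match.
    spoofed = any(org in display.lower() and domain not in legit
                  for org, legit in CLAIMED_ORG_DOMAINS.items())
    # "Re:" with no In-Reply-To/References is a reply to a thread that never existed.
    subject = str(msg["Subject"] or "")
    fake_reply = subject.lower().startswith("re:") and not (
        msg["In-Reply-To"] or msg["References"])
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),  # for scanner lookup
            "is_ole": data.startswith(OLE_MAGIC),
            "has_objectpool": OBJECTPOOL_UTF16 in data,
            "embedded_names": embedded_names(data),
        })
    return {"sender_domain": domain, "spoofed_org": spoofed,
            "fake_reply": fake_reply, "attachments": attachments}


if __name__ == "__main__":
    result = triage(build_sample_message().as_bytes())
    for key, value in result.items():
        print(f"{key}: {value}")
```

The ObjectPool and UTF-16LE string checks are a quick gateway-side hint only; for an actual sample, extract and inspect the embedded object with a proper OLE parser such as the oleobj tool from oletools, and submit the SHA-256 to the scanners rather than opening the document.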

There have been phishing spams before that masquerade as emails from the IRS in the USA or from the UK Inland Revenue, but this one strikes a raw nerve for its attention to detail.

The email was sent to a friend of mine and addressed him by his full name, not the short form that virtually everyone around him commonly uses, even in business. The name of the company and his email address were capitalized exactly as he normally writes them. That is, the company name had a capital letter at the beginning of both of the two words it is composed of. The email address was not all lower case: both his initials were capitalized on the left-hand side of the ‘@’ in the email address, and the domain name was capitalized like the company name.

While it’s possible the malware took the name from an address book on an infected machine, I think it’s somewhat unlikely, as I don’t have a single copy of an email from my friend’s address in which he writes his name in the full form used here. Another possibility is that the malware author purchased a commercial address list of businesses. That would be very unusual, though not unheard of.

Specifically targeting companies and their executives could net the scammers high-yield targets, as they are likely to have sensitive information stored on their computers, which Trojan horse software would open up to these criminals.

P.S.: My apologies to Jim Lanton at the IRS. If he really exists, he has nothing to do with this scam. I am just mentioning him in the headline because people might search Google for the name and I want them to find out that what they received was a malware spam.