Soon to come: IRS Spam - SANS Internet Storm Center


Our friends at iDefense/Verisign shared a template with us for a new IRS phishing e-mail, which they expect to be mailed out soon (today). The template looks like it will be sent as a multipart MIME-encoded e-mail with a plain-text part and an HTML part.

The '%' keywords in the template will be replaced with customized content. Expect a URL like this to be used:

Note that the directory starts with a '.' in order to hide it on compromised Unix systems. Another common directory name is '.bbb'. File names to expect are b.php, update.exe


Here is the top part of the template:

From=IRS e-file <>
Reply-To=IRS e-file <>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!

Binary Attachments


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:
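
One way to check mail for the indicators described above (the subject line, a path segment starting with '.', and the file names b.php and update.exe), as an added Python example that is not part of the original diary. The sender address, host name and company name in the sample message are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators from the diary text; every other value below is constructed.
SUBJECT_RE = re.compile(r"Known e-file Issues and Solutions \(2007 tax year\)", re.I)
SUSPECT_FILES = {"b.php", "update.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def url_findings(url):
    """Return the reasons a URL matches the pattern described in the diary."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    reasons = []
    # Path segments starting with '.' are hidden from a plain `ls` on Unix.
    if any(s.startswith(".") and s not in (".", "..") for s in segments):
        reasons.append("hidden-path-segment")
    if segments and segments[-1].lower() in SUSPECT_FILES:
        reasons.append("suspect-filename")
    return reasons

def scan_message(raw):
    """Parse a raw message; report the subject match and flagged URLs."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {"subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))), "urls": {}}
    for part in msg.walk():  # covers both the text/plain and text/html parts
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,)")  # drop trailing sentence punctuation
                if url_findings(url):
                    hits["urls"][url] = url_findings(url)
    return hits

# Constructed sample: sender, host and boundary are placeholders.
SAMPLE = """\
From: IRS e-file <sender@example.invalid>
Subject: Known e-file Issues and Solutions (2007 tax year), for Example Corp!
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please download the correct PDF form here: http://host.example/.bbb/b.php
--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://host.example/.bbb/update.exe">PDF form</a>
--b1--
"""
print(scan_message(SAMPLE))
```
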






ISC Handler
Oct 30th 2007
