Contributor: Jeet Morparia
During the last three months, Symantec has observed malicious emails claiming to be from the Income Tax Department of India. There have been at least two types of emails in circulation. While each email differs in its template, the goal is the same: to infect computers with an information-stealing Trojan that logs keystrokes. The Trojan also collects system information such as titles of open windows and the operating system version, which are sent back to the attacker’s command and control (C&C) server.
Two types of fraudulent emails
Symantec Security Response has observed two types of emails masquerading as the Indian Income Tax Department. The most popular type announces that thousands of rupees have been deducted from the recipient’s bank account as a tax payment. The emails also contain an attached file that claims to be a receipt for the payment. The alleged receipts are .zip files that contain information-stealing malware that Symantec detects as Infostealer.Donx.
Figure 1. First type of fraudulent email claims a tax payment has been deducted from the user’s bank account
Figure 2. First type of email also contains an attached file claiming to be a payment receipt
The other type of email we have observed is more detailed than the first. This is because it copies the template of an actual intimation sent by the Income Tax Department. It makes reference to the PAN, or Personal Account Number, which is used to identify taxpayers in India. The attached .zip file is not password-protected. Contrary to what the email claims, the .zip file does not contain a .pdf. Instead, it contains another information-stealing Trojan that Symantec detects as Trojan.Gen.
Figure 3. Second type of fraudulent email uses a template that mimics an email from the Income Tax Department of India
Spoofed domains in all emails
In an effort to make the emails look more convincing, the attackers have spoofed the domain for email addresses belonging to the Income Tax Department of India. Some examples of the email addresses we have seen include:
Our telemetry shows that 43 percent of these malicious scam emails were delivered to users in India, followed by the United States (20 percent), and the United Kingdom (14 percent). We believe that the emails received outside of India are likely linked to the fact that many Indian nationals also reside in other countries.
Figure 4. Majority of emails sent to users in India
Mash-up of source code
Some of the malware distributed in this email scam was coded in Visual Basic. Based on our analysis, we believe the malware contains source code copied from other software, as there is a mixture of source code functions in both Hindi and Spanish languages.
Figure 5. Function names in Hindi and Spanish
How to stay safe
In India, the Income Tax Department does send intimation emails to taxpayers. While these emails include attachments, they are password-protected using the taxpayer's PAN as well as the date of birth for individuals or date of incorporation for non-individuals. This information is unique to each individual or corporation and adds credibility that the source of the email is the Income Tax Department.
Figure 6. Example of a real intimation from the Income Tax Department
Symantec advises caution when receiving unsolicited emails claiming to be from the Income Tax Department of India, or any other tax office for that matter.
If you do receive one of the fraudulent email messages described in this blog, forward the email to email@example.com and firstname.lastname@example.org and delete the message.
Also, follow these best practices:
- Do not open attachments or click on links in suspicious email messages
- Ensure that your computer is fully patched and up to date
- Keep security software up to date with the latest definitions
Symantec's Email Security products block emails associated with this campaign. Norton Security, Symantec Endpoint Protection, and other Symantec security products detect the malicious files used in this campaign as Infostealer.Donx and Trojan.Gen.