Clickjacking the IRS
If you enter the search term “IRS” on yahoo.com, the first result, unsurprisingly, is the homepage of the Internal Revenue Service. And you would click on that first result to be brought to the homepage.
I didn’t write the immediately preceding sentence to insult your intelligence. I wrote it because some users, in fact, have not been brought to the IRS homepage, but to somewhere else.
Wired is reporting that a sixty-two-page indictment unsealed today in New York charges seven men with operating a “clickjacking” scheme. The indictment states the men infected computers in over 100 countries with malware known as DNSChanger. DNSChanger altered the DNS settings on a user’s system so that the system’s browser sent its lookups to a DNS server controlled by the defendants. That DNS server then directed the browser to a different web site from the one the user had asked for.
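Because the redirection depends on a changed DNS setting, it can be spotted by auditing which resolvers a machine is actually configured to use. The following is an added example, not part of the original post: it classifies the `nameserver` entries of a Unix-style resolv.conf against the resolvers a network is supposed to hand out. The approved network, the sample file content and the function names are constructed assumptions.

```python
import ipaddress

# Assumption: the resolver range this site operates (constructed, RFC 5737 documentation range).
APPROVED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample of resolv.conf content on a host whose DNS settings were altered.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.10
nameserver 203.0.113.77   # not a resolver this site operates
nameserver 127.0.0.53
nameserver fe80::1%eth0
nameserver not-an-ip
"""

def parse_nameservers(text):
    """Return (address, raw) pairs per nameserver line; address is None if unparsable."""
    found = []
    for line in text.splitlines():
        # Strip '#' and ';' comments, then split into whitespace-separated fields.
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        raw = fields[1]
        try:
            addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            addr = None
        found.append((addr, raw))
    return found

def audit_resolvers(text, approved=APPROVED_RESOLVERS):
    """Classify each configured resolver as approved, local-stub, unexpected or invalid."""
    report = {"approved": [], "local-stub": [], "unexpected": [], "invalid": []}
    for addr, raw in parse_nameservers(text):
        if addr is None:
            report["invalid"].append(raw)
        elif addr.is_loopback:
            # A loopback entry is a local forwarder; its upstream must be audited too.
            report["local-stub"].append(raw)
        elif any(addr in net for net in approved):
            report["approved"].append(raw)
        else:
            report["unexpected"].append(raw)
    return report

if __name__ == "__main__":
    for verdict, servers in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{verdict:11} {', '.join(servers) or '-'}")
```

An `unexpected` entry is a lead, not proof of infection: the same result appears when a user has deliberately chosen a public resolver.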
Why infect systems to redirect? For money, of course. Allegedly, the men set up advertising businesses which would receive a commission each time a user visited certain web sites. For example, users of infected systems that clicked on the link to the Internal Revenue Service web site were actually brought to a site for H&R Block. Each time a user visited the H&R Block site, the men were paid. The indictment alleges the men generated $14 million through the scheme.
Trend Micro’s Malware Blog claims we’re witnessing the “biggest cybercriminal takedown in history.” Apparently, over 500,000 machines in the United States were infected, at least 100 of which belong to the National Aeronautics and Space Administration (NASA).
The men face 27 charges, including wire fraud and other computer-related crimes. Six of the seven men have been taken into custody.
In a similar vein, taxgirl tells us about an apparently new IRS e-mail phishing scam. Remember, the IRS *never* asks for taxpayer identification information via e-mail. If you receive such an e-mail, forward it to email@example.com and then immediately delete it.