There has been an outburst of malicious emails claiming to be from the Income Tax Department of India in the wild. In conversation with Satnam Narang, Senior Security Response Manager, Symantec, Krishna Bahirwani discusses the emails that mimic tax receipts and contain malicious attachments.
What makes the attacks from these income tax phishing emails different from the others, besides the opportunity that they have exploited?
The cybercriminal has copied the template from a real intimation email sent by the Income Tax Department. None of these emails (sent by scammers) ever ask you for any personal information. They are just simply saying either we took money out of our bank account, for e.g. Rs.90000 or here is your income tax return for the fiscal year, and here is an attachment with the Challan. So both the emails contained the attachments which contained malicious files in them. If you run them, they are key loggers and they sent all that information back to the attackers. So it is not actually requesting any information from you, which I guess is not something that the Indian tax payers know in general.
Is there anything unique about it how they spoofed the addresses because sometimes if you open such emails via Gmail or via a client that has some sort of security built-in, it will tell you that this email is unsafe
Yeah, well I mean well-informed users can tell for sure that it is fake depending on the headers, but to the average user, they are not going to check the headers. They will see it says an email id such as admin@cpc.gov.in and they will believe it is coming from the Income Tax Department. So while the emails we have looked at are being sent to enterprises, it is possible that the consumers using Gmail may be flagged that it is potentially a fraudulent email. Certain email providers may actually flag them based on the headers.
Are enterprise email clients a lot weaker than commercial clients like Gmail, in terms of spam detection of fraudulent senders?
Well, it is hard to say. I mean you know my experience is just Symantec, so we do detect them and that is how we are able to come up with this research, but I mean clearly there are some indicators that this is fraudulent. Certain email clients can be set to restrict attachments like when you say, I don’t want a zip file attachment, you can set those parameters. So really ultimately depends on whoever is administrating that the actual software on the gateway level.
How does India rank in terms of being targeted for this particular income tax related fraud email?
Our telemetry shows that 43 percent of these malicious scam emails were delivered to users in India. It also happens that there are other regions also seeing these emails, so you have the US at about 20%, the UK at about 14%. It makes sense to me with the receiving them outside of India too because of Indian nationals working in another country. However, tax-related criminal activity happens across the globe. UK, Australia, the US we see it everywhere. It was interesting to me because I have never seen anything like this particularly targeting Indians before.
Were you able to tell which country these emails were emerging from?
So I haven’t actually dug into that personally, but some of the malware distributed in this email scam were coded in Visual Basic. Based on our analysis, we believe the malware contains source code copied from other software, as there is a mixture of source code functions in both Hindi and Spanish languages. So clearly the person behind it is not the most sophisticated. They are just piecemealing it together, but regardless of how sophisticated it is, the way that the emails are designed, you know if I send you an email it says Rs.90,000 were deducted from your bank account, clearly you are going to be shocked, surprised and the curiosity might get the best of you and you will actually open that email and then the attachment.
How sophisticated is the keylogger?
It is not. Like I said, it is borrowed code from other pieces of software, and is very crude but at the same time really does not matter how sophisticated it is as long it does the job, which is to siphon off the keyboard strokes and send it back to the attacker.
A lot of clients will download the attachment and then scan it before running it. So would it come up in such a scan? Is that definition been added recently or would it have picked it up anyway?
Well, we have different methods of detecting it and obviously, if it is detected by our antivirus signatures, it will be flagged or if we have some rules in place for the actual mail client, it will detect it there too. So we are definitely catching these and that is why we are able to put out the research that we did.
Would you have caught it even prior to this research or are you not sure about that?
I am not 100% sure, but the ones that I looked at based on my research, yes.
Does it have any stealth features added to it?
I mean obviously, it runs in the background. It is not something that pops and says hey I am a key logger!
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
 "Satnam Narang")
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
)
){kind=small}
){kind=small}
)
)
)
)
)
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}