Today we noticed some unusual looking messages claiming to be from the Electronic Federal Tax Payment System (EFTPS). Spam with a tax theme always piques our curiosity, so we took a closer look.
All the URL links follow the format www.eftpsgovID[xxxxx].com/contacts where x is a series of digits. Clicking on the link instructs the browser to download the contacts page, which includes some dense obfuscated JavaScript:
De-obfuscating the script reveals code that attempts to exploit a known Java vulnerability (Java WebStart Arbitrary Command Line Injection).
Following the exploit attempt, the browser is redirected to the real EFTPS site to add a touch of realism:
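The lure URL pattern and the follow-up redirect described above give a defender two log-side indicators. The following is an added example, not part of the original post: it scans constructed proxy log lines for hosts matching www.eftpsgovID[digits].com with the /contacts path, and notes whether the same client hit the legitimate site shortly afterwards (the post only says "the real EFTPS site"; eftps.gov is assumed here).

```python
import re
from collections import defaultdict

# Lookalike host pattern from the post: www.eftpsgovID<digits>.com, path /contacts
LOOKALIKE_HOST = re.compile(r"^(?:www\.)?eftpsgovid\d+\.com$", re.IGNORECASE)
LURE_PATH = "/contacts"
# Assumption: the legitimate site the browser is redirected to is eftps.gov
LEGIT_HOST = "eftps.gov"

# Constructed sample proxy log: "<epoch> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1300000001 10.1.2.3 GET http://www.eftpsgovID48213.com/contacts
1300000003 10.1.2.3 GET https://www.eftps.gov/eftps/
1300000010 10.1.2.9 GET http://www.example.com/index.html
1300000012 10.1.2.9 GET https://www.eftps.gov/eftps/
1300000020 10.1.2.7 GET http://eftpsgovid00001.com/contacts
"""

def parse_line(line):
    """Split one log line into (timestamp, client, host, path); host is lowercased."""
    ts, client, _method, url = line.split(maxsplit=3)
    m = re.match(r"https?://([^/]+)(/.*)?", url)
    return int(ts), client, m.group(1).lower(), (m.group(2) or "/")

def is_lookalike(host, path):
    """True when the request matches the EFTPS lookalike host and lure path."""
    return bool(LOOKALIKE_HOST.match(host)) and path.startswith(LURE_PATH)

def find_lure_hits(log_text, window=30):
    """Return (client, ts, host, redirected_to_legit) for every lookalike request.

    redirected_to_legit is True when the same client reached LEGIT_HOST within
    `window` seconds after the lure, the realism redirect the post describes.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev[1]].append(ev)
    hits = []
    for client, events in by_client.items():
        for ts, _c, host, path in events:
            if not is_lookalike(host, path):
                continue
            redirected = any(
                (h == LEGIT_HOST or h.endswith("." + LEGIT_HOST))
                for t2, _c2, h, _p in events if ts < t2 <= ts + window
            )
            hits.append((client, ts, host, redirected))
    return hits
```

A lookalike hit followed by the legitimate site from the same client is the sequence worth alerting on, since a user who only browsed eftps.gov directly never touches the lookalike host.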
This particular attack wasn’t successful on our test system, so we were unable to discern what the ultimate payload of the attack was. However, the attack is a prime illustration of cybercriminals’ willingness to target Java, a trend we noted in our last Security Labs Report. Like Flash, Java is ubiquitous, most people have it installed, yet many are unaware that it is there, let alone up to date.