The Department of Homeland Security said there is a large-scale spam campaign underway in which attackers are using fairly well-crafted emails that appear to come from the IRS to infect victims with the Zeus bot.
The attack has been ongoing for a couple of weeks now, and researchers say that although the attackers have taken some precautions to prevent analysis of the sites and malware being used, they also made some key mistakes.
The Zeus-laden fake IRS emails are convincing enough to have snared more than a few victims. The subject line typically says something like, "Federal Tax payment rejected" or "Your IRS payment rejected", and the sender's address is spoofed to include the irs.gov domain.
The bodies of the emails often contain a couple of spelling and grammatical errors and include a link to a PDF file. That file directs the victim to a download that will drop the Zeus binary on his machine. From there, it's game over for the user.
Zeus is proving to be one of the more venerable and flexible crimeware kits in recent years.
It's been used in dozens and dozens of attacks and has infected millions of machines over that time.
The source code for one version of Zeus was leaked recently, leading researchers to predict that more attacks involving the kit would be in the offing as more attackers get access to a tool that was previously out of their reach.