The official tax site for Oklahoma is offering more than just tax help, AVG’s Roger Thompson says. The portal for the Oklahoma Tax Commission has been hijacked, and as of 10:00 a.m. this morning is still serving malicious PDF files to anyone simply visiting the main page.
Oklahoma tax domain offering tax help and malware.
Thompson, following up on reports from AVG customers, discovered that the main page for the Oklahoma Tax Commission has been compromised. Thanks to malicious JavaScript, the site is serving malicious PDF files to anyone who happens across it.
The site displays a license agreement that users are told they must accept. By all appearances, the license agreement looks legit. But once the accept button is pressed, a malicious PDF file is downloaded and executed.
The files are being served from estguard.com in the Netherlands. The Tech Herald examined the server and discovered several directories in use, each one full of malware. Presently, detection for the malicious PDF files is low, but we expect that to change soon.
To give an idea of how vendors are seeing the PDF files, we have two examples below.
Malware from the Oklahoma tax portal
Malware from another directory on estguard.com
Based on the VirusTotal scanning, AVG isn’t listed as offering coverage, but considering that they discovered the attack, it could be that VirusTotal is behind on signature updates. Likewise, Symantec isn’t listed as offering detection, but both samples were flagged on a test system running Norton Internet Security 2010.
Government offices in Oklahoma are in some cases closed, and otherwise running on a skeleton crew, due to weather conditions. We’ve contacted the Tax Commission and alerted them to the problems on their site, but for now it should be avoided.