Canada Revenue warning scam uses .MSG attachment

Everyone loves to hate the Canada Revenue Agency. Unfortunately, criminals apparently love the tax man — they keep finding ways of leveraging Canadians’ fear of the agency to lure them into malware.

Often its fraudulent phone calls in the spring claiming to be from the agency. But recently an email campaign was detected by Trustwave, which in a blog Wednesday described how someone is using a .MSG email attachment, the format of Microsoft Outlook and Exchange message files, as the vehicle for malware. Some of this mail will likely fall into the mailboxes of enterprises.

The subject line will be “Canada Revenue Agency — Notification.” The sender appears to be legit as “Canada Revenue Agency Online Mail.”

The first clue this is phoney is it’s email. Governments do NOTHING unsolicited by email — they love paper because it can be traced.

The second clue is body of the text: It’s addressed to “Dear Taxpayer.”

Lesson: Do not click on the attachment, which purports to be a case file.

What’s more interesting to our readers is the analysis of the malware by Trustwave. Opening the attachment researchers found a number of files and four folders. Two of the folders have images of spoofed PDF files with spoofed file names, while the third folder has a compressed file with another OLE file. Inside that file is another compressed file with JavaScript. When it runs it downloads a malicious executable from a command server, a Trojan which injects its code into an available Windows Explorer browser, and then downloads the Zbot banking Trojan, which can intercept network traffic and steal system information, online banking credentials and passwords.

“We don’t often see malicious files embedded in .MSG file attachments,” notes Trustwave. “It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect.”

The lesson for infosec teams with organizations that use Outlook is to pass the word that employees should be wary of opening .MSG files. By default, Outlook will prompt users with a warning that some objects in the message may have a virus.

Trustwave calls this hunt for the malware package going down the rabbit hole. For young threat researchers it’s a lesson on how to do it.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now