The phishing messages pretend to originate from the National Payroll Reporting Consortium (NPRG), a nonprofit that provides payroll processing services to employers. Recipients are told that their employer has tried to cut costs by making "numerous misrepresentations regarding worker classification," according to a Websense alert Tuesday.
To rectify the problem, the recipients are urged to fill out an attached form -- but the attachment actually contains a trojan that installs a malicious browser helper object that steals user data from web forms, said Matt Richard, director of rapid response at VeriSign iDefense.
"It registers itself to be called every time you type data into a form," he told SCMagazineUS.com today. "It takes that data, stores it and then sends it to the attacker's website."
This latest attack is similar to previous phishing campaigns whose messages claimed to come from such groups and federal agencies as the Better Business Bureau, IRS and Department of Justice.
Three overseas-based groups have been responsible for about 50 to 75 such attacks in the past year, Richard said. The Romanian crime ring behind the most recent assault is responsible for roughly 30 to 40 percent of them.
Differences between the three groups lie in the types of malicious code they choose to propagate, he said.
"What's so terrible and brilliant about this string of attacks is that not a single one of them uses a technical feat to install their software," Richard said. "For them, it's a cost benefit. Writing exploits and good zero-day vulnerabilities take a lot of work and effort. Social engineering only takes creativity."
Richard estimates that each run reaches between 1,000 and 10,000 recipients, with about 20 to 30 percent falling for the bait.
Visitors today to the NPRG homepage are met with a statement urging them to be wary of the phishing emails.
"If you receive this email, you should immediately delete it, do not respond to it or take any other action," reads the warning, adding that the bogus emails contain the nonprofit's banner and the sender appears to be using an NPRG mailing address.