Tax Season Is Here And So Are Taxpayer Cyber Scams

April 8, 2021

A new tax-themed phishing campaign is targeting U.S. taxpayers with malware-infected Microsoft Word email attachments that claim to contain tax-related information.

Cybersecurity technology company Cybereason states that opening the Word document displays a blurred background with the prompts "enable editing" and "enable content." Researchers note that hackers use this social engineering method to get users to enable embedded macros on their machine.

After it finishes decrypting, the malicious code downloads an OpenVPN and a trojanized DLL file onto the device. The malware dropper connects to the legitimate cloud service "Imgur" and installs the remote access trojans NetWire and Remcos on their victims' devices. These trojans allow hackers to take control of their victim's machines and steal sensitive information from them.

Both trojans are available for as little as $10 per month through the malware-as-a-service model.

The malware can remotely execute shell commands on the infected device; steal browser credentials and history; download and execute additional malware; screen capture and key log; and manage files and systems.

Researchers at Cybereason say the attack is designed to evade detection by antivirus tools. It uses a technique called steganography to hide malicious code in a jpeg image file that appears to be safe.

Information stolen from victims can be sold in "underground communities" and used for identity theft and financial fraud, according to the senior director and head of threat research at Cybereason.

Paul Bischoff, a privacy advocate at Comparitech, says this is a particularly clever attack because it uses the popular and trusted website Imgur to deliver its payload instead of downloading from the hacker's server.

This new malware attack could lead to large financial losses. The Internal Revenue Service (IRS) identified tax fraud schemes totaling more than $2.3 billion dollars in 2020. Rene Millman "Hackers target US taxpayers with NetWire and Remcos malware" itpro.co.uk (Mar. 19, 2021); Prajeet Nair "Tax-Themed Phishing Campaign Emerges" bankinfosecurity.com (Mar. 19, 2021).

 

Commentary

In February 2021, the IRS warned individuals to watch out for fraudsters spoofing the agency’s domains and using its logos and text in phishing campaigns.

Phishing emails targeting U.S. taxpayers, including U.S. employers, during tax season are not new.

Every year, hackers take advantage of the urgency people feel as the deadline to file taxes nears. As Paul Norris, a senior systems engineer at security company Tripwire, says, “This is because phishing campaigns are much more successful when the message creates a sense of urgency in the recipient, who is more likely to download an attachment or click on a link without thinking twice.”

Fortunately, cybersecurity experts say that even this new malware attack is “easy to prevent with good digital hygiene.” That means never clicking on links or attachments in unsolicited emails; verifying the sender before clicking on links and attachments even when you think you know what they contain; being cautious about opening Microsoft documents contained in emails; and disabling macros by default on MS Office apps.

Be particularly suspicious of any email claiming to contain tax-related information during tax season. Even if an email with an attachment proports to come from your accountant’s office, you should only open it after confirming by phone that the attachment is safe.

Finally, your opinion is important to us. Please complete the opinion survey:

News

Remote Access Software And Network Segmentation: A Problem And A Solution?

Cybersecurity experts note the many benefits of network segmentation, but organizations have been slow to implement it. We examine. Read More

Tax Season Is Here And So Are Taxpayer Cyber Scams

Every year hackers take advantage of the stress of filing taxes to target victims, including employers, with phishing scams. Learn more. Read More

Multi-Factor Authentication: Does It Help Protect Your Data?

SonicWall, Inc. says hackers breached its system security software and is working on a fix. Learn about multi-factor authentication. Read More