Tax season is always a prime time for phishing attacks. People are easily influenced by IRS branding and counterfeit web pages. Just a few weeks ago we wrote about a spear phishing attack where hackers obtained W-2s from a range of business sectors through a business email compromise scam.
In the short period of time since then, new tax scams have cropped up. These scams show an increase in the use of social engineering tactics to personalize emails and convince victims of their legitimacy. Hackers are preying on our innate willingness to comply with authority and appealing to our fears of the consequences of paying taxes late or not complying with the law. The scams come in a range of forms, from phishing emails that harvest confidential information to ransomware and banking Trojans.
One of the scams comes in the form of a spear phishing email supposedly from the IRS Commissioner. The email includes the victim's personal information, such as name, address, and personal phone number, which makes it seem legitimate. The email claims that the victim is entitled to a $7.5 million refund in the form of an ATM card, as long as they "update" some personal information. This scam has some obvious red flags:
Another phishing email tells victims that it is time for their information to be "processed". In reality, it is being stolen. The email takes victims to a fake IRS-branded page where they are asked to fill in all of their personal information, starting with their Social Security number. What sets this page apart is that its HTML is stored as AES ciphertext and decrypted by JavaScript in the browser. A signature-based filter or intrusion detection system (IDS) that inspects the page as it crosses the network sees only ciphertext and a decryption stub, not the words "Social Security number" or an IRS-branded form, so the page slips past content inspection that looks for those strings. The key has to travel with the page for the browser to render it, which is the weakness a scanner can use to recover the real content.
Similar to the information "processing" scam, this attack uses an email to lure victims to a counterfeit IRS-branded page. The email contains an attachment that sends users to a web form hosted at a page ending in "IRS-govCopyright.html". The form asks for the victim's:
With all of this information, hackers can easily file fraudulent tax returns, steal the victim’s identity, or sell the information for big bucks on the dark web.
Sage Ransomware, a CryLocker variant, is delivered through a document that claims to contain the application for a new loyalty tax refund program. Although the email cites "act 2837 12a" as the new law backing this program, a basic Google search turns up no results for this so-called law. This phishing email preys on people's urge to get something for free. Some reports state that hackers using this malware are asking for up to $2,000 in bitcoin to decrypt and release files.
In another case of malware infiltration, an email informs victims that they have missed a payment deadline and asks them to download their invoice. In reality, the "invoice" is a zipped JavaScript file that launches Sage Ransomware. This attack relies on the taxpayer's desire to comply with the law and adds a sense of urgency, ensuring that victims act quickly and unknowingly run the malicious file.
The last ransomware scam provides opportunities for wannabe cybercriminals by utilizing a new business model for thieves: ransomware-as-a-service. A phishing email informs victims that their tax profile violates IRS policies and that they must review and fill out the attached form. To ensure that the victim opens the malicious attachment, hackers tell them that they are subject to penalties if they don't respond. Once the attachment is opened, Philadelphia ransomware launches automatically, encrypts the victim's files, and demands a ransom for the decryption key.
One of the most popular scams is a phishing email that uses IRS branding to convince users to open and download malicious software. The email claims that the IRS has updated its privacy policy and is sending the updated version to all taxpayers. It also includes a bogus claim that one of the documents has "mandatory encryption", so victims must enable macros to view it. Enabling macros lets the macro download and run the Dridex BotNet 1105 banking Trojan, which then harvests banking credentials from the infected computer.
One of the most dangerous scams uses a tax-related lure email to get victims to open Excel spreadsheets filled with macros. These macros deliver LuminosityLink, a remote access Trojan (RAT). This software allows hackers to access computers remotely to:
An article from Krebs on Security shows that even security experts fall for scams. An individual at Defense Point Security, a company that provides cyber security services for the federal government, was the victim of a business email compromise spear phishing attack. The attack resulted in the team member directly handing over confidential employee information, in the form of W-2s, to hackers.
Although the company declined to comment, it is estimated that information on about 200-300 employees was exposed. It is surprising that an employee at such a high-profile security contractor would fall for an attack, but it is possible that they did not receive adequate training to look out for spear phishing scams.
It is important to address these dangerous threats with your employees and train them to look out for scams so they can protect themselves and your organization. Although many of these scams target individuals, ransomware, Trojans, and other malicious software can spread through corporate networks, infecting devices and causing extreme damage.
If anyone in your organization receives a tax-related phishing email the IRS asks that you forward it to phishing@IRS.gov.
The best way to prevent these attacks is to get advanced email protection from Vade. With our email security suite, you don’t have to worry about employees making judgment calls about phishing – these dangerous emails will never end up in their inbox.
We analyze multiple behavioral and technical factors within emails and the code embedded in every attachment to ensure that no malicious software is present. Backed by artificial intelligence, our security solution can protect your organization from spear phishing, ransomware, zero-day attacks, and more.
None of the scams listed on this page has made it past Vade's email security system, and Vade has had a 100% success rate in stopping every CryptoLocker and Locky variant in the wild, sometimes even before they have been detected by security researchers.
Ready to defend your organization from cyber-attacks with advanced email protection? Contact us today.