6 Tax Season Cybersecurity Risks to Avoid

March 3, 2017 Marketing GrafWebCUSO

Tax-related themes are frequent lures for phishing emails and websites. Sunnyvale, Calif.-based Proofpoint revealed cybercriminals expanded their attack methods this tax season to include ransomware, malware, malicious documents, and social engineering.

In a blog post, the cybersecurity firm reported that scammers have expanded beyond traditional phishing lures in their efforts to obtain sensitive information. These additional attack methods include email subject lines that highlight a new IRS policy, a loyalty tax refund, or electronic filing; posing as tax companies to steal personal details; and a recent campaign promising a quick online refund once the recipient provides bank account information.

Proofpoint reported tax-themed email campaigns encapsulate the broader trends highlighted in its 2016 Threat Report: large-scale distribution of ransomware via email, geographic targeting of banking Trojans, variation of payloads, and increasing adoption of URLs in place of document attachments.

The IRS issued alerts about the fraudulent use of its name or logo by scammers trying to gain access to consumers’ financial information. Scammers use the regular mail, telephone, fax or email to set up their victims.

“Tax season and the rounds of phishing lures that accompany it are annual traditions in the U.S. This year, we tracked malware distribution in addition to the customary phishing schemes among the email threats related to federal taxes. We saw this tradition extend north of the border to Canada, where taxes are due on April 30th,” the Proofpoint blog read.

Proofpoint researchers examined several campaigns. They include:

  1. “The Trick”, also known as TrickBot and TrickLoader, which emerged recently as a high-profile banking Trojan with links to the infamous Dyreza banker and the actors behind it. On February 22, Proofpoint observed a well-crafted, socially engineered attack delivering the payload under the guise of Canadian Revenue Agency documents. The professional-looking email includes instructions and contact information related to the attached “secure documents,” which contain the malware.
  2. A campaign encouraging recipients to read a new IRS privacy policy in an attached document. The email contained elements of social engineering, and the attached document carried macros; once enabled, the macros download Dridex botnet 1105.
  3. Another email campaign targeting U.S. recipients offered a special loyalty tax refund program. The attached malicious document delivered Sage ransomware via embedded macros. The ransomware generally asked users for $2,000 to decrypt their files. A separate campaign delivering Sage during the third week of February used links to zipped JavaScript files instead of attached malicious documents.
  4. A tax-themed lure delivered LuminosityLink, a remote access Trojan that includes a comprehensive keylogger capable of injecting code into most running processes on infected PCs, via attached macro-laden Excel spreadsheets. Proofpoint also observed LuminosityLink directed at high-value targets.
  5. Email sent from the irs-consultant.com domain was used to install the so-called Philadelphia ransomware, which was first documented last fall. “According to our colleagues at bleepingcomputer.com, ‘Philadelphia is being sold as a low-cost ransomware solution that allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or complexity,’” Proofpoint explained.
  6. Phishers target personal information via a form for submitting federal W-2 information, lifting IRS branding and images directly from IRS.gov. Also observed: the reuse of forms capturing IRS login information. Phishers extensively reuse templates and related code from previous campaigns, since they have little incentive to innovate as long as existing templates and tools remain effective.