How Seasonal Scams Cause Yearlong Problems
April 11, 2019
For most Americans, Tax Day is a red-flag deadline on the calendar. For cybercriminals, it’s one day out of a season marked with scams to deceive victims out of money and personal data.
Seasonal threats are common among cybercriminals, who often exploit holidays, news, or global events for attack opportunities, says Limor Kessem, IBM global executive security adviser with its X-Force team. One of the biggest lures is tax season in the United States. “They start in January, and they drag it out until May, even June,” she says. After Tax Day, they can capitalize on people waiting to receive responses on their tax returns, refunds, or payment notifications.
Tax fraud is an old problem manifesting in new ways as more people file taxes online. The IRS expects more than 90% of tax returns will be prepared electronically using tax return software, RiskIQ reports in its “2019 Tax Season Threat Roundup.” People eager to cash in on tax returns are promising targets for cybercriminals, who spoof popular e-filing tools to exploit them.
IBM X-Force researchers recently discovered several of these ongoing tax-themed campaigns, three of which affect businesses as well as consumers. Attackers attempt to trick victims with messages appearing to be from major accounting, tax, and payroll services, including ADP and Paychex. Malicious Microsoft Excel attachments packed Trickbot, a common banking Trojan that infects devices to steal data and follow up with wire fraud from the owner’s account.
“Trickbot itself is very focused on businesses,” says Kessem of the enterprise angle. “They’re out to empty those business accounts.” While organizations have long been targeted with banking Trojans, the emergence of Trickbot in tax season campaigns is fairly new this year, she adds.
Researchers from IBM X-Force believe the size of the firms spoofed indicates attackers will likely be successful in tricking their customers. Businesses and individuals who use services from ADP and Paychex will likely expect to receive emails from their service providers around tax season, they point out.
All the attackers need is one person to believe a fake email, and they’re in. “They want to get that one foothold,” Kessem says. “They want someone who will believe their email and get infected with the malware.” From there, Trickbot is equipped to move laterally on a network.
It’s one of many campaigns with malware payloads mixed into tax-related emails. Late last year, Proofpoint researchers detected campaigns luring targets with urgent subject lines (“Your IRAS 2018 Tax Report,” “IRS Update for 1099 Employees”). These malicious messages, which typically rely on advanced social engineering techniques to alarm their victims, distributed a variety of remote access Trojans: Orcus RAT, Remcos RAT, and NetWire among them.
Tax Fraud? There’s An App for…