Tax Scams via New Wave of Malware


This year’s tax season is in full swing, and while everyone is trying to make the April 15 deadline, scammers and cybercriminals are ramping up their schemes, too.

Even though it’s easier to file your taxes online, the convenience has its drawbacks. Scammers can use these same advantages to concoct malware and phishing attacks to reel in more victims.

Now, a new tax malware scam has been spotted, and this time it involves one of the most sinister banking Trojans around.

This tax Trojan that will drain your entire bank account

A new sophisticated tax phishing scam has been spotted by IBM’s X-Force. What’s scary is, it’s deploying a banking Trojan to steal banking credentials and misdirect victims into visiting malicious websites.

X-Force researchers said that they have spotted at least three tax-related malware spam campaigns so far. The campaigns primarily target businesses, but all of them can affect regular consumers, too.

What are the new tactics? Well, these malware campaigns send out phishing emails that appear to be coming from accounting, tax and payroll services. If you work in HR and payroll departments, watch out! Spoofed companies include popular payroll providers Paychex and ADP.

Attached to these fraudulent emails are malicious Microsoft Excel documents that are programmed to install the nasty TrickBot banking Trojan on your computer.

These tax-related attacks have been going on since January of this year and are still active to this day.

Here are the tax malware details you need to look out for

X-Force noted that these latest high-volume campaigns are more sophisticated than usual and — surprise, surprise — they are actually well-written with no typographical or grammatical errors.

The phishing emails also have official-looking business signatures, footers and even warnings about unneeded printing, adding to their look of authenticity. But don’t be fooled! They’re just well-designed versions of the old TrickBot campaign.

Subject lines all include the word “tax” and are all preceded by “FW:” or “RE” to fool you into thinking that the email is part of a longer thread.

These details, of course, are all designed to make the phishing emails look as authentic as possible to gain your trust. Scammers are always counting on the fact that if a potential victim thinks an email is from a trusted source, they’ll be more likely to open its attachments or follow its links.
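The traits described above can be checked mechanically at a mail gateway or during triage. The following Python sketch is an added example, not code from the article or from X-Force. The legitimate-domain list, the missing-thread-header heuristic and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> legitimate sender domains (verify against your own mail flow).
BRANDS = {"paychex": ("paychex.com",), "adp": ("adp.com",)}
EXCEL_EXT = (".xls", ".xlsm", ".xlsb")  # macro-capable Excel formats
THREAD_PREFIX = re.compile(r"^\s*(fw|re)\b:?", re.I)

def triage(raw):
    """Return the traits from the article that a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    hits = []
    subject = msg.get("Subject", "")
    if THREAD_PREFIX.match(subject) and re.search(r"\btax", subject, re.I):
        hits.append("thread-style tax subject")
        # Assumed heuristic: a real reply carries threading headers, a fresh lure does not.
        if not (msg.get("In-Reply-To") or msg.get("References")):
            hits.append("no thread headers")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRANDS.items():
        if re.search(rf"\b{brand}\b", name, re.I) and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            hits.append(f"{brand} name from {domain}")
    for part in msg.walk():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(EXCEL_EXT):
            hits.append(f"excel attachment {fn}")
    return hits

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "Paychex Payroll" <billing@payroll-docs.example>
Subject: FW: Tax documents
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached.
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="tax_form.xls"

AAAA
--b1--
"""
print(triage(SAMPLE))
```

A single hit, such as a tax subject inside a genuine reply thread, is weak evidence on its own. The combination of all four traits is what matches the campaign described here.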

What is TrickBot?

It is a banking Trojan that is spread through phishing emails with Excel or Word document attachments that are infected with malicious macros.

If you open the infected files and let the macros run, the TrickBot banking Trojan will be installed onto your gadget without your knowledge.

Once TrickBot is deployed to your machine, it will lurk in the background, waiting for you to visit your bank’s website.

Through a technique called dynamic injection, it will then redirect you to a fake version of the site (which is under the attacker’s control), where it will ask you to log in with your banking credentials.

Once you log in to the fake banking website, it’s game over: you’ve just handed them the keys to your bank account. These fake websites reportedly look so authentic that a large number of people are falling for them.

And, as usual, TrickBot has evolved over the years. From banking phishing and redirection malware, it has gained the ability to steal Remote Desktop and Virtual Network credentials, too.

It can also spread to other machines on the same network, so a single point of entry is all the attackers need to compromise an entire company.

How to protect yourself from this latest tax-related malware campaign

The best thing you can do to stay safe is to NOT click on links within emails that are unsolicited. If you need to correspond with your financial institution, call its phone number listed on the back of your credit or debit card or type its web address directly into your browser.

Also, enable two-factor authentication, also known as two-step verification. This means that to log in to your account, you need two ways to prove you are who you say you are. It adds an extra layer of security and should be used whenever a site makes it available.

Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account.

Unsuspecting people are mistakenly handing over sensitive information to scammers all too often. If you receive an unsolicited email, do not reply with personal information. You don’t want it to fall into the hands of criminals. If a company that you do business with on a regular basis emails you and asks for personal information, type the company’s official web address into your browser and go there directly to be safe.