As the 2022 tax season nears, numerous active phishing campaigns have been discovered impersonating the IRS to steal people’s sensitive data, and potentially – money.
One such campaign was just recently spotted by cybersecurity researchers from Cofense, which found threat actors pretending to be the Internal Revenue Service (IRS), sending out emails with tax forms and federal returns.
In most cases, the emails carry false 2021 Tax Return forms, W-9 forms, or other tax documents that are commonly being distributed this time of the year. These documents, either Word files, or Excel files, carry malicious macros, and if triggered, will download the Emotet malware.
Spreading ransomware
Emotet has multiple functions, with two most basic ones being – to spread to more machines via email; and to deliver stage-two malware. Cofense says that these days, Emotet is mostly used to deliver Cobalt Strike, ransomware payloads, or SystemBC remote access Trojan. When it infects a machine, it will try to weasel its way into the inbox, and use existing email threads to re-distribute itself without raising suspicion.
Of these threats, ransomware seems to be the most obvious one, given that Emotet is being developed by the Conti Ransomware group.
The best way to protect against these attacks is to be vigilant when opening emails or downloading attachments. The IRS never sends unsolicited emails, and will only correspond through the postal service.
When receiving emails with attachments, or links, it is important to double-check the sender’s name and address, because that’s often the first place where a red flag can be noticed. Also, typos, poor English, and a mismatch in visual identity, can also be clues to a potential phishing attack. And finally, hovering over a hyperlinked keyword in an email gives away its actual address.
Via: BleepingComputer
