Tax-themed phishing and malware attacks proliferate during the tax filing season

Discussion in 'Microsoft' started by MalwareTips Bot, Mar 20, 2017.


Are all the members of your family aware of the Tax-themed phishing and scams?

Poll closed Mar 30, 2017.
  1. Yes

  2. Only some members of my family

  3. No

    Tax-themed scams and social engineering attacks are as certain as (death or) tax itself. Every year we see these attacks, and 2017 is no different.

    These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April.

    Cybercriminals are using a variety of social engineering tactics related to different scenarios associated with tax filing, in order to get you to click links or open malicious attachments.

    Here are some recent examples we’ve seen. The best defense is awareness: no matter what stage you are in your tax filing and wherever you are in the world, don’t fall for these social engineering attacks.

    Tax refund: “You are eligible!”

    An enticing bait attackers use says that you’re eligible for a refund. We’re seeing several phishing campaigns targeting taxpayers in the United Kingdom, where tax filing season ended in January. These attacks are targeting people who might be waiting for information about their tax refund.

    These kinds of phishing emails pretend to come from HM Revenue and Customs, the tax collection body in the UK. These mails vary in how legitimate they appear, but in all cases the attackers want you to click a link in the mail. The link points to a phishing page that will ask for sensitive information.




    If your default browser is Microsoft Edge, Microsoft SmartScreen will automatically block access to these phishing sites. Internet Explorer also includes Microsoft SmartScreen.


    Tax filed: “Payment has been debited from your account”

    Another cybercriminal tactic is to pretend to deliver a receipt for taxes filed. A recent example is a malicious email with the subject “Rs. 73,250 TDS Payment Has Been Debited from your Account”. TDS refers to Tax Deducted at Source, which is the method of collecting tax in India.

    The message body says, “Kindly download and view your receipt below attached to this email.” The attachment plays the part and bears the name Income Tax


    Inside the .zip is the file Income Tax Receipt.scr, which is really a banking Trojan detected by Windows Defender Antivirus as TrojanSpy:Win32/Bancos.XN.

    The payload Trojan is part of a family of keyloggers. When it runs, it logs all keystrokes and sends these to an attacker. From the keystrokes, an attacker can then collect sensitive info like user names and passwords for online banking, email, social media, and other online accounts.

    SHA1: 89c5248a989c79fdff943c7c896aeaee4175730d

    Tax overdue: “Info on your debt and overdue payments”

    Some tactics are more threatening. One example accuses the recipient of having overdue tax.

    This threat can cause the recipient to panic and click a link in the email without thinking things through. We monitored an attack that targets taxpayers in the US; it accused recipients of overdue tax and said that action needed to be taken immediately. The link in the email is, of course, a phishing page.


    Again, Microsoft SmartScreen blocks access to this phishing page.

    Tax evasion: “Subpoena from IRS”

    Some attacks use fear as bait. One such bait tells recipients that there’s pending law enforcement action against them. We saw an example of this sent to U.S. taxpayers. It pretends to contain information about a subpoena, asking “What should we do regarding the subpoena from IRS?”


    The attachment is a document file that Microsoft Word opens in Protected View. The attackers expected this, so the document contains an instruction to Enable Editing.


    If Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C.

    Zdowbot is a family of Trojan downloaders. They connect to a remote host and wait for commands. In addition to downloading and installing other malware, they can send information about your PC to a remote attacker.


    Tax preparation: “I need a CPA”

    Some attacks are relevant during the early part of the tax filing process. We saw an attack this year that targets accountants in the U.S., given the timing and the information in the email referencing the IRS.

    The attack pretends to be coming from somebody seeking the services of a CPA. It includes an attachment named tax-infor.doc.


    The attachment is a document with malicious macro code. Macros should be disabled by default (as is the best practice). When the attachment opens, Microsoft Word issues a warning. To encourage you to enable macros, the document displays a fake message box that says “Please enable Editing and Content to see this document”. The fake message box is designed to look like it’s part of Microsoft Word, but it’s really part of the document itself.


    If you fall for the ruse and enable macros, then the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe.

    Omaneat is a family of info-stealing malware. These threats can log keystrokes, monitor the applications you open, and track your web browsing history.

    SHA1: ffc06b87eed545df632b61b2a32ef36216eb697d
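    The two attachment-based lures above, the .zip that wraps an .scr (TDS receipt) and the .doc whose macro downloads a payload (CPA request), share a small set of detectable traits: tax-themed wording, a request to enable editing or content, a Reply-To that does not match the sender, an executable hidden in an archive, and a VBA project inside an Office document. The following Python script is an added example, not code from the original post or from Microsoft; it scores a message on those traits. The only values taken from the post are the two SHA-1 hashes and the file names of the attachments; every message and attachment byte string below is constructed for illustration, and the legacy-.doc macro check is a heuristic (it looks for the `_VBA_PROJECT` stream name in the OLE directory rather than fully parsing the compound file).

```python
"""Added example, not code from the original post: a triage scorer for the
tax-themed lures the post describes. Sample messages and attachments are
constructed; only the two SHA-1 hashes and the file names come from the post."""
import hashlib
import io
import re
import zipfile

# SHA-1 indicators quoted in the post.
KNOWN_BAD_SHA1 = {
    "89c5248a989c79fdff943c7c896aeaee4175730d",  # Income Tax Receipt.scr (Bancos.XN)
    "ffc06b87eed545df632b61b2a32ef36216eb697d",  # tax-infor.doc (Omaneat downloader)
}
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlt", ".ppt", ".pptm"}
TAX_TERMS = re.compile(r"\b(tax|tds|hmrc|irs|refund|subpoena|cpa|overdue)\b", re.I)
ENABLE_LURE = re.compile(r"enable\s+(editing|content|macros)", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Legacy .doc files keep macros in an OLE storage whose directory entries (UTF-16LE
# names) include "_VBA_PROJECT"; that string is used here as a heuristic marker.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    return name[name.rfind("."):].lower() if "." in name else ""


def archive_members(data):
    """Return member names if data is a ZIP archive, else an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def has_macros(name, data):
    """Heuristic macro check: OOXML files carry a vbaProject.bin part,
    legacy OLE files carry a _VBA_PROJECT stream."""
    if ext_of(name) not in MACRO_CAPABLE_EXTS:
        return False
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    return any(m.lower().endswith("vbaproject.bin") for m in archive_members(data))


def triage(sender, reply_to, subject, body, attachments):
    """Score one message; attachments is a list of (filename, bytes).
    Returns {'score': int, 'reasons': [str]} where score == len(reasons)."""
    reasons = []
    if TAX_TERMS.search(f"{subject}\n{body}"):
        reasons.append("tax-themed lure wording")
    if ENABLE_LURE.search(body):
        reasons.append("body asks the reader to enable editing/content")
    sender_dom = sender.rsplit("@", 1)[-1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_dom:
        reasons.append("Reply-To domain differs from From domain (possible spoofing)")
    for name, data in attachments:
        if hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1:
            reasons.append(f"{name}: SHA-1 matches a known indicator")
        if ext_of(name) in EXECUTABLE_EXTS:
            reasons.append(f"{name}: executable attachment")
        for member in archive_members(data):
            if ext_of(member) in EXECUTABLE_EXTS:
                reasons.append(f"{name}: archive contains executable {member}")
        if has_macros(name, data):
            reasons.append(f"{name}: Office document contains a VBA project")
    return {"score": len(reasons), "reasons": reasons}


def build_receipt_zip():
    """Constructed stand-in for the 'Income Tax Receipt' archive: a ZIP wrapping an .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Income Tax Receipt.scr", b"placeholder bytes, not a real binary")
    return buf.getvalue()


def build_macro_doc():
    """Constructed stand-in for a legacy .doc with a VBA project (markers only)."""
    return OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 64


# Constructed samples modelled on the two campaigns, plus a benign control.
SAMPLES = {
    "tds_receipt": dict(sender="noreply@taxportal.example", reply_to="",
                        subject="Rs. 73,250 TDS Payment Has Been Debited from your Account",
                        body="Kindly download and view your receipt below attached to this email.",
                        attachments=[("Income Tax Receipt.zip", build_receipt_zip())]),
    "cpa_request": dict(sender="client@firm.example", reply_to="reply@other.example",
                        subject="I need a CPA",
                        body="Please enable Editing and Content to see this document.",
                        attachments=[("tax-infor.doc", build_macro_doc())]),
    "benign": dict(sender="alice@firm.example", reply_to="", subject="Lunch on Friday?",
                   body="Are you free at noon?", attachments=[]),
}


def run_samples():
    """Triage every sample; returns {sample name: triage result}."""
    return {name: triage(**fields) for name, fields in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: score={result['score']} {result['reasons']}")
```

    The score is deliberately a plain count of independent reasons rather than a weighted model, so that each line of output tells an analyst exactly which trait fired; in a mail gateway you would route anything with an executable-in-archive or VBA-project reason to quarantine regardless of the total.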

    How to stay safe from social engineering attacks

    Tax-themed malware and phishing attacks highlight an important truth: most cybercrime is after your hard-earned money.

    But these attacks rely on social engineering tactics: you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if an email comes from someone you know, be wary about opening the attachment or clicking links. Some malicious emails may be spoofing the sender.

    The built-in security technologies in Windows 10 can help protect you from these attacks. Keep your computers up-to-date.

    Enable Windows Defender Antivirus to detect malware that arrives via email messages using tax filing as bait. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

    Practice safe browsing habits. We recommend Microsoft Edge. It blocks known phishing and other malicious sites using Microsoft SmartScreen.

    Additional protection is available for businesses running Windows 10 and Office products.

    Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as social engineering emails that carry malware or phishing links.

    Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run.

    IT administrators can use Group Policy in Office 2016 to block macros in documents like the ones used in these social engineering attacks from running.
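    One way to verify that such a policy is actually in force on a workstation is to read the Office 2016 policy values for Word from the registry and compare them with a hardened baseline. The script below is an added example, not code from the original post or from Microsoft. It assumes the two policy-backed values under `HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security` are the relevant ones: `VBAWarnings` (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification) and `blockcontentexecutionfrominternet` (1 = block macros in files marked as downloaded from the Internet). The registry is only read on Windows; the `assess` function works on a plain mapping so it can be exercised anywhere, and the mappings in the self-test are constructed.

```python
"""Added example, not from the original post: check whether Office 2016 Group
Policy settings that block untrusted Word macros are in force. The key path and
value names are the Office 2016 (16.0) policy values; sample dicts are constructed."""
import sys

POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\Word\Security"  # under HKCU
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable with notification",
    3: "disable except digitally signed",
    4: "disable all without notification",
}


def assess(values):
    """values: mapping of value name -> DWORD as read from the policy key
    (empty if the key is absent). Returns (compliant, findings)."""
    findings = []
    vba = values.get("VBAWarnings")
    if vba is None:
        findings.append("VBAWarnings is not set by policy: the user's own Trust Center choice applies")
    elif vba in (1, 2):
        findings.append(f"VBAWarnings={vba} ({VBA_WARNINGS[vba]}): clicking Enable Content runs the macro")
    elif vba not in VBA_WARNINGS:
        findings.append(f"VBAWarnings={vba} is not a recognised value")
    if values.get("blockcontentexecutionfrominternet") != 1:
        findings.append("blockcontentexecutionfrominternet != 1: macros in files downloaded from "
                        "the Internet are not blocked outright")
    return (not findings, findings)


def read_policy():
    """Read the two values from the live registry (Windows only; {} elsewhere or if unset)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # Windows-only module, hence the guarded import
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            for name in ("VBAWarnings", "blockcontentexecutionfrominternet"):
                try:
                    values[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value not set by policy
    except FileNotFoundError:
        pass  # policy key absent entirely
    return values


# Constructed baselines: what a hardened machine and an unmanaged one would return.
HARDENED = {"VBAWarnings": 3, "blockcontentexecutionfrominternet": 1}
UNMANAGED = {}


if __name__ == "__main__":
    ok, findings = assess(read_policy())
    print("compliant" if ok else "NOT compliant")
    for f in findings:
        print(" -", f)
```

    `VBAWarnings=2` reproduces exactly the situation the post describes (Word shows the yellow bar and a single click on Enable Content runs the downloader), so the check treats it as non-compliant even though it is the product default; the Internet block is the setting that stops the `tax-infor.doc` scenario even when the user clicks.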

    For more information, download and read this Microsoft e-book on preventing social engineering attacks, especially in enterprise environments.

    Jeong Mun and Francis Tan Seng

