Users in the US Targeted with Ransomware via Tax Return-Flavored Emails

Status
Not open for further replies.

Exterminator (Community Manager, Staff Member, Verified, Well-known) · Thread author · Oct 23, 2012 · 12,527
Now that the period for filing tax reports in the US has reached an end, cybercriminals have adapted their phishing lure and deliver messages claiming to be from the IRS (Internal Revenue Service) in relation with pending refunds.

The crooks rely on strong social engineering skills to create a highly credible message that is also laced with legitimate links, which increase confidence in the message being real communication from the IRS.

“Additional information regarding tax refunds can be found on our website: http://www.irs.gov/Refunds [legitimate URL]. Please note that IRS will never ask you to disclose personal or payment information in an email,” reads a paragraph of the email.

The advice provided, along with the legitimate link, is designed to increase confidence that the message has been sent by the IRS.

Crooks compromised web server in China
The objective of the malicious campaign, however, is to deliver a piece of ransomware on the victim’s computer via an infection scheme that involves a compromised web server located in China.

Dmitry Bestuzhev from Kaspersky says that the cybercriminals are also responsible for a similar operation conducted earlier this month, which relied on a malicious script stored on the Pastebin anonymous paste website.

In this case, the attacker relies on an encoded malicious script hosted on the Chinese machine containing instructions for downloading the final payload.

Victim is tricked into enabling macros in Microsoft Office
The attack starts with the seemingly legitimate email that informs of a significant tax refund, with a Word document attached, purporting to be a copy of the approved tax return form.

The Word file is rigged with a macro (a script whose legitimate functionality is to help the user complete repetitive tasks automatically) that calls for the remotely stored script with instructions and the download link for the malware.

Macros are disabled by default in the Microsoft Office components, but the crooks placed gibberish text in the file, instructing the victim to turn on support for macros in order to make the text readable.

The ransomware is detected by Kaspersky products as Trojan-Ransom.Win32.Foreign.mfbg and does not encrypt data stored on the computer; instead, it blocks access to the Internet and demands payment via prepaid cards, such as MoneyPak.

Victims are instructed to deliver the code of the card to an SMS number in order to pay the ransom and restore the functions of the computer.
Reactions: Mr.X and BoraMurdar
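The post above describes the delivery mechanism: a Word attachment carrying a VBA macro, with the victim talked into enabling macros. The defensive check below is an added example written for this thread; it is not code from the article, from Kaspersky, or from the campaign. It inspects an Office Open XML container (the zip format used by .docx/.docm) for an embedded VBA project by looking at the package contents rather than the file extension, since the attacker controls the name. The helper names (`build_sample_doc`, `inspect_office_file`) and the minimal in-memory documents are constructed for the example and are not real Word files.

```python
"""Flag Office Open XML attachments that carry a VBA project (macro payload)."""
import io
import zipfile

# Constructed sample parts: a minimal "[Content_Types].xml" with and without the
# vbaProject override that macro-enabled Word packages declare.
_CT_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
_CT_MACRO = _CT_CLEAN.replace(
    '</Types>',
    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
)


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip in memory (hypothetical sample, not a real Word file;
    just enough structure to exercise the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CT_MACRO if with_macro else _CT_CLEAN)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Fake OLE compound-file header bytes stand in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_file(data: bytes) -> dict:
    """Return indicators of an embedded VBA project in an OOXML package.

    Two independent signals are collected: a vbaProject.bin part anywhere in the
    archive, and the vbaProject content type declared in [Content_Types].xml.
    Either one is enough to flag the file for quarantine or sandbox detonation.
    """
    result = {
        "is_zip": False,
        "vba_parts": [],
        "declares_vba_content_type": False,
        "has_macros": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OOXML package: legacy binary .doc (OLE) needs a different parser.
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
            result["declares_vba_content_type"] = "application/vnd.ms-office.vbaProject" in ct
    result["has_macros"] = bool(result["vba_parts"]) or result["declares_vba_content_type"]
    return result


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_doc(False)), ("macro", build_sample_doc(True))):
        print(label, inspect_office_file(doc))
```

A mail gateway or IR triage script would run `inspect_office_file` over every Office attachment and hold any file where `has_macros` is true, regardless of whether it is named .docx or .docm. The check deliberately reports `is_zip: False` for legacy binary .doc files instead of guessing; those need an OLE parser (for example the olevba tool from oletools) rather than zip inspection.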
