Tax-themed phishing campaign targets US taxpayers

• This campaign either attempts to drop malware, downloaders, or banking trojans onto victim’s systems or lure victims into submitting their financial information.
• Researchers also observed several other phishing campaigns that redirected victims to a spoofed IRS page.

What is the issue - Proofpoint researchers observed tax-themed phishing campaigns in the US, as it is tax season in the US.

Why it matters - These campaigns either attempts to drop malware, downloaders, or banking trojans onto victim’s systems or lure victims into submitting their financial information.

The big picture

In January 2019, Proofpoint observed a campaign that purported to come from a taxpayer named Timothy.

• The phishing campaign targeted multiple accounting firms pretending to contain information that was requested by the accounting firms in order to prepare Timothy’s tax return.
• The phishing emails contained several malicious fake documents disguised as a W-2 form, a 1099-R from UBS, and a mortgage interest 1098 form.
• When the recipient enabled macros, these documents would download Remcos RAT on the victim’s computer.
• Once the Remcos RAT is executed, attackers would gain access to the tax returns of all the taxpayers stored in the computer.

Proofpoint also observed several other phishing campaigns that redirected victims to a spoofed IRS page.

• These campaigns impersonated legitimate tax authorities such as the US Internal Revenue Service, Canada Revenue Agency, and the New Zealand Inland Revenue Department.
• These phishing emails included HTML attachments or URLs, which upon clicking opened an online form or redirected victims to a spoofed IRS login page.
• The online form asks for victims’ financial information, while the login page collects victims’ login credentials.
• After which, victims are redirected to the official tax authority websites.

Why it matters?

“As in years past, Proofpoint researchers observed the expected seasonal increase in tax-themed campaigns. 2019 saw a continuation of a trend towards high numbers of RATs first observed in 2018. Regardless of the payload, however, actors utilized social engineering techniques in subject lines, spoofed emails addresses, and 'decoy' links that led to the websites of legitimate government tax offices, many of which were outside of the U.S,” the researchers explained.