As tax season draws near, so do tax scams. Last Monday, Microsoft warned of a variety of tax scams that use social engineering to play on people’s fears and spread the Zdowbot and Omaneat banking Trojans, which in turn collect personal information via spoofed tax sites linked to and from phishing campaigns.
The warning comes ahead of the April 18 tax deadline, and the scams add extra weight to an already busy season, since we also have to avoid getting hit by them.
“These attacks circulate year-round as cyber-criminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,” warned Microsoft on its Malware Protection Center blog.
Email ploys reported by Microsoft include messages with the subject lines “You are eligible!”, “Confirmation of your tax refund” and “Subpoena from IRS”. Microsoft says scammers are also targeting certified public accountants with the email subject line “I need a CPA”.
There have been a lot of tax-based scams over the years; however, let’s take a look at one of the latest. Microsoft found a malicious Word document contained in an email that warns recipients they face pending tax-related law enforcement action. This Word document is conveniently named subpoena, which strikes fear and emotional distress into the recipient. If the Word document is opened, the first thing you notice is that it is in Protected View mode and prompts you to enable editing.
Here is the catch: if you enable editing, malicious macros download a malware detected as TrojanDownloader:Win32/Zdowbot.C, Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.
The attackers have also been busy targeting CPA tax preparation experts, hoping to infect PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line “I need a CPA” contain the fraudulent plea: “I need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..”
An attachment is also included, conveniently named “tax-infor.doc”, which also contains malicious macro code. As with the document mentioned above, it would also warn you not to enable editing while in Protected View. If editing is enabled, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. “These threats can log keystrokes, monitor the applications you open, and track your web browsing history,” according to Microsoft.
Sometimes the scam campaign emails carry subject lines like “Info on your debt and overdue payments”. These types of emails do not contain any attachments. Instead, they prompt the user to visit a website that allegedly contains a personalized report on their delinquent realty taxes. The message warns action is needed within 24 hours to avoid “significant charges and fines.” The link is to a phishing page.
The scammers target both taxpayers and tax professionals so they can steal information from both sides. There was a media report of a government contractor that fell victim to a spear phishing scam which exposed current and former employees’ sensitive tax information.
Be cautious when opening suspicious emails. Even if a message came from someone you know, be wary about opening the attachment or clicking on links. Be paranoid sometimes; it won’t hurt if it keeps your sensitive information safe.
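A mail-triage sketch for the lures described above, added here as an example and not taken from Microsoft's report. The function names, the file name subpoena.doc, the example.invalid link and the sample messages are constructed for illustration, and the attachment and deadline checks are assumed heuristics rather than a complete filter.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the article, lower-cased for comparison.
LURE_SUBJECTS = (
    "you are eligible!", "confirmation of your tax refund", "subpoena from irs",
    "i need a cpa", "info on your debt and overdue payments",
)
# Magic bytes of the legacy OLE container used by .doc files, which can hold macros.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def triage(raw_bytes):
    """Return the reasons a raw RFC 5322 message deserves a closer look."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches a reported tax lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Trust content over the file name: a renamed file keeps its magic bytes.
        if data.startswith(OLE_MAGIC) or name.endswith((".doc", ".docm")):
            reasons.append("Word attachment that may carry macros: " + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "http" in text and "24 hours" in text:
        reasons.append("link with a 24-hour deadline in the body")
    return reasons

def sample(subject, body, attachment=None):
    """Build a constructed test message (not a real captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(OLE_MAGIC + b"\x00" * 32, maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("Subpoena from IRS", "See attached.", "subpoena.doc")))
    print(triage(sample("Info on your debt and overdue payments",
                        "Act within 24 hours: http://example.invalid/report")))
    print(triage(sample("Lunch on Friday?", "Noon works for me.")))
```

A message flagged here is a candidate for quarantine or manual review, not proof of malice; legitimate .doc attachments will match the attachment rule too.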