The latest scams use phishing emails to deliver remote access trojans to control a victim’s computer and steal sensitive data, says Cybereason.
Phishing attacks often exploit items and events in the news as a way to gain the attention and interest of potential victims. That strategy also includes seasonal events such as Christmas, Valentine’s Day, and everyone’s favorite, tax season. With the usual April 15 (now extended to May 17) deadline approaching, a report released Thursday by security provider Cybereason reveals the latest scams against taxpayers and offers advice on how to avoid them.
Cybereason’s Nocturnus threat analysis team has discovered a new phishing campaign aimed at US taxpayers. The phishing emails claim to contain a tax-related document that might interest people this time of year. But this document actually triggers a chain of events to install the NetWire and Remcos remote access trojans (RATs), which the attackers can use to control the infected systems.
How the scam works
The Word document attached to the phishing email contains a malicious macro. If the document is opened and the necessary permissions are granted by the recipient, the macro executes and downloads an OpenVPN client on the machine. This then creates a connection to a legitimate cloud service called “imgur” from which the NetWire or Remcos malicious payload is installed. The process uses a technique called steganography in which the malicious code is hidden within a plain-looking JPG image file, according to Cybereason.
Both NetWire and Remcos are commercial RATs up for sale for as little as $10 per month. Using a Malware-as-a-Service model, both are available through different licensing plans. In some cases, customers who opt for a subscription actually receive 24/7 support and software updates.
Once installed, NetWire is able to capture your screen, manage data copied to the clipboard and download additional payloads. Remcos can also steal your browser history and credentials, access your file manager and get information about your system. NetWire has been active in various forms since 2012, while Remcos popped up in 2016.
This particular tax-related scam tries to avoid standard security detection through a few different tricks. The attackers use a legitimate cloud service and a legitimate VPN app to install the Trojans. Through steganography, the payloads are hidden and downloaded within seemingly innocent image files.
“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” Assaf Dahan, senior director and head of threat research at Cybereason, said in a press release. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” Dahan added.
To help you avoid tax-related email scams this time of year, Cybereason offers the following tips:
Don’t click on links or open attachments in email. Attackers use social engineering to steal sensitive information as they know a certain number of people will open links or attachments without thinking twice. Don’t fall for attachments or links from untrusted sources.
Call the company or go to its website to get info. If you receive an email or correspondence related to tax filing, call the company directly to ask if it’s communicating to customers via email.
Use multifactor authentication. Use such authentication methods as an SMS text, an authenticator app, a fingerprint reader, or facial recognition to better protect your personal information.
Protect the devices in your possession. Make sure your mobile devices are configured to automatically update critical software.
Use security software to protect your devices. Use an endpoint security solution to protect your mobile phone and tablet.
Finally, remember that the IRS will never initiate contact with taxpayers by email, text or social media to request personal or financial information. It will never call taxpayers with threats of lawsuits or arrests. And it will never call, email or text you to request your tax ID or Identity Protection PIN.
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays