New phishing campaign targeting US tax return payers ahead of 2021 deadline

(Image credit: Shutterstock)

A serious phishing campaign that targets US taxpayers has been discovered in the run up to the April 15 tax filing deadline.

Attack protection specialists Cybereason has released details of its core threats in a new report warning that individuals are being sent documents that purport to contain tax-related content. 

However, they also deliver NetWire and Remcos malware and allow cybercriminals to take control of a victim’s machine.

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

NetWire and Remcos are regularly cited as two of the most prolific remote access Trojans (RATs). Worse still, the latest phishing campaign has been carefully engineered to evade antivirus software tools. Recipients of a tax-themed Word Document are duped into opening it, which contains a malicious macro that subsequently downloads an OpenVPN client on the users computer.

Malware threats

Once this has happened the malware dropper makes a connection to the legitimate cloud service ‘imgur’ and downloads the NetWire or Remcos malware. Cybereason has discovered that the process is carried out using a technique called steganography, whereby malicious code is hidden inside a seemingly innocuous Jpeg file.

The activity has the potential to affect a lot of unsuspecting tax filers. According to the IRS, nearly 170 million tax returns were filed in the US in 2020. Of those, nearly 153 million were filed electronically. And last year along the IRS identified more than $2.3 billion in tax fraud schemes.

Therefore, tax filers are being encouraged to follow the usual practices when filing their 2021 returns. This includes resisting the temptation to click on links or open attachments in suspicious emails. Anyone filing a tax return in the US should also bear in mind that the IRS will never initially contact taxpayers using email, text or social media asking for personal or financial details.

“Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the U.S. tax season to infect targets at will,” said Assaf Dahan, senior director and head of threat research at Cybereason.

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” added Dahan.


Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.