Watch out — those IRS tax forms could actually just be malware

Phishing
(Image credit: Vektor Illustration/Shutterstock)

The tax season in the United States is nearly upon us once again, which can only mean one thing - hackers will be impersonating the Internal Revenue Service (IRS) in an attempt to steal money and sensitive information from businesses of all shapes and sizes.

Cybersecurity researchers from two companies - Palo Alto Networks and Malwarebytes have discovered two malicious phishing campaigns doing just that, but having somewhat different approaches. 

In one campaign, the attackers would impersonate the IRS and share a fake W-9 tax form via email. The fax form is actually the Emotet malware, capable of stealing sensitive data from the infected endpoints and using it to further distribute itself. Emotet can also serve as a dropper, allowing the threat actors to distribute different types of malware, ransomware included. 

Word and OneNote files

In this campaign, the attackers would send a malware-laden Word document, inflated to 500MB+ in order to avoid triggering the antivirus programs. However, given that Microsoft blocked macros from internet-downloaded Office files, chances are this campaign won’t be that successful. 

The second campaign is different in the fact that instead of Word files, these attackers are distributing OneNote files with malicious add-ons. 

These are yet to be fully blocked when downloaded from the internet, so the success rate will probably be somewhat higher. In this campaign, the attackers would share a NoteBook (a OneNote file) that’s “protected” (seems to be blurred out) and requiring the user to click “Unlock” or “View” or a similar call to action. However, what they would really be doing is triggering the add-on, which would download the Emotet malware.

The second major difference is that these files wouldn’t come from the fake IRS but rather fake partners, clients, or businesses the victims otherwise engage with. 

Usually, tax forms are distributed as a .PDF file, and not as a .DOCX file, which is probably the best way to spot a cyberattack. Furthermore, OneNote is not exactly the most popular productivity tool out there, so getting a NoteBook file should be a red flag right from the start.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.