This tax-themed malvertising attack can blind security software before it arrives — and then unleashes ransomware

A person doing taxes.
(Image credit: Shutterstock)

  • Hackers exploit US Tax Day rush with phishing and malware
  • Fake tax form sites via Google Ads drop ScreenConnect and disable defenses
  • Campaign sets stage for ransomware, also seen with fake Chrome updates

Cybercriminals are once again taking advantage of the approaching tax filing deadline to deploy malware and ransomware onto people’s computers, experts have warned.

The April 15 tax deadline, also simply called Tax Day, is the last day most Americans have to file their federal income tax return and pay any taxes they owe.

Since many wait until the very last moment to deal with their taxes, they rush to get it done and, as security researchers at Huntress say, “trust the first Google result they see.”


No bragging rights

Huntress says it is seeing an increase in people searching for specific US tax forms, such as W-2 or W-9. Hackers are leveraging this fact, creating fake landing pages and promoting them through Google Ads.

As a result, when people search for these terms, they often land on malicious pages where they are served ScreenConnect (now commonly branded as ConnectWise Control), a legitimate remote access tool that is frequently abused by attackers.

The researchers say the attack targets all sorts of people, from employees, freelancers, and contractors to small businesses. Before running the remote access tool, the attackers first drop a kernel driver that disables security tools such as Windows Defender.

“Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector,” Huntress stressed.
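The two-step chain the article describes, a kernel driver installed shortly before a ScreenConnect client appears, lends itself to a simple correlation hunt over service-installation events. The script below is an added example, not code from the article or from Huntress; the log lines are constructed, and the field layout, the use of Event ID 7045 ("a service was installed") and the service names are assumptions to adapt to your own telemetry.

```python
# Added example: correlate kernel-driver installs with a ScreenConnect
# client appearing on the same host shortly afterwards. Field layout,
# Event ID 7045 and the service names below are assumptions.
from datetime import datetime, timedelta

# Constructed sample: "timestamp|event_id|host|service_name|service_type|image_path"
SAMPLE_LOG = """\
2025-04-10T09:01:12|7045|WS-FIN-07|ScreenConnect Client (a1b2c3)|user mode service|C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe
2025-04-10T09:02:45|7045|WS-HR-03|prtdrv|kernel mode driver|C:\\Windows\\Temp\\prtdrv.sys
2025-04-10T09:03:30|7045|WS-HR-03|ScreenConnect Client (9f8e7d)|user mode service|C:\\Program Files (x86)\\ScreenConnect Client (9f8e7d)\\ScreenConnect.ClientService.exe
2025-04-10T11:15:00|7045|WS-IT-01|legitdrv|kernel mode driver|C:\\Windows\\System32\\drivers\\legitdrv.sys
2025-04-10T16:40:00|7045|WS-IT-01|ScreenConnect Client (123456)|user mode service|C:\\Program Files (x86)\\ScreenConnect Client (123456)\\ScreenConnect.ClientService.exe
"""

def parse(log: str):
    """Turn the pipe-delimited sample into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, eid, host, name, stype, path = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "host": host, "name": name, "type": stype, "path": path})
    return events

def find_driver_then_rat(events, window=timedelta(minutes=30)):
    """Return (host, driver_path, rat_service) for every host where a
    kernel-mode driver service was installed and a ScreenConnect client
    service was installed within `window` afterwards."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 7045:          # service installed
            by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        drivers = [e for e in evs if e["type"] == "kernel mode driver"]
        rats = [e for e in evs if "screenconnect" in e["name"].lower()]
        for d in drivers:
            for r in rats:
                # driver must come first, and the RAT must follow within the window
                if timedelta(0) <= r["ts"] - d["ts"] <= window:
                    hits.append((host, d["path"], r["name"]))
    return hits

if __name__ == "__main__":
    for host, drv, rat in find_driver_then_rat(parse(SAMPLE_LOG)):
        print(f"[!] {host}: kernel driver {drv} followed by {rat}")
```

Only WS-HR-03 is flagged: WS-FIN-07 has a ScreenConnect install with no preceding driver, and on WS-IT-01 the driver and the client are hours apart, so a standalone ScreenConnect install still deserves a look but is not this chain.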

While the tax-themed lure is currently trendy, it’s not the only method being used. Huntress says it also saw a fake Chrome update page with JavaScript comments in Russian, “suggesting a broader social engineering toolkit and a Russian-speaking developer.”

The campaign appears to be only the first step in a multi-stage attack. At this stage, the crooks are establishing a foothold and harvesting credentials, likely in preparation for ransomware deployment.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.