Microsoft warned Monday that this year’s crop of tax scams is using fear-based social engineering to spread the Zdowbot and Omaneat banking Trojans and to collect personal information via spoofed tax sites linked from phishing campaigns.
The warning comes less than a month before the April 18 tax deadline and adds to an already busy season of tax scams reported by various security experts and the U.S. Internal Revenue Service.
“These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,” warned Microsoft on its Malware Protection Center blog.
Email ploys reported by Microsoft include messages with the subject lines “You are eligible!”, “Confirmation of your tax refund” and “Subpoena from IRS”. Microsoft says scammers are also targeting certified public accountants with the email subject line “I need a CPA”.
In one tax-based scam example, Microsoft found an email that warns recipients they face pending tax-related law enforcement action. A malicious Word document, identified as a subpoena, accompanies the email. If the attachment is opened, Word displays the document in Protected View and prompts the target of the attack to enable editing.
“If Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,” Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.
Another scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line “I need a CPA” contain the fraudulent plea: “I need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..”
The email includes an attachment called “tax-infor.doc” that contains malicious macro code. If a recipient ignores Microsoft’s warning against enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. “These threats can log keystrokes, monitor the applications you open, and track your web browsing history,” according to Microsoft.
Tax scammers are also luring victims with threats. One email reads “Info on your debt and overdue payments” in the subject line. These emails don’t include attachments; instead, they carry warnings from a sender that purports to be from the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. The message warns action is needed within 24 hours to avoid “significant charges and fines.” The link is to a phishing page.
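For mail administrators, the lures described above can be turned into a simple triage check. The following is an added example, not code from Microsoft or from the original article: the function names and finding labels are hypothetical, the sample messages are constructed, and only the subject lines and the attachment name come from the report.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment name as reported in the article (lower-cased).
LURE_SUBJECTS = {
    "you are eligible!", "confirmation of your tax refund", "subpoena from irs",
    "i need a cpa", "info on your debt and overdue payments",
}
REPORTED_ATTACHMENTS = {"tax-infor.doc"}
# OLE2 header: a legacy Office container that can carry macros (not proof of one).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
URL_RE = re.compile(r"https?://\S+", re.I)


def triage(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 5322 message (labels are hypothetical)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # Strip reply/forward prefixes so "RE: Subpoena from IRS" still matches.
    subject = re.sub(r"^((re|fwd?):\s*)+", "", str(msg["subject"] or "").strip(), flags=re.I)
    if subject.lower() in LURE_SUBJECTS:
        findings.append("lure-subject")
    attachments = list(msg.iter_attachments())
    for part in attachments:
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in REPORTED_ATTACHMENTS:
            findings.append("reported-attachment-name")
        if data.startswith(OLE2_MAGIC):
            findings.append("ole2-office-attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # The "debt and overdue payments" lure carries a link and no attachment.
    if not attachments and URL_RE.search(text) and "lure-subject" in findings:
        findings.append("link-only-lure")
    return findings


def build_sample(subject, body, attachment=None) -> bytes:
    """Build a constructed test message; addresses and content are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "cpa@example.com", subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="msword", filename=name)
    return m.as_bytes()
```

Exact subject matching only catches the wording reported here, so findings like these are best used to route messages for review rather than as a sole blocking rule.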
“As the examples show, phishing and malware attacks target both professional and individual taxpayers,” Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees’ sensitive tax information.
“These attacks rely on social engineering tactics — you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or clicking on links,” Microsoft said.