Latest Tax Scams Target Apps and Tax-Prep Websites

Traditional e-mail based scams are also in the mix this year, one in particular that uses the legitimate app TeamViewer to take over victims’ systems.

This tax season crooks are targeting users with a new crop of scams that include leveraging remote desktop software and compromising small tax-prep company websites.

“If you have the word ‘tax’ in your domain name; you’re a target this year,” warns Sherrod DeGrippo, senior director of threat research and detection at Proofpoint in a report released Wednesday.

The attacks are emerging alongside the traditional e-mail based attacks that try to trick users into installing malware that can steal credentials or take control of systems. One of the new targeted tax scams leverages the legitimate TeamViewer remote-control app to do its dirty work, he wrote. Other email-based attacks this year leverage more traditional malware like The Trick banking trojan.

Attackers this year are focusing on smaller tax-preparation firms probably because “smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened,” he wrote.

Some rather unlikely sectors emerged as more likely targets during the 2019 tax season, in particular the construction industry, which, alongside financial firms, is at higher risk of attack this year, he said. “The construction industry targeting in particular is a reminder that no one sector is immune,” DeGrippo wrote.

The attacks on legitimate small-business sites that Proofpoint observed this year target sites running unpatched and out-of-date WordPress or other content-management installations. Attackers take control of these sites and use them to distribute malware to visitors, according to the post.

“Attackers use these vulnerabilities to get access to the site, make changes to the sites’ webpages in ways that can only be seen if you view the sites’ raw HTML,” he wrote. “This hides the compromise from visitors as well as site owners who don’t know HTML well enough to recognize the change or what it means.”

Once they access a site’s code, attackers plant malicious code, often hosted somewhere else to cover their tracks, that will try to download malware onto the systems of site visitors, DeGrippo said.
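A site owner can look for the kind of change described above by listing every script or frame in a page's raw HTML that loads from a host they did not put there. This is an added example, not taken from the Proofpoint report; the host names, the sample page and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags (and the attribute on each) that pull active content from a URL.
REMOTE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class RemoteContentAudit(HTMLParser):
    """Collect references to active content served from unexpected hosts."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, tag, host, url)

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if wanted is None:
            return
        url = dict(attrs).get(wanted)
        if not url:
            return
        # Relative URLs have no host: they are served by the site itself.
        host = (urlparse(url).hostname or "").lower()
        if host and host not in self.trusted:
            line, _ = self.getpos()
            self.findings.append((line, tag, host, url))


def audit_page(raw_html, site_host, allowed_hosts=()):
    """Return off-site script/frame references the owner has not approved."""
    parser = RemoteContentAudit(site_host, allowed_hosts)
    parser.feed(raw_html)
    parser.close()
    return parser.findings


# Constructed sample: a small tax-prep page with two references the owner never added.
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.allowed.example/analytics.js"></script>
</head><body>
<h1>Tax preparation services</h1>
<script src="//static.unknown.example/loader.js"></script>
<iframe src="https://frames.unknown.example/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, url in audit_page(SAMPLE, "smalltaxprep.example", ["cdn.allowed.example"]):
        print(f"line {line}: <{tag}> loads from unapproved host {host} ({url})")
```

Run it against the HTML the server actually returns, and compare the findings with a known-good copy of the page, since an injected reference only shows up in the raw source.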

The other notable type of threat this year is an old tactic used by threat actors: tax-themed emails with malicious attachments. However, nowadays they show more sophistication in how legitimate they appear to victims, according to Proofpoint.

In some cases, threat actors are even using data they’ve stolen or bought to tailor the message to the recipient and make it more believable, DeGrippo said. One such threat observed by Proofpoint shows an attacker posing as someone the recipient already knows and citing a conversation the recipient had with the sender, alleging that the message’s attachment, a Word document that enables macros, is one the victim requested.

If the recipient clicks on the attachment, the document installs TeamViewer, a legitimate remote control application that attackers frequently abuse because it often goes undetected by malware protections, DeGrippo wrote.

“In this case, once TeamViewer is installed, the attackers are able to completely control the recipient’s computer, giving them complete access to all the information on that computer including banking and investment accounts,” he wrote.

Researchers also observed other malicious email campaigns that use attachments claiming to be tax-related documents such as W2, W4 and 1099 tax forms to trick users into clicking on them and installing more traditional malware, DeGrippo wrote.

“In one campaign like this, we saw over 5,000 messages over the span of three days targeting financial firms and manufacturing companies” that tried to lure users with references to actual actions that are relevant during tax season, he said.

These include the following messages that people should be wary of: “Important changes, filing due date and charges to form 1099;” “Important adjustments, filing due date and fees to form 1099;” or “Significant adjustments, submitting deadline and fees to form 1099.”

If users click on macro-enabled MS Word documents attached to these messages, they download “The Trick,” a commonly used banking Trojan that steals banking and other financial information, onto a victim’s system, DeGrippo wrote.

Proofpoint urged people to treat all tax-themed attachments as potentially hostile to avoid these scams this year. The company also advised those who own tax preparation and accounting companies to bolster protections by ensuring their sites are hosted with providers that keep their sites patched and handle security for them.
