The tax scam season: What to watch out for

The tax season is a popular time for cybercriminals to strike -- but the risk of phishing campaigns is yet to come to an end.
Written by Charlie Osborne, Contributing Writer
Trend Micro

The tax season has been and gone -- but what campaigns, tricks and malware is still used to try and lure victims to part with their sensitive data?

Every year, there is a collective groan when we realize it is the season to start sorting out our accounts and filing tax paperwork. On the other hand, cyberattack groups rub their hands in glee, as the time period can prove to be a lucrative season in which to steal data and empty our bank accounts.

While standard phishing campaigns -- emails sent pretending to be legitimate sources in order to deliver malicious code to PCs -- range from long-lost uncles in Africa requesting our bank details to fake PayPal and banking messages, the tax season is also hijacked by these same threat actors, masquerading as government officials seeking additional information.

Sadly, many victims who do not see fraudulent emails for what they are often fall prey to these schemes.

In a new research paper posted by Trend Micro, the workings behind these phishing campaigns and scams has been examined in depth. The security team discovered that Internal Revenue Service (IRS) scams, focused on US consumers, normally begin with mass email campaigns shortly before or after the tax filing season. The emails often ask readers to open a malicious attachment or to click a link which leads to malicious pages or files, a common and simple method used in scams today.


The report (.PDF) says that malware delivered to systems are usually Trojans or remote access Trojans (RATs) which could give attackers access to account details, allow them to download additional malware such as keyloggers, and steal valuable sensitive information.

The security team secured and tested samples of today's phishing emails, using sandbox technology to dissect malicious code. Trend Micro found that many files were strikingly similar and used mutexs -- objects which allow multiple program threads to share the same resource -- and a number of Trojan kits were connected. At least five Trojan and keylogger toolkits have been linked to tax season phishing campaigns, including DarkComet, Pony Loader, ZeuS, HawkEye Keylogger and Limitless Keylogger.

Among the variants was a malicious file which dropped HACK PAYPAL.EXE and TESTV2.EXE, which when executed, increased the balances of PayPal accounts and injected malicious processes into the Windows Task manager program. This, in turn, allows keyloggers to be installed.

A separate variant drops a number of files, including tools which obtain Facebook passwords, phish for data and drop keylogging software disguised under the name Google.exe.

See also: PhishMe raises $13m to train enterprise staff in phishing detection

After examining hash trails, the security team says that they have identified three possible IRS tax scammers -- two individuals and one group -- of which one person, a Malaysian national, may allegedly have recruited people in the US to work as mules for tax scams.

Trend Micro recommends that US consumers note the IRS will never ask you to part with personal or sensitive information by email, call immediately to demand payment or pay your taxes without the right to appeal. Keep this in mind, don't panic, and give them a call directly.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards