{"id":7037,"date":"2017-03-20T05:00:35","date_gmt":"2017-03-20T13:00:35","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/20\/news-828\/"},"modified":"2017-03-20T05:00:35","modified_gmt":"2017-03-20T13:00:35","slug":"news-828","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/20\/news-828\/","title":{"rendered":"Tax-themed phishing and malware attacks proliferate during the tax filing season"},"content":{"rendered":"

Credit to Author: msft-mmpc| Date: Mon, 20 Mar 2017 12:50:12 +0000<\/strong><\/p>\n

Tax-themed\u00a0scams and social engineering attacks are as certain as\u00a0(death or) tax\u00a0itself. Every year we see these attacks, and 2017 is no different.<\/p>\n

These attacks\u00a0circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but\u00a0they peak in the months leading to U.S. Tax Day in mid-April.<\/p>\n

Cybercriminals are using a variety of social engineering tactics related to different scenarios\u00a0associated with\u00a0tax filing, in order to get you to click links or open malicious attachments.<\/p>\n

Here are some recent examples we\u2019ve seen. The best defense is awareness: no matter what stage you are in your tax filing and wherever you are in the world, don\u2019t fall for these social engineering attacks.<\/p>\n

Tax refund: \u201cYou are eligible!\u201d<\/h2>\n

An enticing bait attackers use says that you\u2019re eligible for a refund. We\u2019re\u00a0seeing several phishing campaigns targeting taxpayers in the United Kingdom, where tax filing season ended in January. These attacks are targeting people who might be waiting for information about their tax refund.<\/p>\n

These kinds of phishing emails pretend to come from HM Revenue and Customs, the tax collection body in the UK. These mails vary in how legitimate they appear, but in all cases the attackers want you to click a link in the mail. The\u00a0link points to a phishing page that will ask\u00a0for\u00a0sensitive information.<\/p>\n

\"tax-social-engineering-email-malware-4\"<\/p>\n

\"tax-social-engineering-email-malware-5\"<\/p>\n

\"tax-social-engineering-email-malware-6\"<\/p>\n

If your default browser is Microsoft Edge<\/a>, Microsoft SmartScreen<\/a>\u00a0will automatically block access to these phishing sites. Internet Explorer also includes Microsoft SmartScreen.<\/p>\n

\"tax-social-engineering-email-malware-smartscreen\"<\/p>\n

Tax filed: \u201cPayment has been debited from your account\u201d<\/h2>\n

Another cybercriminal tactic is to pretend to deliver a receipt for taxes filed. A recent example is a malicious email with the subject \u201cRs. 73,250 TDS Payment Has Been Debited from your Account\u201d<\/em>. TDS refers to Tax Deducted at Source, which is the method of collecting tax in India.<\/p>\n

The message body says, \u201cKindly download and view your receipt below attached to this email.\u201d<\/em> The attachment plays the part and bears the name Income Tax Receipt.zip<\/em>.<\/p>\n

\"tax-social-engineering-email-malware-3\"<\/p>\n

Inside the .zip is the file Income Tax Receipt.scr<\/em>, which is really a banking Trojan detected by Windows Defender Antivirus\u00a0as TrojanSpy:Win32\/Bancos.XN<\/a>.<\/p>\n

The payload Trojan is part of a family of keyloggers. When it runs, it logs all keystrokes and sends these to an attacker. From the keystrokes, an attacker can then collect sensitive info like user names and passwords\u00a0for online banking, email, social media, and other online accounts.<\/p>\n

SHA1: 89c5248a989c79fdff943c7c896aeaee4175730d<\/p>\n

Tax overdue: \u201cInfo on your debt and overdue payments\u201d<\/h2>\n

Some\u00a0tactics are more threatening.\u00a0One example\u00a0accuses the recipient of having overdue tax.<\/p>\n

This threat can cause the recipient to panic and click a link in the email without thinking things through. We monitored an attack that targets taxpayers in the US and accused recipients of overdue tax and that action needed to be taken immediately. The link in the email is, of course, a phishing page.<\/p>\n

\"tax-social-engineering-email-malware-7\"<\/p>\n

Again, Microsoft SmartScreen\u00a0blocks access to this phishing page.<\/p>\n

Tax evasion: \u201cSubpoena from IRS\u201d<\/h2>\n

Some attacks use fear as bait. One such bait tells recipients that there\u2019s pending law enforcement action against them. We saw an example of this sent to U.S. taxpayers. It pretends to contain information about a subpoena, asking \u201cWhat should we do regarding the subpoena from IRS?\u201d<\/p>\n

\"tax-social-engineering-email-malware-8\"<\/p>\n

The attachment is a document file\u00a0that\u00a0Microsoft Word opens\u00a0in Protected View<\/em>. The attackers expected this, so the document contains an instruction to Enable Editing.<\/p>\n

\"tax-social-engineering-email-malware-9\"<\/p>\n

If\u00a0Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32\/Zdowbot.C<\/a>.<\/p>\n

Zdowbot is a family of Trojan downloaders. They connect to a remote host and wait for commands.\u00a0In addition to\u00a0downloading and installing other malware, they can send information about your PC to a remote attacker.<\/p>\n

SHA1:7a46f903850e719420ee19dd189418467cb8af40<\/p>\n

Tax preparation: \u201cI need a CPA\u201d<\/h2>\n

Some\u00a0attacks are\u00a0relevant during the early part of the tax filing process. We saw an attack this year that targets accountants in the U.S., given\u00a0the timing\u00a0and the information in the email referencing the IRS.<\/p>\n

The attack\u00a0pretends to be coming from somebody seeking the services of a CPA. It\u00a0includes an attachment named tax-infor.doc<\/em>.<\/p>\n

\"tax-social-engineering-email-malware-1\"<\/p>\n

The attachment is a document with malicious macro code.\u00a0Macros should be disabled by\u00a0default\u00a0(as is the best practice). When the attachment opens,\u00a0Microsoft Word issues a warning. To encourage you to enable macros, the document displays\u00a0a fake\u00a0message box that says \u201cPlease enable Editing and Content to see this document\u201d<\/em>. The fake message box is\u00a0designed to look like it’s part\u00a0of Microsoft Word, but it’s really part of the document itself.<\/p>\n

\"tax-social-engineering-email-malware-2\"<\/p>\n

If you fall for the ruse and enable macros, then the malicious macro downloads the malware TrojanSpy:MSIL\/Omaneat <\/a>from hxxp:\/\/193[.]150[.]13[.]140\/1.exe.<\/p>\n

Omaneat is a family of info-stealing malware. These threats can log keystrokes, monitor the applications you open, and track your web browsing history.<\/p>\n

SHA1: ffc06b87eed545df632b61b2a32ef36216eb697d<\/p>\n

How to stay safe from social engineering attacks<\/h2>\n

Tax-themed\u00a0malware and phishing\u00a0attacks\u00a0highlight an important truth: most cybercrime is after your hard-earned money.<\/p>\n

But these\u00a0attacks rely\u00a0on social engineering tactics —\u00a0you can detect them if you know what to look for.\u00a0Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or click on links. Some malicious emails may be spoofing the sender.<\/p>\n

The built-in security technologies in Windows 10<\/a> can help protect you from these attacks. Keep your computers up-to-date.<\/a><\/p>\n

Enable Windows Defender Antivirus<\/a> to detect malware that arrive via email messages using tax filing as bait. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.<\/p>\n

Practice safe browsing habits. We recommend Microsoft Edge<\/a>. It blocks known phishing and other malicious sites using Microsoft SmartScreen<\/a>.<\/p>\n

Additional protection is available for businesses running Windows 10 and Office products.<\/p>\n

Use Office 365 Advanced Threat Protection<\/a>, which has machine learning capability that blocks dangerous email threats, such as social engineering emails that carry malware or phishing links.<\/p>\n

Use Device Guard<\/a> to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run.<\/p>\n

IT administrators can\u00a0use Group Policy in Office 2016 <\/a>to block known malicious macros, such as the documents used in these social engineering attacks, from running.<\/p>\n

For more information, download and read this Microsoft e-book on preventing social engineering attacks<\/a>, especially in enterprise environments.<\/p>\n

 <\/p>\n

Jeong Mun and Francis Tan Seng<\/em><\/p>\n

MMPC<\/em><\/p>\n

https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: msft-mmpc| Date: Mon, 20 Mar 2017 12:50:12 +0000<\/strong><\/p>\n

Tax-themed\u00a0scams and social engineering attacks are as certain as\u00a0(death or) tax\u00a0itself. Every year we see these attacks, and 2017 is no different. These attacks\u00a0circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but\u00a0they peak in the months leading to U.S. Tax Day in mid-April. Cybercriminals are using a variety of…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10806,3924,10510,10518,11683,10761],"class_list":["post-7037","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-macro-based-malware","tag-phishing","tag-social-engineering","tag-spam","tag-tax-themed-attacks","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7037"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7037\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7037"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}