It’s still relatively early in the year, but bad actors are already targeting accounting and finance organizations as well as filers in the United States with tax-related scams.
Researchers at cybersecurity company Proofpoint wrote in a report this week that the return of tax season reliably brought the threat group TA576 back into action.
“TA576 is the most consistent actor in terms of exclusively leveraging tax-themed lures in its social engineering to deliver malware,” Selena Larson, senior threat intelligence analyst at Proofpoint, told Security Boulevard. “We see them annually return in the first quarter of the year, targeting organizations in North America.”
Given the amount of money changing hands between tax preparers, filers, and the Internal Revenue Service (IRS), and the pages of personal information in tax documents, it’s not surprising that tax season draws cybercriminals.
The IRS has a growing list of types of tax scams aimed at various players, including taxpayers and myriad organizations involved in the process. The campaigns touch on just about every tax-related subject, from unclaimed funds and W2 forms to charity donations and fake IRS calls.
“Thousands of people have lost millions of dollars and their personal information to tax scams,” the agency says on its website. “Scammers use the regular mail, telephone and email to set up individuals, businesses, payroll and tax professionals.”
Proofpoint’s Larson said tax season scams are similar to other attacks that attach themselves to sporting events, natural disasters, and similar high-profile situations.
“In addition to content purporting to be tax preparing agents, we regularly see spoofing of official agencies such as the IRS and official tax forms leveraged as both malicious attachments,” she said. “Each year, typically from January through April, Proofpoint observes an increase in tax-themed content to deliver malware as well as credential phishing.”
The number of attacks and the themes are consistent and “you can anticipate like clockwork when threat actors will start using this type of theme in social engineering,” Larson added. “We expect to see similar campaigns for the foreseeable future.”
TA576 is among the most prominent of the tax-focused bad actors, typically active in the first months of the year with low-volume email campaigns. Proofpoint already has seen two of the group’s campaigns this month using tax-themed lures that target accounting and finance companies. The cybercriminals begin their attacks by sending seemingly harmless emails to organizations requesting help with tax preparation.
The group sends the emails from a compromised account, though included is a reply-to address to a recently registered domain that most likely belongs to the attackers. In the email, the bad actors usually include a backstory for their request, such as saying that their previous tax preparer sold their practice and the replacement messed up the previous year’s returns.
They offer to send their previous year’s tax returns for review and to set a price for preparing this year’s taxes. If the target replies, the bad actor responds with a malicious Google Firebase URL.
“If the URL was clicked, it redirected to the download of a zipped shortcut (LNK) file,” Larson and Proofpoint threat researcher Tommy Madjar wrote in their report. “If this shortcut was executed, it ran encoded PowerShell via the SyncAppvPublishingServer.vbs LOLBAS inject. The PowerShell command launched Mshta to run the HTML application (HTA) payload from a provided URL.”
They added that “Living Off The Land Binaries, Scripts and Libraries (LOLBAS) techniques are becoming increasingly popular among cybercriminal threats.”
The goal is to deliver remote access trojans (RATs), and Larson and Madjar wrote that the campaigns this year marked the first time TA576 delivered the Parallax RAT, which was first detected in 2020, targets Windows systems, and can evade detection, steal credentials, and execute remote commands, Morphisec Labs wrote that year.
It also was by attackers during the pandemic, using news about the public health emergency to entice victims to open COVID-19-related emails.
“In the case of TA576, the ultimate objective is unknown,” Larson said. “However, the Parallax RAT payload can be used for remote access to a host machine to collect information, install follow-on payloads, or potentially enable lateral movement across a network. We assess TA576 is a financially motivated threat actor.”
The IRS also this month is warning tax preparers to beware of such new-client scams, with agency Commissioner Danny Werfel saying that what fraudsters want “is help themselves to the sensitive client data of tax professionals. We urge tax professionals and their employees to be extra cautious when receiving unexpected email solicitations and avoid clicking on links or opening attachments.”
Such new client scams are becoming a problem, accounting for about two-thirds of the 400 reports about business email compromise (BEC) or spoofing (BES) complaints to IRS offices last year.
Proofpoint has tracked TA576 since 2018 and while through group has been seen primarily targeting accounting and financial entities, it’s been known to focus on related industries, such as legal.
The cybersecurity firm also has seen at least one other group, TA558, and unattributed threat clusters leverage tax themes this month and Larson and Madjar wrote that they expect to see more as things move closer to the April 15 filing deadline.
“TA576’s unique attack chain demonstrates behaviors that are increasingly used by cybercrime threat actors, including ‘living off the land’ techniques using existing scripts and services on a host to conduct malicious activities and chaining multiple PowerShell scripts together before the final payload execution,” they wrote. “This is part of the trend featuring more creativity and attack chain experimentation among cybercrime threat actors.”
Recent Articles By Author