New phishing campaign targets taxpayer credentials
2021-03-19 04:30

A new phishing campaign is targeting U.S. taxpayers with documents that purport to contain tax-related content but ultimately deliver NetWire and Remcos, two prolific remote access trojans that allow attackers to take control of victims' machines, Cybereason discovered.

The new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client onto the targeted machine.

Key findings

Threat actors at work: Since the beginning of the year or earlier, threat actors have been luring early tax filers into opening malicious attachments via email - with the filing deadline around the corner, they are making one more push.

"Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim's machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the U.S. tax season to infect targets at will," said Assaf Dahan, senior director and head of threat research at Cybereason.

Tips to enhance safety when filing tax returns

Don't click on links or open attachments in email: The threat actors use social engineering to steal sensitive information because a large percentage of targets will click on links or open attachments in their email without thinking twice.

Call the company or go directly to the company's website to look for related info: If you receive an email or other correspondence related to tax filing, call the company directly to confirm whether it is communicating with customers via email.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZSiwnXXYdYQ/