The tax scam season: What to watch out for

POS threat 'Punkey' allows additional malware download for greater access
April 17, 2015
HTTPS snooping flaw in third-party library affected 1,000 iOS apps with millions of users
April 21, 2015

20 April 2015

The tax season has been and gone — but what campaigns, tricks and malware is still used to try and lure victims to part with their sensitive data?

Every year, there is a collective groan when we realize it is the season to start sorting out our accounts and filing tax paperwork. On the other hand, cyberattack groups rub their hands in glee, as the time period can prove to be a lucrative season in which to steal data and empty our bank accounts.

While standard phishing campaigns — emails sent pretending to be legitimate sources in order to deliver malicious code to PCs — range from long-lost uncles in Africa requesting our bank details to fake PayPal and banking messages, the tax season is also hijacked by these same threat actors, masquerading as government officials seeking additional information.

Sadly, many victims who do not see fraudulent emails for what they are often fall prey to these schemes.

In a new research paper posted by Trend Micro, the workings behind these phishing campaigns and scams has been examined in depth. The security team discovered that Internal Revenue Service (IRS) scams, focused on US consumers, normally begin with mass email campaigns shortly before or after the tax filing season. The emails often ask readers to open a malicious attachment or to click a link which leads to malicious pages or files, a common and simple method used in scams today.


The report (.PDF) says that malware delivered to systems are usually Trojans or remote access Trojans (RATs) which could give attackers access to account details, allow them to download additional malware such as keyloggers, and steal valuable sensitive information.

The security team secured and tested samples of today’s phishing emails, using sandbox technology to dissect malicious code. Trend Micro found that many files were strikingly similar and used mutexs — objects which allow multiple program threads to share the same resource — and a number of Trojan kits were connected. At least five Trojan and keylogger toolkits have been linked to tax season phishing campaigns, including DarkComet, Pony Loader, ZeuS, HawkEye Keylogger and Limitless Keylogger.

Among the variants was a malicious file which dropped HACK PAYPAL.EXE and TESTV2.EXE, which when executed, increased the balances of PayPal accounts and injected malicious processes into the Windows Task manager program. This, in turn, allows keyloggers to be installed.

A separate variant drops a number of files, including tools which obtain Facebook passwords, phish for data and drop keylogging software disguised under the name Google.exe.

After examining hash trails, the security team says that they have identified three possible IRS tax scammers — two individuals and one group — of which one person, a Malaysian national, may allegedly have recruited people in the US to work as mules for tax scams.

Trend Micro recommends that US consumers note the IRS will never ask you to part with personal or sensitive information by email, call immediately to demand payment or pay your taxes without the right to appeal. Keep this in mind, don’t panic, and give them a call directly.

Source –



Request Demo