TrickBot Malware Targets Tax Filing Deadline, IBM Warns

IBM X-Force reveals that multiple malware campaigns are spoofing major accounting and payroll firms as the U.S. tax filing deadline nears.

Tax Return Fraud

As the tax filing deadline of April 15 nears, attackers are ramping up their efforts to defraud Americans with a variety of scams.

On April 8, IBM's X-Force security research team reported a trio of sophisticated email campaigns that spoof major accounting and payroll firms in a bid to trick unsuspecting victims. The campaigns all make use of the TrickBot financial Trojan, which is able to steal financial information and banking information from victims' systems.

"These three campaigns were the top volume tax spam campaigns seen by IBM X-Force this year," Limor Kessem, global executive security advisor at IBM Security, told eWEEK. "These emails appear to be more targeted than the other tax-related spam campaigns that we saw this year."

Among the three campaigns are two that specifically imitated ADP and Paychex—two of the largest payroll firms in the U.S. The third campaign involves a global accounting firm that asked not to be named by IBM. ADP, for its part, issued a warning on March 5 about the same campaign, advising its customers to be wary.

According to IBM, the three campaigns all send phishing emails designed to deceive businesses and consumers into believing they are being contacted by one of the large payroll and accounting firms. The phishing emails all include a malicious Microsoft Excel spreadsheet that integrates the TrickBot Trojan. All the emails in the TrickBot tax campaign were received by victims during normal working hours in the U.S. between 11:45 a.m. and 3:45 p.m. ET.

"While we don't have data to detail how many victims fell for these campaigns, we can say that in 2016 the IRS estimated fraudsters made off with $1.6 billion in tax fraud," Kessem said. "What makes me optimistic is that both the IRS and even these spoofed companies have made concerted efforts to raise awareness about the tactics cyber-criminals are using and [are] alerting users to these spam emails."


TrickBot is a particularly "tricky" Trojan in that it actively spreads beyond just an initial infection to find other sources of information on a network. Kessem explained that while TrickBot is not as targeted as spear phishing, it can still have a significant impact.

"TrickBot's top targets are business accounts, and once installed on a network, it will use its worm module to spread to additional users and devices," she said. "To get an initial foothold, it only takes one unsuspecting user to open and launch the malware from a booby-trapped productivity file."

Tax time scams are not a new phenomenon and have been a regular occurrence for the past several years. The 2019 TrickBot attacks, however, represent a new level of sophistication and risk, according to IBM.

"Usually what we see with tax spam are simpler and often poorly crafted emails asking the reader to open a malicious attachment," Kessem said.

She added that given that the spam delivers the TrickBot Trojan, one of the most prominent banking Trojans, it is most likely being pushed by the Necurs botnet—a longtime provider of spamming services to the cybercrime elite. Kessem said that Necurs is notorious for delivering specially crafted spam to spread malware while also targeting users of large, trusted payroll and accounting companies.


Malware attachments are supposed to be detected by antivirus and spam filtering technologies, but that is not happening with all of the TrickBot tax scam emails. Kessem said that campaigns delivering banking Trojans of TrickBot's caliber are carefully designed to avoid spam filters.

"Pushed to email recipients by other cyber-gangs, like the one operating the Necurs botnet, these emails do not deliver the final payload that could be detected as malware," she explained. "Instead, they conceal malicious scripts inside productivity file macros that are harder to examine."

Kessem added that, in many cases, the TrickBot attackers even password-protect the files so that they cannot be examined by standard security controls. To be set loose, the file needs the recipient to click to enable the macros, unwittingly executing the malicious scripts that would scan the user's device and only then fetch and run TrickBot.

"This layered methodology, kind of like a nesting doll idea, helps attackers get through controls that do not normally block productivity files from being sent around," she said. "Another trick is for spam delivery botnets to constantly change the file types they use, opting for rarely used extensions that most out of the box solutions do not block."

While the current TrickBot scams are sophisticated, IBM recommends several best practices that organizations and individuals can follow to limit the risk of falling victim to the TrickBot tax scam, including:

  • Disable macros by default in Office documents.
  • Use updated antivirus tools and make sure your current vendor has coverage for banking Trojans such as TrickBot.
  • If you receive an email claiming to be from your payroll vendor and you're not sure if you can trust it, try logging into the provider’s website directly or calling your representative to confirm its validity.
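As an added, defender-side example (not code from IBM, eWEEK or the article), the following Python script shows how a mail gateway could triage inbound attachments against the evasion techniques Kessem describes and the first two recommendations above: it blocks OOXML packages that carry a VBA project, holds password-protected Office files (which cannot be inspected) for manual review, and flags extensions that fall outside an allowlist or that do not match the file's real container. The allowlist, the sample attachments and the OLE stub are constructed for this demonstration; the OLE checks are substring heuristics over the UTF-16LE directory-entry names that compound files use, not a full compound-file parser.

```python
import io
import zipfile

# Magic bytes of the two Office container formats used by the lures described above.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .xls/.doc, and encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.xlsm/.docx/.docm)

# Stream and storage names inside an OLE compound file are stored as UTF-16LE
# directory entries, so a substring search is a coarse but workable heuristic.
OLE_VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR", "_VBA_PROJECT"))
OLE_ENCRYPTED_MARKERS = tuple(n.encode("utf-16-le") for n in ("EncryptedPackage", "EncryptionInfo"))

# Hypothetical gateway policy (constructed): macro-enabled extensions are not on the allowlist.
ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "xlsx", "docx", "pptx", "xls", "doc", "ppt"}
OOXML_EXTENSIONS = {"xlsx", "xlsm", "docx", "docm", "pptx", "pptm"}
OLE_EXTENSIONS = {"xls", "doc", "ppt"}

SEVERITY = {"allow": 0, "review": 1, "block": 2}


def _ooxml_has_vba(data: bytes) -> bool:
    """True if the zip package carries a VBA project part or declares one in its content types."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    return True
                if name == "[Content_Types].xml" and b"vbaProject" in z.read(name):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment as allow / review / block and list the reasons."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []  # (verdict, reason); the strictest verdict wins

    if ext not in ALLOWED_EXTENSIONS:
        findings.append(("review", f"extension '.{ext}' is outside the attachment allowlist"))

    if data.startswith(ZIP_MAGIC):
        if _ooxml_has_vba(data):
            findings.append(("block", "OOXML package contains a VBA macro project"))
        if ext not in OOXML_EXTENSIONS:
            findings.append(("review", "content is an OOXML package but the extension says otherwise"))
    elif data.startswith(OLE_MAGIC):
        if any(m in data for m in OLE_ENCRYPTED_MARKERS):
            findings.append(("review", "password-protected Office file: macros cannot be inspected, hold for manual review"))
        if any(m in data for m in OLE_VBA_MARKERS):
            findings.append(("block", "legacy Office file contains a VBA project"))
        # Encrypted OOXML is legitimately an OLE container with an .xlsx/.docx name.
        if ext not in OLE_EXTENSIONS | OOXML_EXTENSIONS:
            findings.append(("review", "content is an OLE compound file but the extension says otherwise"))

    verdict = max((v for v, _ in findings), key=SEVERITY.get, default="allow")
    return {"filename": filename, "verdict": verdict, "reasons": [r for _, r in findings]}


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real workbook), with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        parts = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            parts.append('<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("xl/vbaProject.bin", b"constructed placeholder, not a real VBA project")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
    return buf.getvalue()


def _build_encrypted_ole_stub() -> bytes:
    """Constructed stub: only the header magic and the directory names the heuristic keys on."""
    return (OLE_MAGIC + b"\x00" * 504
            + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 32
            + "EncryptedPackage".encode("utf-16-le"))


# Constructed sample attachments modelled on the lure types in the article.
SAMPLE_ATTACHMENTS = [
    ("Q1_payroll_statement.xlsm", _build_ooxml(with_macro=True)),
    ("Q1_payroll_statement.xlsx", _build_ooxml(with_macro=True)),  # macro file renamed to look benign
    ("invoice_2019.xlsx", _build_ooxml(with_macro=False)),
    ("W2_corrected.xls", _build_encrypted_ole_stub()),
    ("tax_notice.pdf", b"%PDF-1.4 constructed placeholder"),
    ("tax_notice.xyz", b"constructed opaque payload"),
]


def run_triage(samples=SAMPLE_ATTACHMENTS) -> dict:
    """Map each sample filename to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        r = triage_attachment(name, data)
        print(f"{r['verdict']:6} {name}: {'; '.join(r['reasons']) or 'no findings'}")
```

The "review" verdict for password-protected files is the operational answer to the evasion Kessem describes: a gateway that cannot look inside a file should quarantine it rather than pass it through, and the user can be asked to confirm it with the payroll vendor through a known-good channel, as the third recommendation suggests.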

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.