    TrickBot Malware Targets Tax Filing Deadline, IBM Warns

    By Sean Michael Kerner - April 8, 2019

      As the tax filing deadline of April 15 nears, attackers are ramping up their efforts to defraud Americans with a variety of scams.

      On April 8, IBM’s X-Force security research team reported a trio of sophisticated email campaigns that spoof major accounting and payroll firms in a bid to trick unsuspecting victims. The campaigns all make use of the TrickBot financial Trojan, which is able to steal financial and banking information from victims’ systems.

      “These three campaigns were the top volume tax spam campaigns seen by IBM X-Force this year,” Limor Kessem, global executive security advisor at IBM Security, told eWEEK. “These emails appear to be more targeted than the other tax-related spam campaigns that we saw this year.”

      Among the three campaigns are two that specifically imitated ADP and Paychex—two of the largest payroll firms in the U.S. The third campaign involves a global accounting firm that asked not to be named by IBM. ADP, for its part, issued a warning on March 5 about the same campaign, advising its customers to be wary.

      According to IBM, the three campaigns all send phishing emails designed to deceive businesses and consumers into believing they are being contacted by one of the large payroll and accounting firms. The phishing emails all include a malicious Microsoft Excel spreadsheet that integrates the TrickBot Trojan. All the emails in the TrickBot tax campaign were received by victims during normal working hours in the U.S. between 11:45 a.m. and 3:45 p.m. ET.

      “While we don’t have data to detail how many victims fell for these campaigns, we can say that in 2016 the IRS estimated fraudsters made off with $1.6 billion in tax fraud,” Kessem said. “What makes me optimistic is that both the IRS and even these spoofed companies have made concerted efforts to raise awareness about the tactics cyber-criminals are using and [are] alerting users to these spam emails.”

      TrickBot

      TrickBot is a particularly “tricky” Trojan in that it actively spreads beyond just an initial infection to find other sources of information on a network. Kessem explained that while TrickBot is not as targeted as spear phishing, it can still have a significant impact.

      “TrickBot’s top targets are business accounts, and once installed on a network, it will use its worm module to spread to additional users and devices,” she said. “To get an initial foothold, it only takes one unsuspecting user to open and launch the malware from a booby-trapped productivity file.”

      Tax time scams are not a new phenomenon and have been a regular occurrence for the past several years. The 2019 TrickBot attacks, however, represent a new level of sophistication and risk, according to IBM.

      “Usually what we see with tax spam are simpler and often poorly crafted emails asking the reader to open a malicious attachment,” Kessem said.

      She added that given that the spam delivers the TrickBot Trojan, one of the most prominent banking Trojans, it is most likely being pushed by the Necurs botnet—a longtime provider of spamming services to the cybercrime elite. Kessem said that Necurs is notorious for delivering specially crafted spam to spread malware while also targeting users of large, trusted payroll and accounting companies. 

      Detection

      Malware attachments are supposed to be detected by antivirus and spam filtering technologies, but that’s not what’s happening with all of the TrickBot tax scam emails. Kessem said that campaigns delivering banking Trojans of TrickBot’s caliber are carefully designed to avoid spam filters.  

      “Pushed to email recipients by other cyber-gangs, like the one operating the Necurs botnet, these emails do not deliver the final payload that could be detected as malware,” she explained. “Instead, they conceal malicious scripts inside productivity file macros that are harder to examine.”

      Kessem added that, in many cases, the TrickBot attackers even password-protect the files so that they cannot be examined by standard security controls. The file does nothing until the recipient clicks to enable the macros, which unwittingly executes the malicious scripts; these scan the user’s device and only then fetch and run TrickBot.

      “This layered methodology, kind of like a nesting doll idea, helps attackers get through controls that do not normally block productivity files from being sent around,” she said. “Another trick is for spam delivery botnets to constantly change the file types they use, opting for rarely used extensions that most out of the box solutions do not block.”

      While the current TrickBot scams are sophisticated, IBM recommends several best practices that organizations and individuals can follow to limit the risk of falling victim to the TrickBot tax scam, including:

      • Disable macros by default in Office documents.
      • Use updated antivirus tools and make sure your current vendor has coverage for banking Trojans such as TrickBot.
      • If you receive an email claiming to be from your payroll vendor and you’re not sure if you can trust it, try logging into the provider’s website directly or calling your representative to confirm its validity.
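
A mail gateway can flag the two attachment traits described above, macro-bearing and password-protected Office files, before they reach an inbox. The following is an added example, not code from IBM or eWEEK; it is a byte-level heuristic, and the function names, verdict labels and the ACTIONS policy are assumptions made for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header

def utf16(name: str) -> bytes:
    # OLE directory entries store stream names as UTF-16LE.
    return name.encode("utf-16-le")

def triage_attachment(data: bytes) -> str:
    """Return 'encrypted', 'macro', 'legacy-ole', 'ooxml-no-macro' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # A password-protected OOXML workbook is wrapped in an OLE container
        # holding an 'EncryptedPackage' stream, so content scanners see nothing.
        if utf16("EncryptedPackage") in data:
            return "encrypted"
        # Legacy .xls/.doc files keep VBA code under a '_VBA_PROJECT' stream.
        if utf16("_VBA_PROJECT") in data:
            return "macro"
        return "legacy-ole"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        # Macro-enabled OOXML (.xlsm, .docm) ships its VBA as vbaProject.bin.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[content_types].xml" in names:
            return "ooxml-no-macro"
    return "unknown"

# Hypothetical policy: hold anything that cannot be inspected or can run code.
ACTIONS = {"encrypted": "quarantine", "macro": "quarantine",
           "legacy-ole": "sandbox", "ooxml-no-macro": "deliver",
           "unknown": "sandbox"}

def build_sample(kind: str) -> bytes:
    """Constructed inputs for the demo; not real documents or malware."""
    if kind == "encrypted":
        return OLE_MAGIC + b"\x00" * 504 + utf16("EncryptedPackage")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if kind == "macro":
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for kind in ("encrypted", "macro", "plain"):
        verdict = triage_attachment(build_sample(kind))
        print(kind, "->", verdict, "->", ACTIONS[verdict])
```

The check looks only at container structure, so it also catches macro-enabled files that arrive under an unusual or mismatched extension; it does not parse or deobfuscate the macro itself.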

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
