All posts by Phish Net

Scam IRS emails deliver malware payload

Scammers are using fake IRS emails to launch attacks that download Kovter and CoreBot malware.

Just in time for tax season in the U.S., scammers are once again using fake emails from the Internal Revenue Service (IRS) to launch attacks. The latest phishing campaign, discovered by researchers at Heimdal Security, claims to inform recipients of a refund notification from the IRS.

According to a blog post by the research team at Heimdal Security, the emails deliver a very different kind of payload: an attachment that activates Windows PowerShell to download Kovter and CoreBot.

The spam email appears to be sent from the IRS, carries a subject line that reads “Payment for tax refund # 00 [6 random numbers]”, and contains a zip attachment that reads as Tax_Refund_00654767.doc.js.

“If an unsuspecting user opens the attachment – and ignores several warnings – then the code will run on the machine with the privileges of the logged in user,” Andra Zaharia wrote on the Heimdal blog. “If you’re using your admin account on a daily basis, this may prompt you to reconsider.”

IRS spam emails are a popular method of obtaining information from targets. Fake IRS email campaigns have used varied methods, including links to web pages that download malware, emails that claim to contain stimulus payment information, and spear phishing emails that target corporate executives.
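For mail filtering, the two indicators described above (the refund subject line and a script file hidden behind a document extension inside a zip) can be checked with a short scanner. This is an added example, not code from Heimdal Security or from this blog; the extension lists, the zip file name and the sample message are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject template reported on this page: "Payment for tax refund # 00" + 6 digits.
SUBJECT_RE = re.compile(r"payment for tax refund\s*#\s*00\s*\d{6}", re.I)
# Assumed extension lists (not from the page); extend to match local policy.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}


def deceptive_name(name):
    """True for names like report.doc.js: decoy extension, then a script one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        findings.append("subject matches refund lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        names = [fname]
        if fname.lower().endswith(".zip"):
            try:  # list archive members without extracting them
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    names += zf.namelist()
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip: {fname}")
        findings += [f"script behind decoy extension: {n}" for n in names if deceptive_name(n)]
    return findings


def build_sample():
    """Constructed test message; the archive member holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Refund_00654767.doc.js", "// inert placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Payment for tax refund # 00654767"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Tax_Refund_00654767.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns both findings; a message with an ordinary subject and a plain `.doc` or `.js` file name in the archive returns none from the double-extension check.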


Be wary of fraudsters online or on the phone

Seán Kelly MEP is warning people to be wary of potential fraudsters trying to scam money online or over the phone by obtaining banking details, passwords and other personal information.

The Fine Gael MEP, who is a leading negotiator on EU Data Protection policy, says criminals are becoming more sophisticated and so are their phishing schemes: “Phishing emails, or emails sent by criminals seeking sensitive financial information like account details, used to be obviously fraudulent with poor spelling and inaccurate information or logos. But now, criminals are much more sophisticated and so are their scams.

“Just last month, a phishing email was sent to many Irish email addresses by fraudsters pretending to represent Electric Ireland stating that they were due a refund – asking for bank account information and a copy of their passport. It was very professional looking and even linked to some of the company’s real social media accounts. Thankfully, many recipients alerted the company who were quick to issue a warning via social media and through traditional media, preventing people being scammed.

“However, these scams are more and more common. Criminals are pretending to be from PayPal, eBay, banks and so on. I want to remind my constituents that banks and other financial institutions do not and will not send emails asking you to divulge your security passwords or codes.”

Mr Kelly advised those in receipt of suspicious emails not to respond, not to click on any links or open any attachments, and to report them to the authorities if necessary.

The Garda Bureau of Fraud Investigation is dealing with cases like this on a daily basis, according to Mr Kelly who says criminals are also calling landlines in some instances.

“Likewise, genuine banks or companies would never call their customers and ask for sensitive financial information. However, there is anecdotal evidence of some fraudsters calling people and pretending to be from a computer software company like Microsoft informing them there is a problem with their PC so they can access your information. One person who received such a call didn’t even own a PC!”

Mr Kelly added that if someone is uncomfortable or suspicious talking to an unknown caller, they should simply end the conversation and hang up the call.