As Tax Day approaches, Proofpoint called attention to an increase in tax-related malware and phishing campaigns in a blog post on Wednesday. The company noted that popular campaigns including malware payloads are popular, with a focus on remote access Trojans (RATs), downloaders, and banking Trojans, as well as more traditional phishing campaigns. Proofpoint specifically called out scams where the cybercriminals target U.S. victims using Internal Revenue Service form names in the emails in an effort to get victims to download malicious files, but have foreign top-level domains. Additionally, Proofpoint noted that scammers will use stolen branding and seemingly legitimate privacy language to “convince victims to open an attached spreadsheet with malicious macros that install The Trick [a banking Trojan] when they are enabled.” Proofpoint also noted a new spin on phishing campaigns in which cybercriminals sent emails with “HTML attachments or URLs that linked victims to spoofed login pages and online forms with stolen branding from the IRS and other local tax authorities. To ensure that the phishing attempts remained undetected, actors often redirected victims to the official tax authority websites after stealing their credentials. As a result, many victims were likely unaware that they had just disclosed their tax information to phishers.”
