Boston-based cybersecurity firm Cybereason says it has identified a new hacking campaign designed to capitalize on users’ tax anxieties with spear-phishing emails that purport to contain tax documents, but actually unleash malware.
The attackers’ goal, the firm said, is to take over users’ computers when they click on the documents and links, steal personally identifiable information, and even go as far as rerouting and stealing tax refunds.
Here’s how the scam allegedly works: Hackers include documents in the emails that appear to be tax documents. When opened, the documents appear blurry, and a prompt tells the user: “Can’t view the content?” It instructs them to click “enable editing” on a menu bar – a click that will actually allow the malware to run on the user’s computer. Once in, the hackers can search for personal data, take over the tax filing process, or even jump from a user’s personal computer to a work machine they may also be using at home.
It was not clear how many people have been targeted by the scam this year.
Cybereason CEO Lior Div said hackers often try to use events in the news to trick users into clicking, and Tax Day is just their latest hook. “They’re trying to convince you to click as much as possible,” he said. “When it’s related to IRS, the probability that you will click is high because everybody is nervous about it but wants to make sure they’re doing it right. And when it’s happening, you just click and you don’t think twice.”
Clicking on the documents unleashes two remote access trojans, called NetWire and Remcos. And Cybereason said those two trojans are examples of what’s called “malware as a service,” with specialty hackers developing cutting-edge hacking tools and then licensing those tools – for a fee – to other criminals who actually execute the attacks.
Websites offering these malware service packages can look just like the evil twins of regular software companies, offering “add to cart” buttons, licenses per user, service packages, and even promotions and sales.
Div said some hackers offer their criminal customers 24/7 help desks to call for support if they’re having difficulty executing their cyberattacks.
“If you don’t know how to use it, they’ll explain how to use the malware,” he said. And they’ve solved another problem: the language barrier. Because hackers operate in many languages around the globe, Div said the hacker help desks he has called now offer multilingual hacking experts and a telephone prompt just like you’d hear at any legal software company: press one for English, press two for Spanish.
All of this has become a huge business. Div estimates that such malware as a service has generated as much as a billion dollars in revenue over the past two years.
He expects that the latest spear-phishing campaign will escalate as Tax Day approaches – and could ultimately involve millions of bogus emails. And with Tax Day postponed in the U.S. to May 17 from the traditional April 15, he said, that just offers the bad guys more time to rake in the bucks.