
As tax filing deadlines approach, we always see an increase in tax-themed attacks, and this year is no exception. Everyone should be on guard, as attacks posing as IRS notifications and tax preparation companies are prevalent. However, it is also important to remember that the tax preparers themselves are at heightened risk. The troves of sensitive data that could be exposed through a malware breach on a CPA or tax service network make for an extremely attractive target for malicious actors. And because their work involves taking on unknown clients and receiving financial documents from them, tax preparers must remain extremely vigilant.

We recently spotted a threat group that we have observed targeting CPA firms in past years, again using similar tactics to infect targets with a remote access trojan. This example email purports to have tax documents attached and contains a link to a ZIP file download.

If the user downloads and extracts the ZIP archive, they will see two PDF files and two batch files within. The PDF files are there to make the attack look more legitimate: they contain images of a legitimate driver’s license and social security card, presumably stolen. However, if either of the batch files is executed, it kicks off the XWorm (remote access trojan) infection chain on the victim’s machine. Cracked versions of XWorm have been leaked on GitHub, making it freely available to any threat actor.

Often these threat actors will precede the actual malware attack with a technically harmless pretext message inquiring about availability and/or services offered. Below is an example of one such message, which the attacker will follow up with an email containing malware posing as financial documents.

Everyone should always be extremely vigilant with tax-related email communications, but especially at this time of year. CPAs and tax preparation services themselves need to be aware of these threats and implement stringent controls on email requests and received documents. For individuals, remember that the IRS will never ask you to take action on any tax requirements via an unsolicited email. If you receive an email notification of any sort from your tax servicer of choice, it is always best to avoid clicking any links within the email and instead navigate to their site directly.
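One control on received documents is to triage ZIP attachments before anyone extracts them, looking for the layout described above: decoy documents bundled with batch or other script files. The following is an added example, not code from the original post; the function names, extension lists and sample file names are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists (not from the article): script types that run on double-click
# in Windows, and document types commonly used as decoys.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf",
               ".hta", ".lnk", ".scr", ".exe"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment by member file types without extracting it."""
    result = {"scripts": [], "decoys": [], "double_ext": [], "verdict": "allow"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "quarantine"  # unreadable archive: hold for review
        return result
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise Windows separators, then look only at the file name.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] in SCRIPT_EXTS:
                result["scripts"].append(info.filename)
                # "W2.pdf.bat": a document extension placed before the real one
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    result["double_ext"].append(info.filename)
            elif suffixes[-1] in DECOY_EXTS:
                result["decoys"].append(info.filename)
    if result["scripts"]:
        result["verdict"] = "quarantine"  # any script member blocks delivery
    return result


def build_sample_zip(names):
    """Build an in-memory ZIP with placeholder contents (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()
```

Extension checks are a coarse first filter; an archive that passes still warrants the sender verification described above.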
