Phishing campaign targets tax professionals
As the U.S. tax season comes to a close, Microsoft warns that a new phishing campaign is targeting accounting firms and tax preparers, planting malware that gives attackers initial access to business networks.
According to Microsoft, the campaign has been active since February and aims to compromise accounting and tax preparation firms by distributing the Remcos remote access trojan (RAT). The phishing emails appear to come from clients who are delivering the documentation a tax professional needs to complete their returns.
To escape detection by security software, the phishing emails included click-tracking service URLs. Recipients are directed to a file hosting site where they can download a ZIP archive of files masquerading as PDFs for various tax forms. These files, however, are Windows shortcuts that, when activated, launch PowerShell. PowerShell then downloads a strongly encrypted VBS file from a remote host, saves it to C:\Windows\Tasks, and executes it.
The Microsoft report stated that this campaign is unusual in that it only targets tax preparation firms and individuals. “The targets for this threat are exclusively organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax.”
To avoid falling victim to this type of phishing campaign, Microsoft recommends that users enable the display of file extensions in Windows so they can identify suspicious files. However, Windows shortcuts are a special file type that uses the .lnk file extension but does not show the file extension when displayed in File Explorer. This makes detecting that a file is a shortcut in disguise more difficult. Listing files in File Explorer in ‘Details’ mode will show that it is a Windows Shortcut, making it easier to spot.
The sources for this piece include an article in BleepingComputer.