Tax scammers use Trojan Emotet to execute IRS W-9 tax form scam

April 6, 2023 - TuxCare PR Team

According to Malwarebytes, tax fraud is on the rise, with scammers using the Emotet Trojan to carry out their operations. Emotet is capable of intercepting network traffic and stealing data, such as browser-stored user credentials.

A current scheme, according to Malwarebytes, involves a scam that uses the IRS W-9 tax form. The W-9 form is used by individuals to verify their personal information with the IRS, such as their name, address, and tax identification number. In this fraudulent operation, the W-9 is used as bait to entice people to download malicious software.

Malwarebytes’ Senior Director of Threat Intelligence, Jerome Segura, discovered an email with the subject “IRS Tax Forms W-9.” The message claims to be from the “IRS Online Center” and contains very few words, along with an attachment named W-9 form.zip.

Opening the W-9 form.zip attachment reveals a Word document named W-9 form.doc, which is 548,164 KB in size (548 MB). This size is especially suspect because it could indicate the presence of Emotet in the background. Malicious software developers inflate the size of the document to deceive or bypass security measures: the large size may make it difficult for security tools to scan and scrutinize the file effectively.
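A mail-gateway triage check for the inflated attachment described above, as an added example that is not from Malwarebytes or the original article: it reads only the member sizes declared in the ZIP, so nothing is extracted. The thresholds, the function names and the zero-padded sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Thresholds are illustrative assumptions, not values from the article.
MAX_DOC_BYTES = 100 * 1024 * 1024  # Office document declared larger than 100 MiB
MAX_RATIO = 100                    # member expands more than 100x when unpacked
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def triage_zip(data, max_doc_bytes=MAX_DOC_BYTES, max_ratio=MAX_RATIO):
    """Flag suspicious members using only the ZIP central directory.

    Nothing is decompressed, so an inflated member costs no memory or disk.
    The sizes are the archive's own declarations and can be forged, so any
    later extraction still needs a hard byte limit.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if (info.filename.lower().endswith(OFFICE_EXTS)
                    and info.file_size > max_doc_bytes):
                reasons.append("oversized_office_document")
            if ratio > max_ratio:
                reasons.append("extreme_compression_ratio")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "compressed": info.compress_size,
                                 "reasons": reasons})
    return findings


def build_sample(padding_bytes):
    """Constructed sample archive: a tiny fake .doc body plus zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("W-9 form.doc", b"constructed body" + b"\x00" * padding_bytes)
        zf.writestr("readme.txt", b"ordinary small member")
    return buf.getvalue()


if __name__ == "__main__":
    # Scaled-down sample (4 MiB of padding) with a matching 1 MiB size limit.
    sample = build_sample(4 * 1024 * 1024)
    for finding in triage_zip(sample, max_doc_bytes=1024 * 1024):
        print(len(sample), finding)
```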

Opening the document becomes a game of macro-related risk. Macros, used to automate aspects of documents, are a tried and tested way of infecting a PC with malware. When W-9 form.doc is opened, a message appears saying:

“This document is protected
Previewing is not available for protected documents. You have to press “enable editing” and “enable content” buttons to preview this document.”

Pressing these buttons will result in the download of Emotet onto the system.

The sources for this piece include an article in InfoSecurityMagazine.
