With the filing deadline for taxes fast approaching, malicious actors are taking advantage of the rush by launching tax-themed spam campaigns to infect potential victims with banking trojans such as TrickBot, which tries to collect as much data as possible, with the aim of stealing account credentials for banking websites. Newer variants of TrickBot are capable of stealing credentials for Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and PuTTY terminal emulator sessions.
The TrickBot campaign is particularly troublesome, as researchers at IBM note that most campaigns in comparison are “plain, poorly-crafted emails asking recipients to open a malicious attachment. The sending address is commonly a free webmail address, and the message gives away the game with obvious clues that it is likely a malspam (malware spam).” In contrast, the TrickBot campaign is a well-crafted one, as “the attackers took extra steps to improve their deception techniques, from the way they crafted the messages, to the brands they chose to impersonate.”
One of the tools used in the attack is typo-squatting, the practice of using similar-looking domain names as the target domain to make it appear as if the originating domain is genuine.
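As an added illustration (not code from IBM or TechRepublic), the following script shows how a mail gateway or SOC triage job could flag look-alike sender domains against a short allowlist of brands an organization actually deals with; the domain names, homoglyph table and similarity threshold are constructed assumptions for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: brands a tax- or payroll-themed lure might impersonate.
TRUSTED_DOMAINS = ["examplepayroll.com", "example-tax.com", "irs.gov"]

# Visual digit-for-letter swaps commonly used in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "9": "g", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case, strip accents, drop non-ASCII, and fold common confusables."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.encode("ascii", "ignore").decode()
    # 'rn' renders like 'm' and 'vv' like 'w' in many fonts.
    return d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Keep the last two labels (mail.example.com -> example.com); assumes simple TLDs."""
    return ".".join(domain.lower().split(".")[-2:])


def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity in [0, 1] between the normalized registrable parts of two domains."""
    a = normalize(registrable(candidate))
    b = normalize(registrable(trusted))
    return SequenceMatcher(None, a, b).ratio()


def classify_sender_domain(domain: str, threshold: float = 0.85):
    """Return ('trusted', match), ('lookalike', match) or ('unknown', None)."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    best, best_score = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        score = lookalike_score(domain, trusted)
        if score > best_score:
            best, best_score = trusted, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sender in ["examplepayroll.com", "examp1epayro11.com", "exarnple-tax.com"]:
        print(sender, "->", classify_sender_domain(sender))
```

A "lookalike" verdict is a triage signal for quarantine or analyst review, not proof of malice on its own.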
IBM researchers offered the following tips for security teams to avoid the potential for damage of email-delivered malware:
- Disable macros by default in Office documents.
- Block all URL- and IP-based indicators of compromise (IOCs) at the firewall, IDS, web gateways, routers, or other perimeter devices.
- Use updated antivirus and make sure your current vendor has coverage for banking Trojans such as TrickBot.
- Search for existing signs of the indicated IOCs in your environment and email systems.
- Keep all critical and non-critical systems up to date and patched.
- Report suspected tax scams to the IRS at firstname.lastname@example.org. You can also file a complaint with the U.S. Federal Trade Commission (FTC).
Likewise, IBM offered these tips for users to protect themselves against unwittingly falling victim to email-delivered malware campaigns:
- Snail mail only: The US Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, phone, text messages, or social media channels to request personal or financial information. Do not respond to such requests.
- Do not open unsolicited emails, click on links within such emails, or open attachments coming from unknown senders. Most malware-laden emails will ask users to enable macros; avoid doing that.
- If you receive an email claiming to be from your payroll vendor and you’re not sure if you can trust it, try logging into the provider’s website directly or calling your representative to confirm its validity.
- Even in the case of known senders, be careful about opening email attachments (especially ZIP or RAR archives and Office documents). Ideally, verify with the sender before opening any attachments.
For more, check out TechRepublic’s advice on how to prevent spear phishing attacks: 8 tips for your business.