Tax Return-themed Emails make Users in America the Target of Ransomware – Attackers are sending genuine-looking Internal Revenue Service (IRS) tax refund messages.
Now that the tax filing season in the United States has ended, cybercriminals have launched their phishing lure and are busy distributing fake emails that appear to come from the IRS about pending refunds.
Cybercriminals are relying on highly refined social engineering to produce a believable message that also contains legitimate links, which increases the message’s apparent trustworthiness. In this particular phishing lure, the criminals have crafted an email that looks like genuine communication from the Internal Revenue Service (IRS).
Here is a screenshot of the scam email sent to users:
Here is an excerpt from the fake email that is being sent to users in the US:
“Additional information regarding tax refunds can be found on our website: http://www.irs.gov/Refunds [legitimate URL]. Please note that IRS will never ask you to disclose personal or payment information in an email.”
Both the advice and the legitimate link are designed to increase the user’s confidence in the email’s validity.
Cybercriminals using a compromised server in China:
This malicious campaign is designed to get ransomware installed on the victim’s computer through a malicious email, with a compromised web server in China used as an intermediate stage.
Kaspersky’s Dmitry Bestuzhev states that the attackers conducted a similar operation earlier in April. That campaign used a malicious script stored on the anonymous paste site Pastebin.
In this particular case, the cybercriminals have encoded a malicious script and hosted it on a compromised machine in China. That script contains the instructions for downloading the final payload.
Tricking users into enabling macros in MS Office:
To initiate the attack, a genuine-looking email is sent to the victim informing them of an important tax refund. A Word document is attached, which is presented as a copy of the official tax return form. This Word file contains a macro that immediately connects to the remotely hosted script, which holds the instructions and the link to the malware to be downloaded.
Microsoft Office disables macros by default, so the attackers have filled the Word document with gibberish text to trick the victim into enabling macros in order to read it.
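A defender-side triage routine for attachments of the kind described above, added here as an example (not code from the article or from Kaspersky): it inspects an OOXML Word file with the standard library only and flags the VBA project that carries the macro. A legacy binary .doc is an OLE2 container and is only reported as needing a separate OLE-aware scan; the sample documents are constructed in the script, with placeholder bytes standing in for real VBA.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary .doc files
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")

def triage_word_attachment(data: bytes) -> dict:
    """Return macro-related indicators for one attachment given as raw bytes."""
    result = {"container": None, "has_vba_project": False,
              "macro_enabled_type": False, "verdict": "clean"}
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: macros live inside OLE streams, not in a zip; hand off.
        result.update(container="ole2", verdict="needs_ole_scan")
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ctypes = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                      if "[Content_Types].xml" in names else "")
    except zipfile.BadZipFile:
        result.update(container="unknown", verdict="unparsed")
        return result
    result["container"] = "ooxml"
    # word/vbaProject.bin is the part that holds VBA macro code in OOXML files.
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    # A .docm declares a macroEnabled main part; a plain .docx does not.
    result["macro_enabled_type"] = "macroenabled" in ctypes.lower()
    if result["has_vba_project"] or result["macro_enabled_type"]:
        result["verdict"] = "macro_bearing"
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document used as test input (not a real lure)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    ctypes = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
              f'package/2006/content-types"><Override PartName="/word/document.xml" '
              f'ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(triage_word_attachment(build_sample(flag)))
```

A mail gateway can quarantine or strip anything returning "macro_bearing" or "needs_ole_scan" before it reaches a user who might be tempted to click through the macro warning.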
Kaspersky has identified this ransomware as Trojan-Ransom.Win32.Foreign.mfbg. This campaign doesn’t encrypt the data on the computer but blocks internet access and demands a ransom paid via prepaid cards such as MoneyPak.
The victim is required to pass on the card’s code to an SMS number for paying the ransom and getting the computer’s function restored.