Tax season in the U.S. is a frenetic period during which many Americans race to collect documents and deliver the required filings to the Internal Revenue Service (IRS). The run-up to the IRS' annual April 15 deadline is also a busy time for threat actors and cybercriminals, who capitalize on the urgency and pressure that accompany the rush to file on time. This year is no different: at least one leading malware operation has unleashed tax-themed phishing campaigns, and the U.S. Federal Bureau of Investigation (FBI) has issued a warning about an unrelated threat that leverages the same tax document, the W-9, that the phishing campaign abuses.
On the phishing side, a well-known malware family was recently spotted mounting a new campaign that targets U.S. tax filers with fake W-9 forms. In one version of the campaign, the emails carry the subject line "IRS Tax Forms W-9" and purport to come from an "inspector" at the IRS. Attached is a ZIP archive named "W-9 form.zip" containing a weaponized Microsoft Word document padded to roughly 500 MB; the padding pushes the file past the size limits of many antivirus scanners and sandboxes, which makes the document harder to detect as malicious.
Another version of the W-9 campaign uses emails that appear to originate from companies for which the recipients perform contract work. This version sidesteps Microsoft's recent change to block macros by default in Office documents downloaded from the internet, which had shut down the vector previously used to infect victims with malicious Word documents. Instead, the malware is delivered through reply-chain emails (replies injected into existing, legitimate threads) carrying Microsoft OneNote documents with embedded VBScript files that install the malware. The OneNote attachments claim to be protected and instruct the user to double-click a "View" button so that the document displays correctly.
The "View" button is an overlay sitting on top of the embedded VBScript file; double-clicking it runs the script, which downloads the malware. The malware then runs in the background, harvesting data such as contacts and email content and awaiting additional payloads to be installed on the system. OneNote does display a warning that opening the embedded file could harm the computer, but users frequently click through such warnings.
Despite the generally convincing presentation of both phishing approaches, security researchers point out several red flags. First, legitimate W-9s are sent as PDF documents or as hard copies in the mail; they are not sent as Word or OneNote files. Recipients should therefore not open, or enable macros in, purported W-9 attachments from clients or the IRS that arrive in any format other than PDF.
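The red flags above translate directly into a triage check that a mail gateway or an analyst script can run on ZIP attachments: a tax-form name on the archive or on a member that is not a PDF, an oversized Office document, and a compression ratio consistent with null-byte padding of the kind used to bloat the Word lure to 500 MB. The following is an added example, not code from the original post or from any of the researchers it cites. The sample archives are constructed in memory, and the 50 MB size threshold and the 100:1 ratio are assumptions chosen for the example, not values from the campaign.

```python
import io
import re
import zipfile

# Names the lure promises: W-9, W-2, 1099. Legitimate copies arrive as PDF or on paper.
TAX_FORM_RE = re.compile(r"(?<![A-Za-z0-9])(w-?9|w-?2|1099)(?![A-Za-z0-9])", re.IGNORECASE)
# Container and script types the W-9 campaigns used (Word, OneNote, VBScript) plus common droppers.
SUSPECT_EXT = {".doc", ".docm", ".docx", ".dot", ".dotm", ".one", ".vbs", ".js", ".wsf", ".lnk", ".hta", ".exe"}
# Assumed threshold: a genuine one-page W-9 is a few hundred kB; tens of MB is padding.
PADDING_THRESHOLD = 50 * 1024 * 1024  # bytes
# Assumed ratio: runs of null bytes deflate at roughly 1000:1, real documents nowhere near that.
PADDING_RATIO = 100


def _ext(name):
    """Lower-cased extension of the last path component, '' if there is none."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def triage_archive(archive_name, data, padding_threshold=PADDING_THRESHOLD):
    """Return [(member, reason), ...] for a ZIP attachment; an empty list means no red flag."""
    findings = []
    archive_claims_form = bool(TAX_FORM_RE.search(archive_name))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, _ext(info.filename)
            claims_form = archive_claims_form or bool(TAX_FORM_RE.search(name))
            # Red flag 1: a "W-9" that is anything other than a PDF.
            if claims_form and ext != ".pdf":
                findings.append((name, "tax form delivered as %s, not PDF" % (ext or "no extension")))
            # Red flag 2: an Office/script file far larger than any real tax form.
            if ext in SUSPECT_EXT and info.file_size >= padding_threshold:
                findings.append((name, "%d-byte document: oversized, possible AV-evasion padding" % info.file_size))
            # Red flag 3: the archive already tells us the member is mostly filler.
            if info.compress_size and info.file_size // info.compress_size >= PADDING_RATIO:
                ratio = info.file_size // info.compress_size
                findings.append((name, "compresses %d:1, consistent with null-byte padding" % ratio))
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {member_name: bytes}; used only to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign files): a null-padded Word lure (2 MB stands in for
# the 500 MB seen in the wild), a OneNote lure in a reply-chain mail, and a genuine-looking PDF.
SAMPLES = {
    "W-9 form.zip": make_zip({"W-9 form.doc": b"{\\rtf1 lure}" + b"\x00" * (2 * 1024 * 1024)}),
    "Invoice reply.zip": make_zip({"W9 Acme Consulting.one": b"OneNote lure with embedded View button"}),
    "W-9 Acme.zip": make_zip({"W-9 Acme.pdf": b"%PDF-1.7 genuine form"}),
}


def triage_all(samples=SAMPLES, padding_threshold=PADDING_THRESHOLD):
    """Run the triage over every sample attachment and return {archive_name: findings}."""
    return {name: triage_archive(name, data, padding_threshold) for name, data in samples.items()}


if __name__ == "__main__":
    for archive, findings in triage_all().items():
        print(archive, "->", findings or "no red flags")
```

The compression-ratio signal is the cheapest of the three because the ZIP central directory already records both sizes, so the gateway can flag a padded lure without inflating 500 MB of nulls; the size threshold is there for archives stored without compression.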
Malware operators ran similar schemes last tax season, impersonating the IRS in March 2022 with emails that appeared to contain official documents related to federal returns. Around that time, security researchers observed a tenfold increase in activity for this malware from February to March 2022, from 3,000 to 30,000 monthly emails attempting to deliver malicious payloads to victims' devices. The spike earned the malware a place among the top cyberthreats for March 2022.
This is not the only threat targeting U.S. filers this tax season: on March 24, 2023, the FBI issued a warning about business email compromise (BEC) used for theft and fraud. Like phishing attacks designed to deliver malware, BEC relies on social engineering to gain the trust of decision makers who can send funds, ship goods, release information, or perform some other action that benefits the attackers.
The FBI warned in its alert that criminals are supplying fraudulent W-9 forms and fake credit references to vendors while impersonating legitimate U.S.-based companies, using spoofed email domains and the display names of actual employees. Vendors who receive these emails believe they are fulfilling legitimate purchase orders. The threat actors use the W-9s to obtain credit repayment terms (Net-30/Net-60) for additional purchase orders without providing deposits. Victims typically discovered the fraud only when they contacted the companies that had been impersonated.
Among the goods criminals acquired through the scheme were construction materials, agricultural supplies, computer hardware, and solar energy products. The FBI provided examples of spoofed emails and recommended that vendors verify the source of such emails by (1) calling the business's main phone line (not a number listed in the email), (2) checking the sender's email domain for misspellings and typos, and (3) refraining from clicking links in emails and instead typing the URL or domain manually.
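The FBI's second recommendation, checking the sender domain for misspellings, and the alert's observation that attackers pair spoofed domains with the names of real employees, can both be automated against the list of customers a vendor actually does business with. The following is an added example, not part of the FBI alert or of the original post. The known domains, the contact directory and the homoglyph table are constructed assumptions; in practice the first two come from the accounts-receivable or CRM system.

```python
from email.utils import parseaddr

# Constructed data (assumptions for the example): domains and named contacts the vendor
# has verified out of band. Anything not on these lists is treated as unknown.
KNOWN_DOMAINS = {"acme.com", "globex-supply.com"}
KNOWN_CONTACTS = {"jane doe": "acme.com", "raj patel": "globex-supply.com"}

# Character sequences that render alike in common fonts; an impostor domain uses the left form.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold visually confusable sequences so 'acrne.com' compares equal to 'acme.com'."""
    domain = domain.lower()
    for lookalike, plain in HOMOGLYPHS:
        domain = domain.replace(lookalike, plain)
    return domain


def levenshtein(a, b):
    """Edit distance; one or two edits between two domains is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, known_domains=KNOWN_DOMAINS, known_contacts=KNOWN_CONTACTS):
    """Classify a From: header as ('trusted' | 'lookalike' | 'unknown' | 'invalid', detail)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid", "no routable address in From header"
    domain = addr.rpartition("@")[2].lower()
    # Exact match or a subdomain of a verified domain: the real customer.
    if domain in known_domains or any(domain.endswith("." + k) for k in known_domains):
        return "trusted", domain
    label = domain.split(".")[0]
    for known in known_domains:
        # acme.com.vendor-portal.net: the real domain hidden in front of the attacker's.
        if known in domain:
            return "lookalike", "known domain %s embedded in %s" % (known, domain)
        # acrne.com, g1obex-supply.com: confusable characters.
        if normalize(domain) == normalize(known):
            return "lookalike", "homoglyph of %s" % known
        # acme.co, acme.cm, acnme.com: a typo away from the real thing.
        if levenshtein(domain, known) <= 2:
            return "lookalike", "within 2 edits of %s" % known
        # acme-corp.com, acmeinc.com: the real name with an affix bolted on.
        k_label = known.split(".")[0]
        if k_label in label and label != k_label:
            return "lookalike", "%s affixed to %s" % (label, known)
    # Unrelated domain but a display name we recognize: the pattern the FBI alert describes.
    contact_domain = known_contacts.get(display.strip().lower())
    if contact_domain:
        return "lookalike", "display name of known %s contact, sent from %s" % (contact_domain, domain)
    return "unknown", domain


if __name__ == "__main__":
    # Constructed headers, not captured traffic.
    for header in ("Jane Doe <jane.doe@acme.com>", "Jane Doe <jane.doe@acrne.com>",
                   "Jane Doe <jane.doe@acme-corp.com>", "Jane Doe <jane.doe@outlook.com>",
                   "AP Team <ap@acme.com.vendor-portal.net>", "Sam <sam@example.org>"):
        print("%-45s %s" % (header, assess_sender(header)))
```

A "lookalike" verdict should route the purchase order to the manual verification the FBI describes (a call to the number on file, never the one in the email); an "unknown" verdict is not proof of fraud, only a sign that the credit-terms request has no existing relationship behind it.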
Activity observed on the Cybersixgill Investigative Portal shows that fraudulent IRS forms, including W-9s, remain popular items on the cybercriminal underground. Cybersixgill also observed chatter about the aforementioned malware that indicates its enduring popularity among threat actors.
The following screenshot shows a post on a popular cybercriminal forum that specializes in hacking and carding. The message is an advertisement from a highly active member offering W-9 forms alongside a variety of other fraudulent documents, including other tax forms (1099, W-2, etc.), passports, bank statements, utility bills, and credit card statements.
Threat actors can use such documents in phishing schemes and BEC scams to convince victims to send funds, provide information, or take other steps from which the threat actors profit. The forum member added this claim in the ad: "We can draw almost any document you need. We have an extensive list of available documents, but if you did not find the one you need, then you can write to our support and we will try to help you."
Figure 1: An advertisement for fraudulent IRS W-9 Forms
In addition, Cybersixgill's collection mechanisms identified an advertisement referencing the aforementioned malware on an English-language underground forum that specializes in cracking and hacking methods. In the post, a forum member advertises malware that spoofs file extensions so that threat actors can present malicious files as legitimate ones.
The threat actor referenced Microsoft's default blocking of macros, calling macros "dead," and touted the advertised malware as "the best method to deliver malicious code (apart from expensive 0-days)." As an apparent selling point, the forum member claimed that "APT groups and botnets like [the aforementioned W-9 spoofing malware]" use it.
In the past, researchers linked the advertised malware to a prominent North Korea-based threat actor on the basis of source-code overlaps and the use of .LNK files to deliver payloads later in the attack chain. While the forum member did not name the North Korea-based group, the contention that APTs have used the advertised malware may be a reference to North Korean threat actors.
Figure 2: A forum member advertises malware
Threat actors are again exploiting the U.S. tax season to trick victims into taking harmful actions. Some capitalize on the urgency of the season to deliver malware through phishing emails and fake IRS forms; others are running BEC campaigns to steal funds and goods from victims.
Both attack vectors rely on sophisticated social engineering, malicious email campaigns, and forged W-9 forms, among other documents, to create the appearance of legitimate correspondence that requires the recipient to act. As the intelligence items collected by the Cybersixgill Investigative Portal show, the tools for phishing campaigns that leverage fake IRS forms are readily available on the underground.
Given the phishing attacks and the BEC campaigns described in the FBI's March 24 alert, organizations should strengthen internal awareness and provide security training so that staff can recognize and report phishing and BEC attempts. This requires diligence from personnel who receive unexpected emails, especially those carrying tax forms or requesting new credit terms, and deployment of email gateways that detect and filter malicious messages before they reach users. Awareness alone is not sufficient: unusual requests should be verified through an independent channel, such as a call to a phone number already on file, and gateway rules that block or sandbox OneNote and macro-enabled Office attachments close the gap that a single click-through of a warning leaves open.