Digital attackers are using a phishing campaign to infect taxpayers located in the United States with the Amadey botnet. First detected by Cofense in mid-September 2019, the attack begins when a user receives an email purporting to originate from the U.S. Internal Revenue Service (IRS).
The body of the email informs the recipient that they are eligible for a tax refund and that they can use a one-time username and password to claim their refund by clicking the “Login Right here” button and subsequently authenticating themselves. For those who comply and click the button, the campaign redirects them to a fake IRS login page hosted at hxxp://yosemitemanagement[.]com/fonts/page5/.
Cofense explained what happens next in its analysis of the attack:
Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script [VBS] dropper.
Once executed, the obfuscated and encrypted VBS script decrypted itself and dropped “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. This executable, in turn, installed “kntd.exe” in C:\ProgramData\0fa42aa593 and ran the main process for Amadey.
First detected by KrabsOnSecurity in early 2019, Amadey is a botnet which was available for sale on at least one Russian underground forum. A license for Amadey was just $600 at the time of KrabsOnSecurity’s analysis. Even so, researchers thought this amount was somewhat high, as they found Amadey to be a “very simplistic bot that is quite honestly poorly made.”
Once running in this campaign, Amadey established persistence through Reg.exe (that is, by writing a registry entry). It then beaconed to its command-and-control (C&C) servers over port 80 and began sending system information: the version of Amadey used in the infection, the compromised host's operating system and any anti-virus software installed on the machine. After sending this and other data, the bot waited for further instructions from its multiple C&C servers.
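The execution chain above (script host, dropper in the user's Temp folder, payload under a hex-named ProgramData folder, Reg.exe persistence, port-80 beacon) is a good candidate for a correlation rule on endpoint telemetry. The following is an added example, not Cofense's or Zix's code: it classifies Sysmon-style process-creation and network-connection events into the stages the write-up describes and alerts when a host shows two or more of them. The events are constructed for this example, not real telemetry from the campaign, and the reg.exe command line is a placeholder, since the write-up only says Reg.exe was used, not which key was written.

```python
"""Toy detector for the Amadey execution chain the Cofense write-up describes.

Added example, not Cofense's or Zix's code.  The events below are constructed
Sysmon-style records (EventID 1 = process creation, EventID 3 = network
connection) that mimic the chain; they are not real telemetry, and the
reg.exe command line is a placeholder (the write-up does not name the key).
"""
import json
import re

# Paths from the write-up: a dropper in the user's Temp folder, then a
# second-stage payload under C:\ProgramData\<hex-named folder>.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
PROGRAMDATA_EXE = re.compile(r"^C:\\ProgramData\\[0-9a-f]{8,}\\[^\\]+\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    if event["EventID"] == 1:
        parent, image = event["ParentImage"], event["Image"]
        cmd = f' {event.get("CommandLine", "").lower()} '
        # Stage 1: a script host (the VBS dropper) launches an EXE it wrote to Temp.
        if basename(parent) in SCRIPT_HOSTS and TEMP_EXE.search(image):
            return "vbs_dropper"
        # Stage 2: the Temp EXE installs and starts the payload under ProgramData.
        if TEMP_EXE.search(parent) and PROGRAMDATA_EXE.match(image):
            return "second_stage"
        # Stage 3: the payload runs "reg.exe add ..." to create a registry value.
        if PROGRAMDATA_EXE.match(parent) and basename(image) == "reg.exe" and " add " in cmd:
            return "reg_persistence"
    elif event["EventID"] == 3:
        # Stage 4: the payload beacons to C&C on port 80.
        if PROGRAMDATA_EXE.match(event["Image"]) and event["DestinationPort"] == 80:
            return "http_beacon"
    return None

def detect(lines, min_stages=2):
    """Collect matched stages per host; return hosts showing at least min_stages."""
    seen = {}
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["Computer"], set()).add(stage)
    return {host: sorted(s) for host, s in seen.items() if len(s) >= min_stages}

# Constructed sample events (raw strings keep the JSON backslash escapes intact).
SAMPLE_EVENTS = [
    r'{"EventID":1,"Computer":"WS01","ParentImage":"C:\\Windows\\System32\\wscript.exe","Image":"C:\\Users\\Byte\\AppData\\Local\\Temp\\ZjOexiPr.exe","CommandLine":"ZjOexiPr.exe"}',
    r'{"EventID":1,"Computer":"WS01","ParentImage":"C:\\Users\\Byte\\AppData\\Local\\Temp\\ZjOexiPr.exe","Image":"C:\\ProgramData\\0fa42aa593\\kntd.exe","CommandLine":"kntd.exe"}',
    r'{"EventID":1,"Computer":"WS01","ParentImage":"C:\\ProgramData\\0fa42aa593\\kntd.exe","Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg.exe add HKCU\\Software\\Placeholder /v kntd /d C:\\ProgramData\\0fa42aa593\\kntd.exe"}',
    r'{"EventID":3,"Computer":"WS01","Image":"C:\\ProgramData\\0fa42aa593\\kntd.exe","DestinationIp":"192.0.2.10","DestinationPort":80}',
    r'{"EventID":1,"Computer":"WS02","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}',
    r'{"EventID":1,"Computer":"WS02","ParentImage":"C:\\Windows\\System32\\wscript.exe","Image":"C:\\Users\\Ann\\AppData\\Local\\Temp\\setup.exe","CommandLine":"setup.exe"}',
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"{host}: Amadey-like chain, stages {', '.join(stages)}")
```

WS01 trips all four stages; WS02 only shows a script host launching an EXE from Temp, which legitimate installers also do, so the two-stage threshold keeps it below the alert line. In production the ProgramData folder pattern and the port-80 check are the weakest signals (the C&C traffic is plain HTTP, so proxy logs with the request path are a better source than the bare connection event).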
Not the First Off-Season Tax-Themed Scam
Digital fraudsters are known to target U.S. taxpayers during peak tax filing season, typically the first few months of the year. But as the IRS notes in every release of its annual “Dirty Dozen” scam list, these attacks can and do occur year-round.
In June 2019, for instance, the Michigan Department of Treasury warned taxpayers to be on the lookout for letters that purported to originate from the IRS. Those pieces of correspondence masqueraded as overdue tax bills that attempted to scare recipients into thinking the IRS was going to seize their property, bank accounts and income. Some of those letters even referenced recipients’ actual outstanding debts by using information that was publicly available on the web.
According to the Detroit Free Press, these fake letters’ purpose was to trick taxpayers into calling a toll-free number and making a payment to what they thought was the IRS. About a month later, CNN reviewed data provided by the Federal Trade Commission (FTC) and found that scams impersonating government entities, including the IRS, had reached an all-time high. Over the first half of 2019, the FTC received 209,000 such reports from consumers, CNN reported, nearly as many as consumers had sent to the FTC in all of 2018.
How to Defend Against a Tax-Themed Scam
Security professionals can defend against tax-themed scams by strengthening their organization’s email security: investing in a solution that analyzes incoming emails in real time for suspicious indicators such as embedded URLs, sending IP addresses and other attributes, while still letting legitimate mail through.
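One concrete check such analysis can make, illustrated here with an added example that is not ZixProtect's logic: a message that invokes the IRS brand in its sender name, subject or body should not be sent from, or link to, anything outside irs.gov. The two messages at the bottom are constructed for this example and use RFC 2606 ".example" names rather than the campaign's real domain; the assumption that irs.gov is the only domain the IRS mails and links from is an assumption of the example.

```python
"""Flag IRS-themed mail whose sender or links point outside irs.gov.

Added example, not ZixProtect's logic.  The two messages at the bottom are
constructed for this example; they use RFC 2606 '.example' names, not the
campaign's real domain.  Only the brand-vs-domain mismatch is checked here;
SPF/DKIM/DMARC evaluation and URL reputation are out of scope.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = re.compile(r"\b(irs|internal revenue service)\b", re.IGNORECASE)
LEGIT_DOMAINS = {"irs.gov"}  # assumption: the only domain the IRS mails and links from

class LinkCollector(HTMLParser):
    """Gather href targets from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(raw_message):
    """Return a list of findings; an empty list means no brand/domain mismatch."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    findings = []
    # Only messages that invoke the IRS brand are held to the irs.gov standard.
    if not BRAND.search(" ".join((display, subject, html))):
        return findings
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if sender_domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not irs.gov")
    collector = LinkCollector()
    collector.feed(html)
    for link in collector.links:
        host = urlsplit(link).hostname or ""
        if registrable_domain(host) not in LEGIT_DOMAINS:
            findings.append(f"link {link} points outside irs.gov")
    return findings

# Constructed sample: IRS branding, but the sender and the login link live elsewhere.
PHISH = """\
From: "Internal Revenue Service" <refund@irs-refund.example>
To: taxpayer@example.org
Subject: Your tax refund is pending
Content-Type: text/html; charset=utf-8

<html><body><p>You are eligible for a tax refund. Use your one-time
username and password to claim it.</p>
<a href="http://irs-refund.example/fonts/page5/">Login Right here</a>
<a href="https://www.irs.gov/refunds">Where's My Refund?</a>
</body></html>
"""

# Constructed sample: same branding, but sender and link both stay on irs.gov.
LEGIT = """\
From: "Internal Revenue Service" <noreply@irs.gov>
To: taxpayer@example.org
Subject: Your transcript is ready
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.irs.gov/individuals/get-transcript">Get Transcript</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "no findings")
```

The phishing sample produces two findings (the sender domain and the "Login Right here" link); the legitimate sample produces none even though it also carries the IRS name. The two-label domain heuristic is deliberately simple and breaks on suffixes such as co.uk, and a brand check like this only complements sender authentication (SPF, DKIM, DMARC), which it does not perform.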
Learn how ZixProtect can help keep your organization safe against tax-themed scams.