Security experts are warning US taxpayers not to fall for a new phishing campaign that uses the IRS as a lure to install the infamous Emotet Trojan on their machines.
Scammers have long used tax filing season as an opportunity to trick consumers, and the latest attempt discovered by Malwarebytes is no exception.
The phishing email in question has a subject line of “IRS Tax Forms W-9” and a spoofed sender address of “IRS Online Center”.
The short message in the body of the email is riddled with typos. The 709KB “W-9 form.zip” attachment contains a 548MB Word document titled “W-9 form.doc”.
Malwarebytes Malware Intelligence Analyst Chris Boyd points out that the size is suspicious.
“There are not many legitimate Word documents larger than 500MB. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background,” he explained.
“Malware authors artificially increase the size of documents in order to fool or defeat security tools. Because it may turn out to be too much.”
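The size mismatch described above (a 709KB archive declaring a 548MB document) can be checked at the mail gateway without unpacking anything. The following is an added example, not code from Malwarebytes; the thresholds, extension list and sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Thresholds are assumptions for this example; tune them to your own mail flow.
MAX_DOC_BYTES = 100 * 1024 * 1024   # declared size above which an Office doc is suspect
MAX_RATIO = 100                     # declared uncompressed/compressed ratio
DOC_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".rtf")


def inspect_zip(data, max_doc_bytes=MAX_DOC_BYTES, max_ratio=MAX_RATIO):
    """Flag documents in a ZIP using central-directory metadata only.

    Nothing is decompressed, so an inflated member cannot exhaust the scanner.
    The sizes are declared by the sender, so treat them as a triage signal and
    still cap the bytes read if the member is extracted later.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(DOC_EXTS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > max_doc_bytes:
                reasons.append("oversized")
            if ratio > max_ratio:
                reasons.append("padded")
            if reasons:
                findings.append((info.filename, info.file_size, round(ratio), reasons))
    return findings


def build_sample(name, payload):
    """Build an in-memory ZIP holding one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a zero-padded "document" and an incompressible one.
    padded = build_sample("W-9 form.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * (8 << 20))
    normal = build_sample("notes.docx", os.urandom(20_000))
    for label, blob in (("padded", padded), ("normal", normal)):
        print(label, len(blob), inspect_zip(blob, max_doc_bytes=1 << 20))
```

A flagged attachment is a candidate for quarantine or sandbox detonation rather than proof of Emotet; the check only shows that the document was padded far beyond what its content needs.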
The crooks then try to persuade the recipient to enable macros, which starts the Emotet download.
“Emotet has been around since 2014. It was originally created as a banking Trojan, but later versions added malware delivery and spam services,” explains Boyd. “It has mostly been featured in email spam campaigns, with a large focus on fake emails that help spread the infection, such as parcel shipments, invoices and other payment methods.”
Emotet was recently featured by Malwarebytes as one of the top 5 threats to businesses this year. Its botnet infrastructure was severely disrupted by law enforcement in January 2021, but it has since resurfaced and remains a popular tool for cybercriminals.
Boyd said U.S. taxpayers should apply early and beware of questionable refunds, fake banking portals and emails urging them to apply for refunds.