Cyber criminals are using the US tax deadline to score a payday

Microsoft researchers discover ‘quishing’ and URL-shortener attacks that cloak malicious links in the IRS’s clothing


Tax Day will be on the minds of millions of Americans as the deadline to submit their taxes on 15 April looms on the horizon, and it’s not just a hefty bill or error in paperwork that could cause problems.

Cyber criminals are using tax season as an opportunity to trick individuals and businesses into handing over sensitive information.

Microsoft Security said its researchers have found several phishing and malware-delivery campaigns, all operating under the cover of correspondence from the United States Internal Revenue Service (IRS).

In particular, the researchers noted that the attackers were using link shorteners and malicious QR codes (a technique sometimes known as ‘quishing’) to further mask their trail.

"These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection,” they said in a blog post.

In the link-shortener campaign, researchers observed malicious links masquerading as DocuSign, a legitimate e-signature service that many businesses use to have clients sign documents electronically rather than on paper with a pen.

In this campaign, which Microsoft has linked to the threat actor it tracks as Storm-0249, PDFs attached to phishing emails crafted to look as though they came from the IRS contained links that, after a couple of redirects, led to a bogus DocuSign page.

“When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor,” the researchers explained.

“If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.

“If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.”

The QR-code campaign also used email subjects tied to the tax deadline, such as "EMPLOYEE TAX REFUND REPORT” and “Adjustment Review Employee Compensation”. However, while it uses the same hook, it behaves quite differently.

The body of the email was empty; if the target opened the attached PDF, they were greeted with a short message instructing them to scan a QR code.

Scanning it led to a page mimicking the Microsoft 365 sign-in page, built to harvest the victim's login credentials.
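The two campaigns above share a handful of observable traits: a tax-themed subject, a link that passes through a URL shortener before landing on a spoofed DocuSign page, or an empty message body whose only content is a PDF carrying a QR code. The following triage script is an added example, not Microsoft's or ITPro's code, showing how a mail-security team might turn those traits into a score and how to walk a shortener's redirect chain hop by hop. The shortener host list, the DocuSign host allow-list, the sample messages and the redirect map are all constructed for illustration (the `.test` domains are reserved and not real), and `fetch` is an injectable callback so the chain resolver runs offline here and can be wired to a real HTTP client in production.

```python
"""Triage heuristics for tax-season lures (added example; constructed sample data)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical shortener host list; replace with your own telemetry-derived set.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "rebrand.ly", "cutt.ly"}
# Subject fragments taken from the lures quoted in the article, plus generic tax terms.
TAX_LURE_PATTERNS = [r"\btax\b", r"\brefund\b", r"\bIRS\b", r"\bw-?2\b", r"employee compensation"]
# Assumption: a link whose anchor text says "DocuSign" should resolve to one of these hosts.
DOCUSIGN_HOSTS = ("docusign.com", "docusign.net")


@dataclass
class Message:
    subject: str
    body_text: str
    attachments: list  # (filename, has_qr_code) tuples, e.g. from a PDF/QR scanner stage
    links: list        # (anchor_text, href) tuples extracted from the HTML body
    score: int = 0
    reasons: list = field(default_factory=list)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_docusign_host(host):
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_HOSTS)


def triage(msg):
    """Score a message against the indicators described in the article; returns the score."""
    if any(re.search(p, msg.subject, re.I) for p in TAX_LURE_PATTERNS):
        msg.score += 1
        msg.reasons.append("tax-themed subject")
    pdf_with_qr = [f for f, qr in msg.attachments if f.lower().endswith(".pdf") and qr]
    if pdf_with_qr and not msg.body_text.strip():
        msg.score += 3
        msg.reasons.append("empty body, PDF attachment carries a QR code")
    for text, href in msg.links:
        host = host_of(href)
        if host in SHORTENER_HOSTS:
            msg.score += 2
            msg.reasons.append(f"shortened link via {host}")
        if "docusign" in text.lower() and not is_docusign_host(host):
            msg.score += 3
            msg.reasons.append(f"DocuSign-branded link points at {host}")
    return msg.score


def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects using fetch(url) -> (status, location, body).
    Returns every hop so intermediate hosts (shortener, file host) can be logged or blocked."""
    hops = [url]
    for _ in range(max_hops):
        status, location, _body = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        hops.append(location)
    raise RuntimeError("redirect loop or chain too long: " + " -> ".join(hops))


# Constructed redirect map standing in for live servers (no network needed).
_FAKE_SERVERS = {
    "https://bit.ly/abc123": (302, "https://files.example-hosting.test/r/1", b""),
    "https://files.example-hosting.test/r/1": (302, "https://docusign-secure.example.test/sign", b""),
    "https://docusign-secure.example.test/sign": (200, None, b"<html>fake DocuSign landing</html>"),
}


def fake_fetch(url):
    return _FAKE_SERVERS.get(url, (404, None, b""))


def sample_messages():
    """Two constructed messages modelled on the article's descriptions."""
    qr_lure = Message(subject="EMPLOYEE TAX REFUND REPORT", body_text="",
                      attachments=[("refund_report.pdf", True)], links=[])
    docusign_lure = Message(subject="Document ready for signature", body_text="Please review.",
                            attachments=[], links=[("Review on DocuSign", "https://bit.ly/abc123")])
    return qr_lure, docusign_lure


if __name__ == "__main__":
    for m in sample_messages():
        print(m.subject, "->", triage(m), m.reasons)
    print(" -> ".join(resolve_chain("https://bit.ly/abc123", fake_fetch)))
```

One caveat when operationalising the resolver: the article notes that the final landing page served a benign decoy PDF to clients whose system or IP address failed the attacker's filtering rules, so a chain walked from a sandbox or analyst egress may end at the harmless branch. Treat the hop list itself (shortener, file-hosting intermediary, look-alike DocuSign host) as the indicator rather than relying on the body returned at the end.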

Remain vigilant

Commenting on the report, Jamie Akhtar, CEO and co-founder of CyberSmart, said while quishing is by no means a new technique employed by hackers, the level of sophistication in this recent campaign is a serious cause for concern.

"Almost as long as the technology has existed, cyber criminals have found ways to weaponize it," he said. "However, what is new is the sophistication of this scam.”

He added that, looking at Microsoft’s reports, the campaign is “clearly working” and both businesses and users in general should exercise extra caution.

“Our advice is to be very careful if you receive an email purporting to be from Microsoft claiming your password needs to be reset, especially if it contains a QR code," Akhtar added.

"Check the sender, ask yourself whether this looks or sounds like an email Microsoft would usually send. If in doubt, reach out to Microsoft support to confirm whether it's legitimate."

Among its other recommendations, Microsoft says organizations should make sure users are thoroughly trained in data-protection processes and in how to spot bogus URLs.

The company also recommends turning on two-factor authentication (2FA) and configuring security software to block malicious artifacts and to re-check links at the moment they are clicked, since a URL that was clean when the message was delivered may have been weaponized by the time the user follows it.


Jane McCallion
Managing Editor

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.