Self-Spreading Malware Posing as IRS at height of Tax Season


An ongoing phishing campaign is arriving in victims' inboxes posing as the Internal Revenue Service (IRS), carrying Microsoft OneNote files that are supposedly W-9 tax forms. Once a file is opened, a hidden script installs malware known as Emotet on your system, from where it spreads.

The malware in question, Emotet, logs Internet traffic, specifically going after banking details entered in the browser. That is not all it does, however: Emotet is one of the most notorious new pieces of malware affecting business networks today.

This latest campaign comes at the height of tax season, looking to trick victims into thinking they have received important tax information. Because filers need to take prompt action on most tax forms, the chances of the user opening the document increase.

Once the file is opened, Microsoft may warn the user that it might contain malware. Take these warnings seriously: this is the make-or-break moment in whether the attack succeeds. Some users treat this as just another pop-up and disregard it. Keep in mind that most of the time these forms come in PDF format, not the OneNote format, which is signified by the ".one" extension.
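The two signals just described (a sender claiming to be the IRS from an unrelated domain, and a tax form arriving as a .one file instead of a PDF) can be checked mechanically at the mail gateway. The following is an added example, not code from the original post; the irs.gov domain check, the keyword list and the sample message are assumptions constructed for illustration.

```python
# Added example, not code from the original post: a mail-triage check for the lure
# described above. It flags a sender whose display name claims to be the IRS but whose
# address is not on irs.gov, and OneNote (.one) attachments named like tax forms.
# The irs.gov check, the keyword list and the sample message are assumptions/constructed.
from email import message_from_string, policy
from email.utils import parseaddr

TAX_FORM_WORDS = ("w-9", "w9", "w-2", "1099", "tax form")  # assumed lure keywords

def sender_claims_irs(msg):
    """True when the From display name mentions the IRS but the address is not on irs.gov."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims = "irs" in name.lower().split() or "internal revenue" in name.lower()
    return claims and not (domain == "irs.gov" or domain.endswith(".irs.gov"))

def onenote_attachments(msg):
    """Filenames of attachments delivered as OneNote (.one) files."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".one")]

def triage(raw_message):
    """Return the reasons this message matches the IRS/OneNote lure (empty list = no findings)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    if sender_claims_irs(msg):
        reasons.append("sender display name claims IRS but address is not on irs.gov")
    for fname in onenote_attachments(msg):
        reasons.append(f"OneNote attachment: {fname}")
        if any(w in fname.lower() for w in TAX_FORM_WORDS):
            reasons.append(f"tax form delivered as .one instead of PDF: {fname}")
    return reasons

# Constructed sample resembling the campaign; not a real message.
SAMPLE_LURE = (
    "From: Internal Revenue Service <notice@example-mailer.test>\r\n"
    "To: payroll@example.test\r\n"
    "Subject: W-9 form required\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease complete the attached form.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="W-9 Form.one"\r\n'
    'Content-Disposition: attachment; filename="W-9 Form.one"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for reason in triage(SAMPLE_LURE):
        print("FLAG:", reason)
```

A message with no findings returns an empty list, so the same function can be run over a mailbox export and only the flagged items reviewed by hand.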

If the document is successfully opened, the infection won't be obvious at first. Next, it spreads in three different ways:

  • Posing as you, it sends itself to your address book contacts.
  • It finds software exploits and reaches other computers on your network, starting the same process there as well.
  • It compromises user accounts through brute-force attacks.

Emotet updates itself and, like a chameleon, changes form when security patches come in.

Don't put yourself, your business, and your contacts in danger this tax season. Always verify the sender by contacting them directly through another method.