It's tax season, and cybercriminals are busy developing schemes to steal as many identities, funds, and tax refunds as possible. Typically, they rely on spam campaigns to distribute the infamous TrickBot banking Trojan to individuals and businesses alike. This year is no exception: researchers at IBM's X-Force unit have detected as many as three major spam campaigns currently delivering TrickBot to taxpayers. Each campaign sends spam email messages on behalf of a reputable company operating in the financial, HR, or accounting sector.
First Spam Wave Hit in Late-January
The first massive campaign appeared on the radar around Jan. 27, when the attackers started sending out suspicious emails disguised as forwarded messages from a well-known accounting company. The emails all shared the same subject line – FW: 2018 EF Tax Incentive Billing – and prompted recipients to open an attached Excel document of the same name. Instead of disclosing actual tax incentive data when opened, however, the attachment would trigger a TrickBot infection via the malicious macros it contained. The signature of each email was detailed enough to look 100% legitimate.
Second Spam Wave Took Advantage of ADP HR Service Provider
The second spam campaign spreading the TrickBot banking Trojan targeted clients of ADP, a large HR service provider, according to an official alert published by the company. In this case, the malware actors used fake ADP email accounts to trick recipients into clicking on a malware-laden URL that supposedly led to important information about their tax billing records. Those fake accounts have:
- An identical name pattern – <[Employee Name] firstname.lastname@example.org>
- A uniform email subject, namely 'FW: CASE #90ADP28TEFT – tax billing records'
- An invariable malicious link – '90ADP0304TEFT.xlsm'
ADP has already addressed the problem, urging customers to forward such incoming messages to a dedicated fraud prevention email for analysis.
Third Spam Wave Exploited Paychex's Name
The third prominent spam campaign commenced in early March, when customers of the renowned Paychex payroll payments provider started receiving email replies to inquiries they had never sent in the first place. Titled 'RE: Tax Verification documents', the email claimed to provide the recipient with an attached file containing data they had previously requested. While the attachment looked like a legitimate Word document, as it was called 'Verification_Documents.doc', opening it would install the TrickBot Trojan not only on the targeted PC but also on any other network-connected machine.
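As an added example (not code from the article or from the researchers it cites), the following Python triage script scores constructed sample messages against the lure pattern shared by the three campaigns: the known subject lines and attachment names above, a forward/reply prefix paired with a macro-capable attachment, and a brand name claimed in the sender while the address is on a different domain. The brand-to-domain mapping and the sample sender addresses are assumptions made up for the example.

```python
import re
from email.utils import parseaddr

# Indicators taken from the three campaigns described in the article (dashes normalised to "-").
KNOWN_SUBJECTS = {
    "fw: 2018 ef tax incentive billing",
    "fw: case #90adp28teft - tax billing records",
    "re: tax verification documents",
}
KNOWN_ATTACHMENTS = {"90adp0304teft.xlsm", "verification_documents.doc"}
# Legacy .doc/.xls and macro-enabled .docm/.xlsm can all carry VBA macros.
MACRO_EXTENSIONS = (".xlsm", ".docm", ".doc", ".xls")
# ASSUMPTION (not from the article): legitimate domain for each impersonated brand.
BRAND_DOMAINS = {"adp": "adp.com", "paychex": "paychex.com"}


def score_email(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'attachments' keys."""
    reasons = []
    subject = re.sub(r"[\u2013\u2014]", "-", msg.get("subject", "")).lower()
    subject = re.sub(r"\s+", " ", subject).strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches a known TrickBot campaign subject")
    attachments = [a.lower() for a in msg.get("attachments", [])]
    # All three waves paired a fake FW:/RE: thread with a macro-capable Office file.
    if re.match(r"(fw|fwd|re):", subject) and any(a.endswith(MACRO_EXTENSIONS) for a in attachments):
        reasons.append("forward/reply subject with macro-capable attachment")
    if any(a in KNOWN_ATTACHMENTS for a in attachments):
        reasons.append("attachment name matches a known campaign")
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, legit in BRAND_DOMAINS.items():
        claims = re.search(rf"\b{brand}\b", display.lower()) or re.search(rf"\b{brand}\b", domain)
        if claims and domain != legit:
            reasons.append(f"sender claims {brand} but domain is {domain or 'empty'}")
    return len(reasons), reasons


# Constructed sample messages (sender domains are fictitious).
SAMPLE_EMAILS = [
    {"from": "Jane Doe <jane.doe@adp-example.test>",
     "subject": "FW: CASE #90ADP28TEFT \u2013 tax billing records",
     "attachments": ["90ADP0304TEFT.xlsm"]},
    {"from": "Support <support@paychex-example.test>",
     "subject": "RE: Tax Verification documents",
     "attachments": ["Verification_Documents.doc"]},
    {"from": "Alice <alice@example.test>", "subject": "Re: lunch on Friday", "attachments": ["menu.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["subject"], "->", score_email(m))
```

A score of 0 is the benign case; any non-zero score is worth quarantining for analyst review, as ADP's own alert recommends forwarding such messages for analysis.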
TrickBot Attacks Are Getting More Elaborate
Unlike previous malware distribution campaigns, the three malicious operations mentioned above look as legitimate as possible. Albeit fake, the emails carrying the TrickBot banking Trojan look as if they came from real companies with real registered domains and actual employees. In other words, it is evident that the malware actors in charge have mastered the spear-phishing technique. What is more, since all three campaigns share a similar layout, it would hardly be surprising if they came from the same group of cybercriminals.