As Tax Season Looms, CPA Firms Targeted with Advanced Malware



Troy Gill

As the 2018 tax season gets underway, we want to make sure everyone is aware of the many dangers we see surrounding this event each year.

In fact, curiosity and uncertainty surrounding recent tax law changes may leave many individuals more susceptible to one of the many tax-themed attacks that we typically see this time of year. This past week we have already seen a bevy of attacks looking to capitalize on the tax season. These attacks come in many forms and aim to harvest users’ credentials, scam funds directly, and infect individuals and corporate networks.

Let’s look at a few of the attacks we currently are monitoring.

CPA firms target of tax season scams

One malware campaign that we have been tracking is specifically targeting CPA firms and attempts to infect them with the Adwind RAT. The emails are somewhat vague and come with an infected archive that contains the Java-based infection.

The attachment “W2[dot]zip” contains the Remote Access Trojan (RAT) known as Adwind.

This malware’s prevalence skyrocketed in 2017, and it has been widely distributed since. Adwind is particularly threatening because it is cross-platform: it is a Java-based Trojan capable of infecting not only Windows but also Linux, Mac and Android. Once the infection has taken place, it can harvest and exfiltrate many forms of data from the victim. This, of course, could pose a great risk to the CPA firms being targeted, since they handle private financial information with regularity. We also have seen some payload variation with this attack, as some messages have been utilizing malicious URLs embedded in PDF files.
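A mail-filtering check for the delivery pattern described above, a ZIP attachment carrying a Java payload, written as an added example that is not from the original article. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

JAVA_EXTS = (".jar", ".class")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # compiled Java class (also the Mach-O fat binary magic)

def java_members(zip_bytes, depth=0):
    """Return names of archive members that look like Java code."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    for info in zf.infolist():
        if info.is_dir() or info.file_size > 20_000_000:  # skip dirs and oversized members
            continue
        try:
            data = zf.read(info)
        except RuntimeError:  # password-protected member: judge by name only
            data = b""
        if info.filename.lower().endswith(JAVA_EXTS) or data[:4] == CLASS_MAGIC:
            hits.append(info.filename)
        elif data[:4] == b"PK\x03\x04" and depth < 2:
            # A JAR is itself a ZIP, so inspect nested archives by content, not by name.
            hits += [f"{info.filename}!{n}" for n in java_members(data, depth + 1)]
    return hits

def scan_message(raw_eml):
    """Map each ZIP attachment's filename to the Java members found inside it."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":
            hits = java_members(payload)
            if hits:
                findings[part.get_filename() or "(unnamed)"] = hits
    return findings

def build_sample():
    """Constructed message: W2.zip holding a placeholder file named W2.jar."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("W2.jar", b"constructed placeholder, not a real JAR")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="W2.zip")
    return msg.as_bytes()
```

Calling `scan_message()` on the raw bytes of a message returns an empty dict when no ZIP attachment contains Java content, so a non-empty result can be used to quarantine the message for review.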

More attacks ongoing

Another attack takes aim at users of online tax service provider TaxSlayer. These messages also serve up malware, via a malicious URL in the body of the message. The attacks pose as privacy and security updates, which is a very common technique used to dupe end users.

This attack is a great example of things to come for the email masses over the next several months.

Messages like this one, which use official company graphics, spoofed senders, security updates, etc., are sent by the millions and could APPEAR to come from a company or agency that is very familiar.

TIPS

When it comes to protecting yourself this tax season, remember the following:

Reputable companies and/or tax agencies such as TaxSlayer, TurboTax, etc. will never send attachments in unsolicited email.

If you get any notifications that require action on your end, reach out to the entity directly (not by email reply) for details.

Be skeptical of any unsolicited emails or phone calls requesting personal information from you.

For more tips to stay safe this tax season, check out these tips from The National Cybersecurity Society: How to protect your company during tax season