
Malspam Duet: Tax Season Phishing Campaigns Deliver LokiPWS and Emotet Malware

Alina BÎZGĂ

March 30, 2022


Every year during tax season, throngs of threat actors and scammers try to defraud the unwary by compromising their devices and data via phishing emails mimicking official tax-related correspondence.

According to researchers at Bitdefender Labs, malicious actors have been busy in the past week pursuing taxpayers across the globe in targeted malicious spam campaigns delivering two infamous credentials-stealing Trojans: LokiPWS and Emotet.

Campaign 1: Unpaid VAT and Loki password stealer

LokiPWS is a Trojan mainly targeting Windows and Android devices to steal sensitive information including usernames and passwords, cryptocurrency wallet data, and other credentials. Like many information-stealers, LokiPWS lets attackers steal sensitive data from infected machines leading to severe privacy issues and financial damage for its victims.

The first malspam campaign delivering LokiPWS was spotted on March 14. 93% of the malicious emails originate from IP addresses in the US.

The attacks spread to Europe and Asia, with 27% of the malicious emails landing in inboxes in the Czech Republic. South Korea received 15% of the malicious emails, followed by Ireland with 13%, India with 10%, the UK with 5%, and Romania, Hungary and Greece with 3% each. Additionally, 2% of the malicious emails ended up in inboxes in Ukraine and Germany.

The messages, which purport to come from the Domestic Tax Department, ask recipients to open an attachment named “Obligation Value Added Tax.rar” for more details about their unpaid VAT.

A second attempt at delivering LokiPWS was flagged by our researchers on March 18. Once again, 90% of the malicious emails were sent from IP addresses in the US. The threat actors focused on Ireland, which received 23% of the malicious emails by volume, followed by India with 16%, the UK and the Netherlands with 7% each, the US with 5%, and Denmark and Germany with 4% each.

The attackers updated the email body to include the tax period and a larger VAT amount, and renamed the attachment to “payment defaulter&VAT1.rar.”

Campaign 2: Emotet strikes ahead of tax filing deadline in the US

Since its appearance in 2014, the notorious banking Trojan Emotet has wreaked havoc across the globe, becoming a renowned malware-as-a-service (MaaS) provider used to distribute third-party malicious payloads onto infected devices.

On March 18, Emotet operators began sending thousands of malicious emails impersonating the Internal Revenue Service to American users. The first batch of phishing emails sent from IP addresses in Japan (37%) and Mexico (23%) mainly targeted the US, which received 89% of the entire volume of malicious correspondence. 6% also ended up in UK inboxes.

The attackers use a W-9 tax form (.zip attachment) as bait to infect unwary recipients and keep the email body plain and simple, adding a look of legitimacy to the correspondence by including the IRS logo and contact information.

A second attempt at compromising users was noticed the same day. The same attackers used a variation of the initial phishing emails, updating the attachment to a K-1 IRS form.

How to protect against tax-season scams and malicious phishing

With nearly a month until the April tax season deadline in the US, taxpayers should expect increased malicious activity and prepare accordingly.

While all Bitdefender customers benefit from real-time detection against LokiPWS and Emotet, we urge users to closely inspect any IRS-related correspondence they receive via email, text or direct messages on social media platforms.

In addition to a dedicated security solution to fend off phishing and malware, proper cyber hygiene is crucial to avoid falling victim to fraudsters and tax-related schemes:

  • Never respond to unsolicited correspondence posing as legitimate IRS notifications
  • Don’t provide banking information, PIN codes or passwords
  • Check for spelling and grammar mistakes
  • Don’t open attachments or click on embedded links
  • Always use complex and unique passwords for all your accounts, and enable two-factor authentication where possible
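For mail-security teams, the two campaigns above share a simple, machine-checkable pattern: a tax or VAT lure in the subject or body combined with a compressed attachment (.rar for the LokiPWS lure, .zip for the Emotet W-9/K-1 lure). The following Python triage heuristic is an added example, not code from this article or from Bitdefender Labs. The sample messages, the lure keyword list, the archive extension list and the trusted-sender domain list are constructed assumptions for illustration.

```python
"""Triage heuristic for tax-themed malspam carrying archive attachments.

Flags messages that pair a tax/VAT lure with a compressed attachment, the
pattern shared by the LokiPWS and Emotet campaigns described above.
All sample messages and lists below are constructed for this example.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Lure vocabulary drawn from the lures described above (VAT notice, IRS W-9 / K-1
# forms). Assumed list; tune it for your own environment.
TAX_LURE_TERMS = ("vat", "value added tax", "irs", "internal revenue", "w-9", "k-1", "tax")
# Archive types commonly used to wrap a first-stage payload (assumed list).
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img")
# Domains allowed to send tax correspondence (assumed placeholder).
TRUSTED_SENDER_DOMAINS = ("irs.gov",)


def attachment_names(msg):
    """Return the filenames of all attachment parts of a parsed message."""
    return [p.get_filename() or "" for p in msg.iter_attachments()]


def lure_hits(text):
    """Return the lure terms that appear as whole words in text (case-insensitive)."""
    lowered = text.lower()
    return [t for t in TAX_LURE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", lowered)]


def sender_domain(msg):
    """Extract the domain part of the From: address (empty if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Classify one raw RFC 5322 message; returns (verdict, reasons)."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    hits = sorted(set(lure_hits(str(msg.get("Subject", ""))) + lure_hits(body_text)))
    archives = [n for n in attachment_names(msg) if n.lower().endswith(ARCHIVE_EXTENSIONS)]
    reasons = []
    if hits:
        reasons.append(f"tax lure terms: {hits}")
    if archives:
        reasons.append(f"archive attachment(s): {archives}")
    domain = sender_domain(msg)
    if hits and domain and domain not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"tax lure from untrusted sender domain {domain}")
    # Lure plus archive is the malspam pattern; lure alone is worth a human look.
    verdict = "quarantine" if hits and archives else ("review" if hits else "pass")
    return verdict, reasons


# Constructed sample resembling the VAT lure (attachment name from the article;
# subject, sender and body text are invented).
SAMPLE_VAT = """From: Domestic Tax Department <notice@taxdept.example>
To: recipient@example.com
Subject: Obligation Value Added Tax
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document regarding your unpaid VAT.
--b1
Content-Type: application/octet-stream; name="Obligation Value Added Tax.rar"
Content-Disposition: attachment; filename="Obligation Value Added Tax.rar"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed benign message: no lure, no attachment.
SAMPLE_BENIGN = """From: Colleague <colleague@example.com>
To: recipient@example.com
Subject: Team lunch on Friday

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("VAT lure", SAMPLE_VAT), ("benign", SAMPLE_BENIGN)):
        verdict, reasons = triage(raw)
        print(f"{name}: {verdict} {reasons}")
```

The heuristic is deliberately conservative: an archive attachment by itself is not flagged, only its combination with a tax lure, which keeps false positives down on ordinary business mail while catching the exact pairing both campaigns rely on.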

With Bitdefender Total Security and XEDR, users and businesses enjoy the best anti-malware protection, threat detection and response against e-threats across all major operating systems. The real-time protection feature included in our security software protects against new and existing e-threats, including viruses, worms, Trojans, ransomware, zero-day exploits and spyware, keeping you and your data safe.

Note: This article is based on technical information courtesy of Bitdefender Labs
