Microsoft has warned accounting and tax return firms of a new phishing attack ahead of US Tax Day.



Benjamin Franklin once wrote, “The only two certainties in life are death and taxes”. With the annual US Tax Day approaching on Tuesday, April 18, we can add a third sure thing to the list: Internet scams. This week, Microsoft’s security division issued an alert on a new phishing scam targeting accounting and tax return firms ahead of Tax Day.

Microsoft’s blog post says the company first noticed the new scams in February. The attackers behind them hope to deliver the Remcos remote access trojan (RAT) to PCs. Remcos is designed to break into Windows PCs and gain administrator privileges remotely. Microsoft says:

While such social engineering lures are common around Tax Day and other big topic current events, these campaigns are specific and targeted in a way that is unusual. Targets of this threat are particularly organizations that deal with tax preparation, financial services, CPA and accounting firms, and bookkeeping and tax professional service firms.

Example of a Microsoft Phishing Email

Naturally, these types of firms get very busy at this time of year, with clients emailing them tax and financial information before Tax Day. Microsoft says the phishing campaign sent emails that appeared to come from a client of an accounting or tax firm. The emails contain a link to a real file-sharing service, which contains a real Amazon Web Services click-tracking link.

Unfortunately, anyone who clicks on that link is then taken to a file-sharing site where the attacker has placed Windows shortcut (.LNK) files. Microsoft says:

These LNK files generate web requests to actor-controlled domains and/or IP addresses to download malicious files. These malicious files then execute actions on the target device and download the Remcos payload, giving the actor potential access to the target device and network.

The good news for Windows PC users working in these financial firms is that Microsoft 365 Defender and Microsoft Defender Antivirus can detect these malicious files and prevent remote takeovers of their PCs. Of course, these users should always be suspicious of any email with links to file-sharing sites, especially from clients they don’t know.

