Browser-Based Threat Report: The Tax Day Tangle – Cybercriminals’ Taking Advantage of Stressful Season to Deliver Malware

As the April 18 tax deadline approaches in the United States, accountants and finance professionals are under immense pressure to file tax returns for their clients. Unfortunately, cybercriminals have been taking advantage of this time-sensitive and stressful period to launch a targeted phishing campaign with the goal of gaining unauthorized access to sensitive personal information. According to research done by Microsoft and covered in a recent DarkReading report, cybercriminals are utilizing well-crafted phishing emails and multiple URL redirections to bypass traditional security measures. 

The attacks begin with a carefully crafted phishing email sent to Certified Public Accountants (CPAs), accounting firms, and related companies handling tax information. In these emails, the attackers masquerade as existing clients, using subtle social engineering techniques to appear more legitimate. For example, some emails include lines like “I apologize for not responding sooner” and the subject line “Re: 2022,” implying an ongoing correspondence. The inclusion of a password-protected link labeled as “confidential” adds an air of security to the message, making it more believable.  

To evade detection by traditional cybersecurity tools, the phishing email contained a link that redirected the recipient through multiple legitimate services. The first redirection leads to an Amazon Web Services click-tracking service, followed by redirection to an ordinary file-hosting site. These layers of redirection serve to evade potential anti-malware detection. Ultimately, the link leads to a .ZIP file containing malicious files designed to trigger the download of the Remcos remote access Trojan (RAT), a malware capable of granting attackers the same level of privileges over the victim’s computer as the victim. 

Obviously, the timing of this attack is no coincidence. Cybercriminals strategically initiated the campaign in February, coinciding with the busiest time of year for accountants and finance professionals. They recognized that professionals working long hours and responding to numerous emails late at night might be more susceptible to making mistakes or clicking on malicious links.  

Fortunately, Conceal’s secure browser extension, ConcealBrowse, can play a vital role in protecting users. ConcealBrowse acts as a proactive security layer, making real-time decisions about the security risk associated with internet use and automatically isolating risky transactions without interrupting the user. It opens risky sites in an isolated environment, ensuring that no malicious code or files are ever executed on the user’s device. Multiple browser redirect strategies like the one implemented in this attack cannot evade detection by ConcealBrowse, as every URL loaded into the browser is checked in real-time. So, even if the first malicious URL is the third in a series of redirects, ConcealBrowse will identify the URL as malicious and take appropriate action. 

The Remcos RAT phishing campaign serves as yet another reminder of the evolving tactics used by cybercriminals to exploit vulnerabilities in human behavior. With the use of social engineering and multiple URL redirections, attackers can bypass traditional security measures. However, ConcealBrowse can provide a robust extra layer of defense against such attacks. As Tax Day approaches, we urge individuals and organizations to exercise caution and utilize tools like ConcealBrowse to mitigate the risk of falling victim to cyber-attacks. Click here to sign up for a live demo of ConcealBrowse and see how it can help protect your organization today.