
Cybercriminals deliver IRS tax scams and phishing campaigns by mimicking government vendors


None of the involved hosts had previously been ‘blacklisted’, nor did any of them show signs of negative IP or abnormal domain reputation:

[Screenshot: domain reputation lookup]

The HTML attachment carrying the fake IRS invoice contains obfuscated JavaScript.


Further analysis uncovered embedded logic that detects the victim’s IP address (using a GEO2IP module deployed on a third-party website), most likely to select targets or filter them by region.

[Screenshot: GEO2IP lookup in the de-obfuscated script]

After the user opens the HTML attachment, the phishing script prompts them to enter their credentials through an interactive form that impersonates the Office 365 sign-in page.


Once the user enters their credentials, the phishing kit automatically attempts to verify access to the victim’s e-mail account over the IMAP protocol:

[Screenshot: IMAP access check]

Based on the de-obfuscated JS content, the actors were using the domain “supportmicrohere[.]com”. The threat actors likely chose this similarly spelled domain to impersonate Microsoft Technical Support and trick the user.

[Screenshot: supportmicrohere[.]com referenced in the script]

The script intercepts the entered credentials and passes them on via an HTTP POST request:

[Screenshot: credential interception code]

The HTTP POST transmits the login and password to a script deployed on jbdelmarket[.]com:


The domain jbdelmarket[.]com hosts a set of scripts that analyze the victim’s IP address:

[Screenshot: IP analysis scripts on jbdelmarket[.]com]

The actors log all hosts accessing the phishing page:


Notably, the header of the phishing e-mail contains several domain names with SPF records and DKIM:

[Screenshot: e-mail header with SPF and DKIM entries]

Additionally, the attackers leveraged e-mail header fields including X-accountcode (“USIRS”), X-Destination-ID and X-ReportingKey (hellenanichols@hotmail[.]com).

[Screenshot: custom X- header fields in the phishing e-mail]

The phishing e-mail also had a Return-Path field set to another attacker-controlled address, which collects information about e-mails that could not be delivered. Return-Path is the address to which bounces are sent, so it determines where and how bounced messages are processed.
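As an added example (not code from the article or from Resecurity), the following Python checks a raw e-mail for the traits described above: the custom X-accountcode / X-Destination-ID / X-ReportingKey headers, a Return-Path domain that differs from the From domain, and an HTML attachment. The sample message and every address in it are constructed placeholders, not the campaign's indicators.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the traits described in the article.
# All addresses and domains are placeholders, not indicators from the campaign.
SAMPLE_EMAIL = """\
Return-Path: <bounces@bounce-collector.invalid>
From: "IRS Billing" <billing@vendor-lookalike.invalid>
Subject: Invoice overdue
X-accountcode: USIRS
X-Destination-ID: 0001
X-ReportingKey: reports@collector.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><script>/* obfuscated lure would be here */</script></html>
--b1--
"""

# Custom headers the kit sets; none of them is a standard mail header.
TRACKING_HEADERS = ("X-accountcode", "X-Destination-ID", "X-ReportingKey")

def domain_of(header_value):
    """Lower-cased domain part of the first address in a header value."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def html_attachments(msg):
    """Filenames of attached HTML parts, the lure format used in this campaign."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"
            and p.get_content_type() == "text/html"]

def score_message(raw):
    """Return a list of findings; an empty list means none of the traits matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    present = [h for h in TRACKING_HEADERS if msg[h] is not None]
    if present:
        findings.append("tracking headers: " + ", ".join(present))
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    findings.extend(f"HTML attachment: {name}" for name in html_attachments(msg))
    return findings
```

A Return-Path that differs from the From domain is common for legitimate bulk mail, so treat that finding as a weight in a score rather than a verdict on its own.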

IOC:

  • crownedbydivinity[.]com
  • jbdelmarket[.]com
  • supportmicrohere[.]com
  • hellenanichols@hotmail[.]com
  • a9fc34f544eccacf9641f141a830aac9

[Screenshot: sample phishing e-mail]

The Resecurity HUNTER team shared information about the identified phishing campaign with the Internal Revenue Service (IRS), Online Fraud Detection and Prevention (OFDP), and the Treasury Inspector General for Tax Administration (TIGTA) Hotline. We encourage Internet users to be especially careful when receiving such e-mails and to validate them first without opening the attachments, as doing so may compromise your digital identity and/or e-mail account and lead to data theft.

For independent security researchers and the cybersecurity community, we are sharing a sample of the phishing e-mail caught by our cyber threat intelligence system for further review, to improve detection of similar campaigns in the future.

Source: https://www.helpnetsecurity.com/2022/04/28/irs-tax-scams-phishing-mimicking-government-vendors/


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO