U.S. Taxpayers Targeted by Phishing Emails Delivering the Amadey Botnet


Digital attackers are using a phishing campaign to target taxpayers located in the United States with the Amadey botnet. First detected by Cofense in mid-September 2019, the attack begins when a user receives an email purporting to originate from the U.S. Internal Revenue Service (IRS).

The body of the email informs the recipient that they are eligible for a tax refund and that they can use a one-time username and password to claim their refund by clicking the “Login Right here” button and subsequently authenticating themselves. For those who comply and click the button, the campaign redirects them to a fake IRS login page hosted at hxxp://yosemitemanagement[.]com/fonts/page5/.

The researchers explained what happens next in their analysis of the attack:

Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script [VBS] dropper.
Once executed, the obfuscated and encrypted VBS script decrypted itself and dropped “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. This executable, in turn, installed “kntd.exe” in C:\ProgramData\0fa42aa593 and ran the main process for Amadey.

First detected in early 2019, Amadey is a botnet that was available for sale on at least one Russian underground forum. A license for Amadey was just $600 at the time of KrabsOnSecurity’s analysis. Even so, researchers thought this amount was somewhat high, as they found Amadey to be a “very simplistic bot that is quite honestly poorly made.”

Once executed in this latest attack campaign, Amadey established persistence using Reg.exe. It then beaconed out to its command-and-control (C&C) channels over port 80 and began sending out system diagnostic information. This information included the version of Amadey used to infect the system along with the compromised host’s operating system and any anti-virus software installed on the machine. After sending over these and other pieces of data, the botnet waited for further instructions from its multiple C&C servers.
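The infection chain described above (a VBS dropper launched by a script host, an executable written to the user's Temp directory, a second executable installed under a randomly named C:\ProgramData folder, and Reg.exe used for persistence) is the kind of sequence a process-creation feed makes visible. The following detector is an added example and is not code from Cofense or from the article; it runs three heuristics over a constructed set of process-creation events modelled loosely on Sysmon Event ID 1. The file names, the "Byte" user and the hex directory are taken from the text, while the rule names, the parent/child relationships and the benign noise events are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of process-creation events (parent image, child image,
# command line). The four malicious rows follow the chain in the article; the
# last two rows are benign noise that the rules must not flag.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Byte\AppData\Local\Temp\Temp1_document.zip\document.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Byte\AppData\Local\Temp\ZjOexiPr.exe",
     "cmdline": r"C:\Users\Byte\AppData\Local\Temp\ZjOexiPr.exe"},
    {"parent": r"C:\Users\Byte\AppData\Local\Temp\ZjOexiPr.exe",
     "image": r"C:\ProgramData\0fa42aa593\kntd.exe",
     "cmdline": r"C:\ProgramData\0fa42aa593\kntd.exe"},
    {"parent": r"C:\ProgramData\0fa42aa593\kntd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v kntd /t REG_SZ /d "C:\ProgramData\0fa42aa593\kntd.exe" /f'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# An .exe sitting directly in the user's Temp folder.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# An .exe inside C:\ProgramData\<8+ hex characters>\, as in the article's sample.
PROGRAMDATA_HEX_RE = re.compile(r"^C:\\ProgramData\\[0-9a-f]{8,}\\[^\\]+\.exe$", re.IGNORECASE)
# A Run / RunOnce autostart key being written through reg.exe.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
REG_ADD_RE = re.compile(r"\bADD\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on a single event."""
    hits: List[str] = []
    parent = basename(event["parent"])
    image = event["image"]
    cmd = event["cmdline"]
    if parent in SCRIPT_HOSTS and TEMP_EXE_RE.search(image):
        hits.append("script_host_launched_exe_from_temp")
    if PROGRAMDATA_HEX_RE.match(image):
        hits.append("exe_in_random_programdata_dir")
    if basename(image) == "reg.exe" and RUN_KEY_RE.search(cmd) and REG_ADD_RE.search(cmd):
        hits.append("reg_exe_run_key_persistence")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, hit) for i, event in enumerate(events) for hit in evaluate(event)]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule on its own is noisy (installers legitimately write under ProgramData, and administrators do add Run keys), so in practice these hits are worth correlating along the parent/child chain: one process tree that triggers all three within a few seconds is a far stronger signal than any single event. Note that a `reg.exe QUERY` of the same key, as in the last sample row, deliberately does not fire.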

Not the First Off-Season Tax-Themed Scam

Digital fraudsters are known to target U.S. taxpayers during peak tax filing season, usually the first few months of the year. But as the IRS notes in every release of its annual scam list, these attacks can and do occur year-round.

In June 2019, for instance, the Michigan Department of Treasury warned taxpayers to be on the lookout for letters that purported to originate from the IRS. Those pieces of correspondence masqueraded as overdue tax bills that attempted to scare recipients into thinking the IRS was going to seize their property, bank accounts and income. Some of those letters even referenced recipients’ actual outstanding debts by using information that was publicly available on the web.

According to that warning, these fake letters’ mission was to trick taxpayers into calling a toll-free number and making a payment to what they thought was the IRS. It was about a month later that a review of data provided by the Federal Trade Commission (FTC) found that scams impersonating government entities including the IRS had reached an all-time high. Over the first half of 2019, the FTC received 209,000 reports from consumers, reported CNN. That’s nearly the same amount that consumers sent to the FTC for all of 2018.

How to Defend Against a Tax-Themed Scam

Security professionals can defend against tax-themed scams by strengthening their organization’s email security. They can do so by investing in a solution that analyzes incoming emails for suspicious indicators based on their URLs, originating IP addresses and other attributes. It should conduct these evaluations in real time while allowing legitimate emails to make their way through.
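To make the indicator-based analysis above concrete, here is an added example (not code from the article or from any vendor) that inspects a raw message for three of the signals this campaign exhibits: a From address claiming the IRS brand without a passing SPF/DKIM result recorded upstream, body links that point outside the brand's domain or use plain HTTP, and archive attachments of the kind that carried the VBS dropper. The lure text and the link host are the ones the article quotes (it defangs the URL as hxxp://...); the sender address, the recipient, the `BRAND_DOMAIN` table-of-one and the second, zip-carrying sample are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Assumption: the brand this mail claims to come from. A real gateway would
# hold a table of impersonated brands and their legitimate domains.
BRAND_DOMAIN = "irs.gov"

# Constructed lure modelled on the campaign; the link host is the one quoted in
# the article, the sender address and recipient are invented.
SAMPLE_RAW = (
    'From: "Internal Revenue Service" <refunds@irs.gov>\n'
    "To: taxpayer@example.com\n"
    "Subject: Your tax refund is ready\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>You are eligible for a tax refund. Use your one-time "
    "username and password to claim it.</p>\n"
    '<p><a href="http://yosemitemanagement.com/fonts/page5/">Login Right here</a></p>'
    "</body></html>\n"
)

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")


def host_in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw: str) -> List[str]:
    """Return the indicator names found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Sender: the From header is trivially spoofable, so what matters is
    #    whether the receiving gateway recorded a passing SPF or DKIM check.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    if host_in_domain(sender_domain, BRAND_DOMAIN) and "dkim=pass" not in auth and "spf=pass" not in auth:
        findings.append("brand_sender_without_auth_pass")

    # 2. Links: every href in the body should stay under the brand's domain
    #    and use HTTPS.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in HREF_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host_in_domain(host, BRAND_DOMAIN):
            findings.append(f"link_off_brand:{host}")
        if parsed.scheme == "http":
            findings.append(f"link_plain_http:{host}")

    # 3. Attachments: an archive was the delivery vehicle in this campaign.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXT):
            findings.append(f"archive_attachment:{name}")
    return findings


def build_attachment_sample() -> str:
    """Constructed second sample: the same lure, delivered with a zip attached."""
    m = EmailMessage()
    m["From"] = '"Internal Revenue Service" <refunds@irs.gov>'
    m["To"] = "taxpayer@example.com"
    m["Subject"] = "1 pending refund"
    m.set_content("Please download, print and sign the attached document.")
    # A few placeholder bytes stand in for the archive; only the name matters here.
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="document.zip")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("link lure", SAMPLE_RAW), ("zip lure", build_attachment_sample())):
        print(f"{label}: {analyze(raw) or 'no indicators'}")
```

The sender check is deliberately conservative: it does not try to verify SPF or DKIM itself but relies on the `Authentication-Results` header that the organization's own border MTA adds, which is where that verification belongs. A message that passes all three checks is not proven safe; the point of the example is that these checks can run in-line on every message without holding up mail that carries no indicators.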
