IRS Phishing Emails Used to Distribute Emotet


Security experts have warned US taxpayers not to fall for a new phishing campaign that uses the IRS as a lure to install the notorious Emotet Trojan on their machines.

Scammers have long used tax filing season as an opportunity to trick consumers, and the latest attempt spotted by Malwarebytes is no different.

The phishing emails in question contain the subject “IRS Tax Forms W-9” and a spoofed sender address of “IRS Online Center.”

The short message contained in the body of the email is riddled with typos. A 709KB “W-9” attachment contains a 548MB Word doc titled “W-9 form.doc.”

Malwarebytes malware intelligence analyst Chris Boyd said the size marks it out as suspicious.

“You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background,” he explained.

“Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools. This is because the large file size may prove too difficult for the tools to get a handle on and properly analyze.”
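As an added defensive illustration (not code from the article or from Malwarebytes), the script below checks an attachment archive for the two tells described above: an extreme expansion ratio between the archive and the document it holds, and a document body that is mostly padding. It assumes the attachment is a zip archive, as the 709KB/548MB figures imply, and builds its own constructed, scaled-down sample rather than using the real lure.

```python
import io
import os
import zipfile

# Constructed stand-in for the attachment: a small document body followed by
# zero bytes, mirroring the 709KB archive / 548MB document ratio at a smaller scale.
SAMPLE_PAYLOAD = b"W-9 form body (constructed sample text)\n" * 1000
BENIGN_PAYLOAD = os.urandom(20_000)  # incompressible, unpadded control case


def build_sample_archive(payload: bytes, pad_bytes: int) -> bytes:
    """Zip a payload followed by pad_bytes of zeros, entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("W-9 form.doc", payload + b"\x00" * pad_bytes)
    return buf.getvalue()


def trailing_zero_run(stream, chunk: int = 1 << 20):
    """Stream a member and return (length of trailing zero run, total bytes)."""
    run = total = 0
    while True:
        block = stream.read(chunk)
        if not block:
            return run, total
        total += len(block)
        stripped = block.rstrip(b"\x00")
        if len(stripped) == len(block):
            run = 0                           # block ends in data: no run
        elif stripped:
            run = len(block) - len(stripped)  # run starts inside this block
        else:
            run += len(block)                 # block is all zeros: extend run


def inspect_archive(archive: bytes, ratio_threshold: float = 100.0,
                    pad_threshold: float = 0.9) -> list:
    """Flag members with an extreme expansion ratio or a mostly-zero tail."""
    # Sizes come from the zip headers; each member is streamed, not loaded
    # whole, so a multi-hundred-megabyte decoy does not exhaust memory.
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            with zf.open(info) as member:
                zeros, total = trailing_zero_run(member)
            pad_fraction = zeros / total if total else 0.0
            findings.append({"name": info.filename, "ratio": round(ratio, 1),
                             "pad_fraction": round(pad_fraction, 3),
                             "suspicious": ratio >= ratio_threshold
                             or pad_fraction >= pad_threshold})
    return findings
```

A ratio in the hundreds with a tail that is over 90% zeros is the signature of a padded decoy; a genuine document of similar nominal size compresses far less and carries no such tail.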

The scammers then try to persuade the recipient to enable macros, which initiates the Emotet download.


“Emotet has been around since 2014. Originally created as a banking Trojan, later versions added malware delivery and spam services,” Boyd explained. “Mostly featuring in email spam campaigns, a big focus of fake mails helping to deliver the infection include subjects like parcel shipping, invoices and other forms of payment.”

Emotet was recently highlighted by Malwarebytes as one of the top five biggest threats to businesses this year. Despite the botnet’s infrastructure being severely disrupted by law enforcement in January 2021, it subsequently resurfaced and remains a popular tool for cyber-criminals.

Boyd said US taxpayers should file early and beware of suspicious refunds, fake banking portals and emails pressuring them into filing refunds.
