Cybercriminals Exploit Tax Season: Stay Alert to Scams

AHKBot, BruteRatel C4, GULoader, Install Patches, malicious emails, malicious sites, Ophtek, Phishing Email, Tax Scams, Update Software, , , , , , , ,
10
Apr 2025

Cybercriminals are exploiting the urgency of tax season to launch phishing scams aimed at stealing personal and financial data.

Once again, the tax filing deadline is fast approaching for Americans and cybercriminals are preparing to take advantage of this seasonal chaos. Microsoft has recently issued a warning about a surge in tax-themed phishing campaigns targeting both individuals and businesses. These scams are designed to look convincing – often replicating official communications from the IRS or trusted tax companies– and are very successful at tricking people into revealing sensitive data or installing malware.

Luckily, Ophtek has your back and we’re here to give you some advice on how you can stay safe.

Understanding Tax-Related Phishing Scams

At the core of these scams are phishing emails which use urgency and fear to catch victims off guard and cause them to commit an action. The emails may, for example, claim there’s a problem with your tax filing, warn of an audit, or promise that a tax refund is due. These emails often contain subject names such as “EMPLOYEE TAX REFUND REPORT” or “Tax Strategy Update Campaign Goals” which, once opened, can install malicious software.

Typically, the emails also contain PDF attachments – with names such as lrs_Verification_Form_1773.pdf – which are used to redirect users to malicious website containing malware. In certain cases, the emails also include links or QR codes that redirect users to fake websites made to resemble genuine tax portals. The goal is simple: get users to enter their personal or financial details or download malware.

But not all of these phishing emails are easily identifiable as threatening or suspicious. Some start with relatively harmless messages to build trust. Once the target feels comfortable, follow-up emails are used to introduce more dangerous content. This makes it more likely the user will activate a malicious payload compared to an email received out of the blue. A wide range of malware has been observed in these attacks with GuLoader, AHKBot, and BruteRatel C4 just a few of those involved.

Protect Your Finances and Your Tax Returns

The financial and personal impact of these attacks can be significant for victims. As well as the potential financial loss, those affected often face further headaches in the form of frozen credit, blacklisting, and stolen tax refunds. For businesses, the consequences can extend to data breaches, costly compliance violations, and significant downtime. Accordingly, you need to tread carefully during tax season and make sure you follow these best practices:

  • Verify Email Authenticity: It’s crucial that you check the authenticity of all emails you receive, especially those which call for an urgent action to be performed. Always check the email address of emails received and make sure they’re not using an unusual domain spelling e.g. I-R-S@tax0ffice.com
  • Be Careful of Attachments and Links: Never open attachments from unknown sources as these could easily contain malware. Likewise, be careful when dealing with links – hover your mouse cursor over any suspicious links to reveal the genuine destination and Google the true URLs to identify any potential threat.
  • Keep Your Software Updated: Finally, make sure that your software is always up-to-date and has the latest security patches installed. This can strengthen your cyber defenses and make it much harder for threat actors to take advantage of software vulnerabilities.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Taiwan Businesses Targeted by Winos 4.0 Malware

malicious emails, National Taxation Bureau, Ophtek, Phishing, Silver Fox, Taiwan, Win 4.0, , , , , , ,
01
Apr 2025

A recent cyberattack has targeted Taiwanese companies using phishing emails which appear to be from Taiwan’s National Taxation Bureau.

In this attack, cybercriminals sent phishing emails to businesses in Taiwan, pretending to be officials from the National Taxation Bureau. These emails contained malicious attachments designed to infect victims’ computers with malware. The threat actors’ aim was to steal sensitive information and gain unauthorized access to IT infrastructures, enabling the attackers to have easy access to secure data.

How Did the Winos Attack Unfold?

The threat actors created emails which, at a quick glance, appeared official and claimed to provide a list of companies scheduled for tax inspections. The recipients were urged to download a zip file containing this list. However, contained within this ZIP file was a dangerous DLL file named lastbld2Base.dll. Once this file was activated, it set in motion a series of malicious actions – the most prominent of which was to download the Winos 4.0 malware. Winos 4.0 allowed the threat actors to take screenshots, record keystrokes, and remotely execute commands on the infected devices.

Once installed, Winos 4.0 gave the attackers deep access to the compromised systems. This access made the malware a powerful tool for carrying out espionage, especially given that the main targets appeared to be corporate businesses. These types of targets allowed the threat actors to gain access to huge amounts of personal data, rather than targeting individuals one at a time to harvest such data.

Security researchers believe that a hacking group known as Silver Fox are the perpetrators behind the attack. Silver Fox has a history of targeting Chinese-speaking users and has previously been observed using fake software installers and malicious game optimization apps to deceive victims.

Protecting Yourself from Such Attacks

This incident is further evidence that phishing campaigns are becoming more deceptive and underlining the importance of social engineering tactics for hackers. Many people glance over their emails quickly and, if they see an official and trusted government logo, the chances are that they’ll believe it’s genuine. However, it’s important that you and your employees stay safe, so make sure you practice the following:

  • Be Careful with Email Attachments: Always double check the authenticity of and email before downloading or opening email attachments, especially if they are unexpected or urge you to perform a specific action. If an email claims, for example, to be from a government agency, visit the official website to confirm its legitimacy before opening any attachments.
  • Keep Software Updated: Regularly updating your operating system and security software is crucial for protecting your PCs against known vulnerabilities. Many cyberattacks take advantage of outdated software with numerous vulnerabilities, so keeping your system up to date should be a priority at all times.
  • Educate Employees: Ensuring that your staff can recognize phishing attempts is crucial in 2025, as is carrying out safe email practices to prevent accidental exposure to malware or malicious links. Implementing cybersecurity awareness programs should be a priority for your IT inductions. Regular refresher courses should also be to help consolidate this learning.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Lazarus Exploits Open-Source Software and Infects it

cyberattack, data-stealing malware, Lazarus, North Korea, Ophtek, SecurityScorecard, , , , , ,
25
Feb 2025

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority being located in Europe, India and Brazil. SecurityScorecard were keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A powerful hacking group, Lazarus has the potential to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

  • Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
  • Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
  • Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Threat Actors Start Hiding Malware within Website Images

archive.org, generative AI, malicious code, Obj3tivityStealer, Ophtek, Phishing, VIP Keylogger, website images, , , , , , ,
11
Feb 2025

Cybercriminals are increasingly embedding malware within website images to evade detection and compromise IT systems.

Recent investigations have revealed a growing trend among threat actors: hiding malicious code within image files hosted on trusted websites. This approach allows the attackers to bypass traditional security measures, which tend to trust well-known and widely used websites. As ever, the attack begins with a phishing email designed to trick the victim into unleashing the malware. The phishing email in question has taken numerous forms such as invoices or purchase orders. Once opened, the file exploits a Microsoft Office vulnerability.

Emails are an essential part of business, so it’s crucial that you understand how this attack works to keep your IT infrastructure safe.

Unpacking the Image Attack

The vulnerability at the heart of the attack can be found in Microsoft Office’s Equation Editor (CVE-2017-11882). This vulnerability enables a malicious script to run, downloading an image file from a trusted website (such as archive.org). The image may, to the average PC user, look harmless, but hidden within its metadata is a malicious code. This is used to automatically install spyware and keyloggers such as VIP Keylogger and Obj3tivityStealer. These slices of malware allow the threat actors to monitor your systems, harvest sensitive data, and gain access to financial information.

What’s interesting – or disturbing, depending on your perspective – about the attack is that it appears to harness the power of AI. Cybercriminals are increasingly turning to generative AI to create convincing phishing emails, malicious scripts, and even HTML web pages which can host malicious payloads. This is making attacks much easier to launch while also lowering the barriers to entry around your IT networks.

Keeping Your IT Systems Secure

No business wants keyloggers and spyware downloaded onto their IT infrastructure, so it’s vital that you keep it secure and protected. It’s impossible to keep it 100% safe, but you can optimize its strength by following these three tips:

  1. Regularly Update Your Software: make sure all your software, especially Microsoft Office applications, is up to date. Software developers release regular updates to patch vulnerabilities – like CVE-2017-11882 – which attackers seek to exploit. As well as enabling automatic updates, schedule regular checks for patches to ensure that critical updates are not missed. And remember, this applies to all software on your networks.
  2. Use Advanced Email Security: always utilize email filtering tools to automatically block phishing emails before they reach your staff. These highly effective solutions can scan all incoming messages for suspicious links, attachments, or blacklisted senders to prevent them from reaching your employee inboxes. Also, make sure your team are educated on the danger signs of a phishing email. Regular training and refresher sessions can help maximize the security of your first-line defenses.
  3. Monitor Network Activity: Use network monitoring tools to detect unusual activities, such as unexpected downloads or unauthorized connections. These tools can indicate potential threats early, allowing you to respond quickly before threat actors secure a foothold within your systems. Make sure that you establish a program of regular reviews for your activity logs, this approach will enable you to spot anomalies and take action.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malicious Chrome Extensions Threaten Millions

Bard AI Chat, ChatGPT, Cyber Attack, Facebook Ads, Google Chrome, Google Meet, malware, Ophtek, Phishing, , , , , , ,
04
Feb 2025

A recent cyberattack has compromised several popular Google Chrome extensions, infecting millions of users with data-stealing malware.

In early January 2025, cybersecurity researchers at Extension Total discovered a malicious campaign targeting Chrome extensions which offer AI services. The threat actors hijacked at least 36 extensions – including Bard AI Chat, ChatGPT for Google Meet, and ChatGPT App – with approximately 2.6 million users affected. This widespread attack has raised the alarm among users and software developers as, previously, these extensions were highly trusted.

With 3.45 billion people using Chrome as their browser, it’s no surprise that threat actors would target it. This attack is especially ingenious, so we’re going to take a deep dive into it.

How Were the Chrome Extensions Compromised?

The affected extensions may be named after popular AI tools like Bard and ChatGPT, but they are third-party applications with no development from Google or OpenAI. Third-party extensions can, of course, be legitimate, but these compromised extensions were far from helpful. Instead, they were used to deliver fake updates containing malware.

The malware was designed to steal sensitive user information, specifically targeting data related to Facebook Ads accounts. Therefore, this posed a significant threat to businesses which rely on Facebook for marketing and sales. With this stolen data, the threat actors could use it for unauthorized access, financial and identity theft, or to fuel phishing attacks.

In response to the attack, many of the affected extensions have been removed from the Chrome Store to limit further infections. However, others remain available, exposing users to the malware. Chrome, as we’ve already mentioned, is hugely popular with around 130,000 extensions are available to install. The risk of a security incident, as you would imagine, is high; this recent attack underscores the importance of practicing vigilance when installing extensions.

Staying Safe from Rogue Chrome Extensions

Browser extensions are designed to help users by enhancing functionality and making everyday browsing easier. However, this recent attack has also demonstrated that they’re a security risk. Ophtek wants to keep you safe from similar attacks, so we’ve put together our top tips for protecting your PC from rogue extensions:

  • Install Extensions from Trusted Sources: you should only ever download extensions from reputable developers and official web stores. Before hitting that install button, always carry out some research on the developer, read user reviews, and check ratings to assess how legitimate it is.
  • Limit Extension Permissions: extensions often require permissions to function correctly on your PC but be very careful of any extension which requests a long list of permissions e.g. access to browsing data, microphone control, and cookies. You should only ever grant permissions to what is necessary for the extension to operate. If in doubt of a permission request, seek help from an IT professional.
  • Update Extensions: always ensure your extensions are kept up to date, as developers often release patches to fix security vulnerabilities. Regularly check for updates and keep an eye out for any unusual browser behavior such as strange pop-ups, redirects to other sites, or performance issues. Additionally, if you have extensions you no longer use, remove these to reduce your exposure to risk

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 14