IRS Tax Avoidance Scam
There is a current fraudulent email campaign, the IRS Tax Avoidance scam. An example of the fraudulent email is below; it prompts the user to open a “balance report” attachment. Because the attachment appears to be a Word file, most users will readily trust it and open it to find out more.
The file is actually in Rich Text Format (RTF) and contains a hidden executable. Upon opening the file, an error is reported and the user is asked to double-click to restart Word. Doing so launches the executable, as shown below, and most unsuspecting users allow the malicious file to run.
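The two properties just described, an attachment whose extension claims Word but whose content is RTF, and an RTF that carries an embedded object whose payload is a PE executable, can both be checked before a user ever opens the file. The following triage script is an added example, not code from the original post or from zvelo; the function names and the constructed samples are my own, and the samples are harmless stand-ins, not real malware.

```python
# Added example (not from the original post): triage a "Word" attachment that is
# really RTF with an embedded executable, as in the IRS scam described above.
import re
from binascii import hexlify

RTF_MAGIC = b"{\\rtf"
# RTF control words that carry embedded OLE objects; \objdata holds the object as hex text
OBJECT_WORDS = (b"\\object", b"\\objemb", b"\\objdata")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _objdata_blobs(data: bytes):
    """Decode every hex-encoded \\objdata payload in an RTF document into raw bytes."""
    for m in OBJDATA_RE.finditer(data):
        hextext = re.sub(rb"\s+", b"", m.group(1))
        hextext = hextext[: len(hextext) - len(hextext) % 2]  # drop a dangling nibble
        yield bytes.fromhex(hextext.decode("ascii"))


def triage_attachment(name: str, data: bytes) -> dict:
    """Return indicators: the extension lies about the format, the RTF embeds an
    OLE object, and the object payload carries a PE ("MZ") header."""
    claims_word = name.lower().endswith((".doc", ".docx"))
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    embedded_object = is_rtf and any(w in data for w in OBJECT_WORDS)
    embedded_pe = is_rtf and any(b"MZ" in blob for blob in _objdata_blobs(data))
    verdict = {
        "extension_mismatch": claims_word and is_rtf,
        "embedded_object": embedded_object,
        "embedded_pe": embedded_pe,
    }
    verdict["suspicious"] = embedded_pe or (verdict["extension_mismatch"] and embedded_object)
    return verdict


# Constructed samples (not real malware): an RTF named like a Word file that wraps a
# fake OLE object whose payload begins with a PE header, and a plain RTF note.
_FAKE_OLE = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"MZ\x90\x00" + b"not a real program"
MALICIOUS_SAMPLE = (
    b"{\\rtf1\\ansi Balance report {\\object\\objemb{\\*\\objdata " + hexlify(_FAKE_OLE) + b"}}}"
)
BENIGN_SAMPLE = b"{\\rtf1\\ansi Quarterly notes, nothing embedded.}"

if __name__ == "__main__":
    print(triage_attachment("balance_report.doc", MALICIOUS_SAMPLE))
    print(triage_attachment("notes.rtf", BENIGN_SAMPLE))
```

A mail gateway or sandbox can run the same checks on every attachment and quarantine anything flagged suspicious rather than relying on the user to notice the fake error dialog.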
Two processes, microsoft.exe and wks.exe, are started and added to Windows startup so that they run on subsequent boots. They send data back to the attacker over HTTP connections to their call-home destinations. zvelo is flagging these sites as Malicious to protect any victims of this attack.
These call-home destinations are even disguised as a Google search page, so that web filtering companies and automated systems may categorize the site as a search engine rather than as malicious.
At the time of writing, VirusTotal reports only a 25% detection rate on the most recent samples.
Users should be very cautious with any unsolicited emails, particularly those containing an attachment. The IRS will never email you if they need to contact you, and any emails appearing to come from them are very likely malicious scams. As noted on the IRS website, “The IRS does not initiate taxpayer communications through email.”