- Hackers exploit US Tax Day rush with phishing and malware
- Fake tax form sites promoted via Google Ads drop ScreenConnect and disable defenses
- Campaign paves the way for ransomware, and has also been seen using fake Chrome updates
Cybercriminals are once again taking advantage of the short time left before the upcoming tax filing deadline to deploy malware and ransomware on people’s computers, experts have warned.
The April 15 tax deadline, also simply known as Tax Day, is the last day most Americans have to file their federal income tax return and pay the taxes they owe.
As many wait until the very last moment to file, they rush to do so and, as security researchers at Huntress put it, “trust the first Google result they see.”
No bragging rights
Huntress says it is seeing an increase in people searching for specific U.S. tax forms, such as W-2 or W-9. Hackers exploit this by creating fake landing pages and promoting them through Google Ads.
As a result, when people search for these terms, they often land on malicious pages where they are served ScreenConnect (now commonly known as ConnectWise Control), a legitimate remote access tool often abused for malicious purposes.
Researchers say the attack targets all kinds of people, from employees and small businesses to freelancers and contractors. Before running the remote access tool, attackers first drop a kernel driver that disables security tools such as Windows Defender.
“Across our customer base, we have reported over 60 instances of malicious ScreenConnect sessions related to this campaign being used as an initial access vector,” Huntress highlighted.
Although the tax lure is currently in vogue, it is not the only method used. Huntress claims to have also seen a fake Chrome update page with JavaScript comments in Russian, “suggesting a broader social engineering toolkit and a Russian-speaking developer.”
This campaign appears to be only the first step in a multi-stage attack. At this point, the crooks establish a presence and harvest credentials, likely in preparation for deploying ransomware.




