Image: Tax scam (Olga Delawrence via Unsplash/Photomosh)

‘Tactical Octopus’ hackers using tax-related phishing scams to spread malware

Researchers are warning about a group of hackers that are using tax-related email lures to spread dangerous malware.

Cybersecurity experts at Securonix said they have been tracking the group known as TACTICAL#OCTOPUS for months in advance of the April 18 U.S. tax deadline, finding that they are using seemingly valid employee W-2 tax documents, I-9 forms, and real estate purchase contracts to get people to download malware that gives the hackers wide-ranging access to devices.

The attacks typically start with emails that contain password-protected .zip files with tax-related names like “TitleContractDocs.zip” or “JRCLIENTCOPY3122.zip.” Within the .zip file is a single image file, typically a .png, and a .lnk file.

“Code execution begins when the user double-clicks the shortcut file,” the researchers said. “The TACTICAL#OCTOPUS campaign is overall relatively complex from an initial compromise standpoint.”

Other files, including a fictitious PDF, are then downloaded onto the victim's computer and eventually opened in the default PDF viewer. Securonix said from there, the attackers have access to the victim’s system. They observed the hackers using tools to capture clipboard data and track keystrokes.
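The attachment pattern described above (a password-protected .zip carrying nothing but an image and a .lnk shortcut) can be flagged at a mail gateway without knowing the password, because a zip's central directory, with entry names and flag bits, is stored in the clear even when every entry is encrypted. The following triage check is an added example written for this page, not Securonix's or any vendor's code; the inner file names and the helper that builds sample archives are constructed for the demonstration, and the article does not give them.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension groups used by the heuristic. The article describes a single image
# (typically .png) packaged next to a Windows shortcut (.lnk) and no real document.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
SHORTCUT_EXTS = {".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def triage_zip_attachment(archive_bytes: bytes) -> dict:
    """Inspect a .zip attachment's central directory and return a verdict.

    Only metadata is read: entry names and the general-purpose flag bits.
    Encrypted entries still expose both, so no password is required.
    """
    names = []
    encrypted = False
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            names.append(info.filename)
            # Bit 0 of the general-purpose flag marks a password-protected entry.
            if info.flag_bits & 0x1:
                encrypted = True

    exts = [PurePosixPath(n).suffix.lower() for n in names]
    shortcuts = [n for n, e in zip(names, exts) if e in SHORTCUT_EXTS]
    images = [n for n, e in zip(names, exts) if e in IMAGE_EXTS]
    documents = [n for n, e in zip(names, exts) if e in DOCUMENT_EXTS]

    reasons = []
    if shortcuts:
        reasons.append("archive contains a Windows shortcut (.lnk)")
    if shortcuts and images and not documents:
        reasons.append("only an image and a shortcut, no actual document")
    if encrypted and shortcuts:
        reasons.append("password-protected archive shields the shortcut from content scanning")

    # A shortcut inside an emailed archive is blocked outright; an encrypted
    # archive with no shortcut is queued for human review; anything else passes.
    verdict = "block" if shortcuts else ("review" if encrypted else "allow")
    return {"verdict": verdict, "entries": names, "encrypted": encrypted, "reasons": reasons}


def build_sample(entries: dict) -> bytes:
    """Build an in-memory, unencrypted zip from {name: bytes}; test helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. The outer name "TitleContractDocs.zip" comes from the
# article; the inner names and placeholder contents are assumptions for the demo.
LURE_ARCHIVE = build_sample({
    "TitleContractDocs.png": b"\x89PNG placeholder",
    "TitleContractDocs.lnk": b"L\x00\x00\x00 placeholder shortcut header",
})
BENIGN_ARCHIVE = build_sample({"W2_2022.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, data in (("TitleContractDocs.zip", LURE_ARCHIVE), ("W2.zip", BENIGN_ARCHIVE)):
        print(label, triage_zip_attachment(data))
```

In production the same check would sit in the attachment-scanning stage of a mail gateway, and the "review" branch is what catches password-protected archives whose contents the scanner cannot open; pairing it with a block on .lnk entries covers the specific chain the researchers describe without needing the password the lure email provides.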

The researchers noted that two of the IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in Russia, while a third address was linked to U.S.-based company Des Capital B.V.

While this may indicate the attackers are in Russia, there is the possibility that it is a false flag operation attempting to obfuscate the attack’s true origins.

“Since all the samples that Securonix Threat Research identified are fairly recent, it’s clear that this campaign is still ongoing,” they said. “Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches.”

The campaign is part of a trend of annual tax-related scams that ramp up at the beginning of each year. The Internal Revenue Service (IRS) identified $5.7 billion in tax fraud schemes last year, more than twice the amount reported in 2021.

Last week, the IRS released a warning urging everyone to “remain vigilant against email and text scams aimed at tricking taxpayers about refunds or tax issues.”

"Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people," said IRS Commissioner Danny Werfel. "With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts. People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season."

In an effort to protect taxpayers, the IRS started a “Dirty Dozen” list of common scams that people may encounter.

Many of these schemes – which range from promotions of a false fuel tax credit to fake charities set up to exploit taxpayers – peak during filing season as people prepare their returns or hire someone to help with their taxes.

Researchers at cybersecurity startup ArmorBlox exposed a campaign two weeks ago that used fictitious email accounts, like “Social Security Administration-2521,” to impersonate the Social Security Administration.

The emails, which went to more than 160,000 mailboxes, included attachments that claimed a person’s Social Security number had been terminated.

“The main action the bad actor aimed to facilitate through this email attack was for recipients to call the [included] customer service number … taking this attack away from email to phone, a true vishing attack,” ArmorBlox’s Lauryn Cash wrote, referring to scams conducted over the phone impersonating companies.

BlueVoyant’s Austin Berglas, a former FBI Cyber Division special agent, told Recorded Future News that it is very common for tax preparation software users to download their documents and email to their accountant or another authorized party.

“It is important that the documents are password protected prior to sending and that the user's email account is secured with the same guidelines used for protecting third party accounts,” he said.

“Email is a top target of cyber criminals and can be a great source of interesting and valuable information if not secured by strong passwords and MFA [multi-factor authentication].”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.