IRS Tax Forms Pose Malware Threat, Experts Warn
According to cybersecurity experts at Palo Alto Networks and Malwarebytes, hackers often impersonate the IRS in their efforts, and the researchers have recently uncovered two distinct phishing campaigns using varied methods.
A phishing campaign discovered by cybersecurity researchers reveals that hackers are sending fake W-9 tax forms through email, impersonating the IRS. However, the form is actually the Emotet malware in disguise, which is capable of stealing sensitive information from infected endpoints and propagating itself. Emotet can also serve as a dropper, enabling attackers to distribute various other types of malware, such as ransomware.
Following Microsoft’s decision to block macros in downloaded Office documents by default, Emotet adopted a new strategy, utilizing Microsoft OneNote files containing embedded scripts to install the malware.
When the user launches the embedded VBScript file, Microsoft OneNote warns that the file may be malicious. However, past experience shows that many users disregard these warnings and run the files anyway. Upon execution, the VBScript downloads the Emotet DLL and runs it via regsvr32.exe.
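For defenders, the chain described above (OneNote starting a script that ends in regsvr32.exe) can be looked for in process-creation telemetry. The following is an added example, not code from the researchers cited: the event field names and every sample record are constructed, and it assumes the VBScript runs under the Windows script hosts wscript.exe or cscript.exe.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for the embedded VBScript

# Constructed process-creation records; field names and values are illustrative only.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\ONENOTE.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe"},
    # Benign contrast: an installer registering a DLL, no OneNote or script host involved.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\regsvr32.exe"},
]

def name(event):
    """Lower-cased executable name, parsed as a Windows path on any OS."""
    return PureWindowsPath(event["image"]).name.lower()

def ancestry(event, by_pid):
    """Return process names from the event up through its known ancestors."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:  # guard against pid loops
        seen.add(event["pid"])
        chain.append(name(event))
        event = by_pid.get(event["ppid"])
    return chain

def find_onenote_regsvr32(events):
    """Return pids of regsvr32.exe runs that descend from OneNote via a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if chain[0] != "regsvr32.exe" or "onenote.exe" not in chain:
            continue
        # Processes between regsvr32 and its nearest OneNote ancestor; walking the
        # whole chain also catches an intermediate shell such as cmd.exe.
        between = chain[1:chain.index("onenote.exe")]
        if SCRIPT_HOSTS & set(between):
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print(find_onenote_regsvr32(EVENTS))
```

Real telemetry reuses pids over time, so production logic should key on a unique process identifier plus timestamps rather than the bare pid.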
If you receive an email requesting W-9 or other tax forms, it is recommended that you scan the documents first with your local antivirus software. However, as these forms contain sensitive information, it is not advisable to upload them to cloud-based scanning services like VirusTotal.
Typically, tax forms are disseminated in the form of PDF documents rather than Word attachments. Therefore, if you receive a tax form as a Word attachment, it is advisable to refrain from opening it and enabling macros.
It is highly unlikely for tax forms to be distributed as OneNote documents, so it is recommended that you delete the email immediately and avoid opening it if you receive one.