- Hackers are taking advantage of the US Tax Day rush with phishing and malware
- Fake tax form sites via Google Ads drop ScreenConnect and disable defenses
- The campaign sets the stage for ransomware; a fake Chrome update lure from the same toolkit was also seen
Cybercriminals are once again exploiting the rush ahead of the tax filing deadline to deploy malware onto people's computers and extort ransom payments from them, experts have warned.
The April 15 tax deadline, also known simply as Tax Day, is the last day most Americans have to file their federal tax returns and pay the taxes they owe.
Because many people wait until the last minute, they rush to get it done and, as security researcher Huntress puts it, “trust the first Google result they see.”
No bragging rights
Huntress says it is seeing a surge in searches for specific U.S. tax forms, such as the W-2 or W-9. Attackers take advantage of this by building fake landing pages for those forms and promoting them through Google Ads, so that a search for the form ranks the malicious page at or near the top.
Victims who click through are served ScreenConnect (also marketed as ConnectWise Control), a legitimate remote access tool that attackers frequently abuse because it is signed, widely deployed and rarely blocked outright.
The researchers say the attack targets all kinds of people, from employees, freelancers and contractors to small businesses. Before running the remote access tool, the attackers first drop a kernel driver that disables security tools such as Windows Defender, so the rogue session is less likely to be flagged.
“Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions linked to this campaign being used as the initial access vector,” Huntress emphasized.
While tax-themed lures are the current favorite, they are not the only method in use. Huntress says it also saw a fake Chrome update page whose JavaScript contained comments in Russian, “suggesting a broader social engineering toolkit and a Russian-speaking developer.”
The campaign appears to be only the first stage of a multi-stage attack. At this point the attackers are establishing a foothold and harvesting credentials, most likely in preparation for deploying ransomware.