- Hackers take advantage of US Tax Day rush with phishing and malware
- Fake tax form sites promoted via Google Ads drop ScreenConnect and disable defenses
- Campaign sets the stage for ransomware, also seen in fake Chrome updates
Experts have warned that cybercriminals are once again taking advantage of the looming tax filing deadline to deploy malware and ransomware on people’s computers.
The April 15 tax deadline, also called simply Tax Day, is the last day most Americans have to file their federal income tax return and pay the taxes they owe.
Since many wait until the last minute to file, they rush to do so and, as Huntress security researchers put it, “trust the first Google result they see.”
No bragging rights
Huntress says it is seeing an increase in the number of people searching for specific U.S. tax forms, such as the W-2 or W-9. Hackers are taking advantage of this, creating fake landing pages and promoting them through Google Ads.
When people search for these terms, they can land on malicious pages that offer them ScreenConnect (now commonly called ConnectWise Control), a legitimate remote access tool that is frequently abused by attackers.
Researchers say the attack targets all types of people, from employees, freelancers and contractors to small businesses. Before running the remote access tool, attackers first drop a kernel driver that disables security tools like Windows Defender.
“Across our customer base, we reported more than 60 cases of malicious ScreenConnect sessions linked to this campaign that were used as an initial access vector,” Huntress emphasized.
While the tax-themed lure is the current favorite, it is not the only method being used. Huntress says it also saw a fake Chrome update page with JavaScript comments in Russian, “suggesting a broader social engineering toolset and a Russian-speaking developer.”
The campaign appears to be just the first step in a multi-stage attack. At this stage, criminals are establishing a foothold and collecting credentials, likely in preparation for ransomware deployment.
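As an added detection example (not from the article or from Huntress), the following Python correlates the staging order described above: an unsigned kernel driver load followed shortly by a ScreenConnect client start. The Sysmon-style log lines, field names and file paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Sysmon-style lines (not from the article): a browser-spawned
# "W-9 form" executable, an unsigned driver load, then a ScreenConnect client start.
# The last line is a legitimate service-started client hours later, for contrast.
SAMPLE_LOG = """\
2025-04-14T09:01:12Z EventID=1 Image=C:\\Users\\amy\\Downloads\\W-9_form.exe ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2025-04-14T09:01:15Z EventID=6 ImageLoaded=C:\\Windows\\Temp\\dsk.sys Signed=false
2025-04-14T09:01:20Z EventID=1 Image=C:\\Users\\amy\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe ParentImage=C:\\Users\\amy\\Downloads\\W-9_form.exe
2025-04-14T14:00:00Z EventID=1 Image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe ParentImage=C:\\Windows\\System32\\services.exe
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window between driver load and client start
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs; values may contain spaces


def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return one alert per ScreenConnect process start (EventID 1) that occurs
    within WINDOW after an unsigned driver load (EventID 6, Signed=false)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for drv in events:
        if drv.get("EventID") != "6" or drv.get("Signed", "true").lower() != "false":
            continue
        for proc in events:
            if proc.get("EventID") != "1" or "screenconnect" not in proc.get("Image", "").lower():
                continue
            if drv["ts"] <= proc["ts"] <= drv["ts"] + WINDOW:
                alerts.append({
                    "driver": drv["ImageLoaded"],
                    "client": proc["Image"],
                    "parent": proc["ParentImage"],
                    "seconds_after": int((proc["ts"] - drv["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 14:00 client start is not flagged because it falls outside the window and has a service parent; tune WINDOW and the parent check to your environment.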