Tax season means different things to different groups of people. For employers, it is the time of year to make sure that tax information for their staff is in order and that the correct paperwork is distributed. For general citizens, it is a hopeful time that could be capped off with a tax refund. Hackers, however, also look to take advantage of the season for their own malicious gains.
In recent years, cybercriminals have used tax season to their benefit, tricking unsuspecting users into giving up a wealth of personal information that can be easily used for fraudulent purposes. Between the months of January and April, black hats deploy new threats to capture data, and unfortunately, this year is no different.
This year's main threat: TorrentLocker
According to research from Trend Micro, two spam campaigns have targeted users this year. One is the more typical kind: a socially engineered spam email carrying a malicious link that leads to a phishing page. This type of threat is seen quite often, particularly around tax time.
The other, however, is not so commonplace. Although it initially appears as a regular phishing scam, it hides another even more malicious threat under the surface.
"The second spam campaign sample … purports itself to be from the Office of State Revenue," Trend Micro noted in a blog post. "It directs users to click on a button that leads them to a phishing page. This page also downloads a strain of TorrentLocker onto their systems, namely TROJ_CRILOCK.XWE."
As Trend Micro pointed out, TorrentLocker is a type of malware known as ransomware. This strain, along with others such as CryptoLocker, typically presents a warning to users alerting them that their important files and information have been encrypted. The threat notifies victims that the content can be unlocked only if they pay a fee, or ransom, to the cybercriminals.
These types of malware samples have been around for quite some time, but they became rampant in recent years. As the number of ransomware victims rose, researchers realized that nearly everyone was a target: everything from individual users to city police departments was being infected.
Despite the warning stating that files would be decrypted once a fee was paid, this was not always the case. Some victims did send along the ransom – usually demanded in Bitcoin or other untraceable cryptocurrency – and were horrified when their files were not unlocked.
Not unique to tax season
Tax season seems like a prime time of year to carry out a ransomware attack. Imagine being a victim, having your files locked, and being unable to retrieve the information you need to complete your taxes and receive your refund. In the minds of many hackers, this gives victims the motivation they need to pay the ransom.
However, as Trend Micro noted, tax season is only one of many events that cybercriminals use as a hook for attacks like this.
Cybercriminals pride themselves on disguising their malware with realistic, legitimate-looking messages that lure users into willingly clicking malicious links and infecting their own systems. Trend Micro obtained an example of the message hackers are using with the TorrentLocker threat, which reads, in part:
"The reason you may have received the reassessment = notice is that We impose interest for your tax assessment. Our records show that the mistake has been made while p=ying an amount of tax or levy specified in a Notice of assessment, by the d=e date specified in the notice."
Despite the spelling issues, this could still be a convincing statement to users who are unaware that these types of threats exist.
A new ransomware threat
Although other samples have claimed victims in a similar way in the past, iSightPartners noted that the code for TorrentLocker is considerably different from that of CryptoLocker and CryptoWall. As a result, it is believed to be a brand-new ransomware sample, first discovered in the fall of 2014 and increasingly leveraged during the 2015 tax season.
TorrentLocker uses the Rijndael algorithm (the cipher standardized as AES) to encrypt files. It first connects to a command and control server to exchange a certificate, and only then is it able to lock users out of their files.
Trend Micro noted that one of the main ways to prevent infection is simply to be aware of the threat. With this knowledge, users are better able to spot the messages and links that may lead to ransomware infections like this one.
"To avoid becoming victims to these threats, users need to recognize that seasonal events (such as tax season) always has socially-engineered threats like these," Trend Micro stated. "The same goes for any big worldwide events or controversial news (World Cup, Olympics, celebrity deaths). From there, it's a matter of not opening suspicious emails that ask you to click on links or opening archives."