As tax season comes to a close, researchers at a cybersecurity company are seeing a new type of phishing attack embedded within documents sent via email to tax professionals.
Consumers aren’t the only category of people being hacked. Professionals of all kinds, and in this case, tax professionals, are being targeted for theft of valuable digital information they may have stored on their computers. And in recent weeks, it’s been observed that international hacking efforts have been heavily ramped up at all levels!
Because this involves any tax professionals that you may work with, you should consider having a conversation with them to find out what kind of security measures they have in place to keep your private and personal information safe.
Researchers at Abnormal Security reported Wednesday they have detected cybercriminals posing as potential tax clients and targeting tax professionals ahead of April’s deadline. Once they make contact, the hackers deliver a version of the remote-access tool Sorillus disguised as tax documents via email.
Sorillus is a commercial remote access tool, or RAT, that offers obfuscation and encryption features. The tool is able to collect confidential information including a hardware ID, username, country, language, webcam, headless, operating system, and client version from targets.
“Between Feb. 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients,” wrote Abnormal Security threat researcher Belem Regalado and threat intelligence analyst Rachelle Chouinard in a recent blog post. “The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.”
The emails came from 10 different addresses but had similar subject lines such as “dawn.simpson Return Service 2021.”
After the initial contact, the hackers sent follow-up messages containing a file share link to the Sorillus remote access tool hidden beneath the text, pretending to be a simple PDF file attachment. In reality, the file was a ZIP-compressed archive containing a JAR (Java archive) executable file.
The company is urging tax professionals to avoid opening any attachments or links in emails sent from new or prospective clients until they, or a member of their staff, has spoken with the client directly, or to upgrade their email security.
The Internal Revenue Service has also been urging tax professionals to beware of tax season phishing and related spearphishing scams. In February, the IRS warned about a phishing scheme that aimed to steal their tax prep software credentials.
As mentioned, clients and tax professionals should have a conversation about the security of all the private data and information being stored, in light of the extraordinary amount of hacking and cybercriminality going on right now. It’s likely only going to be amped up further.
And remember, if you need tax resolution assistance, don’t hesitate to reach out to me or any of my Tax Problem Solver Team, and we can help you with whatever’s going on. Contact me by one of the methods below in the blue box, or email me at Larry@TaxProblemSolver.com and we can review your specific issues and solve them. You can also click here to book a free consultation.
Would You Like to Find Out What Your
Next Best Steps Should Be?
Choose one of the 3 FREE contact methods that is easiest for you.
Schedule a Call with Us
Click the calendar button below to view our appointment calendar, and choose a day & time, and we’ll call you then.
We look forward to your free consult!
Call Us Now
Click the phone button below to either "click to call" or direct dial a number to speak with us right now.
We look forward to speaking with you!
9-Secrets You Need to Know
When the IRS is after you, you need to be informed. What you say to the IRS can be used against you.
Get My 9 Secrets email series now. I'll also add you to my newsletter.