Emotet Spoofs IRS in Tax Season-Themed Phishing Email Campaign

By Max Gannon

Emotet has consistently employed financial themes in its phishing emails, and attackers have previously exploited the arrival of the U.S. tax season to construct emails targeting users who need to file tax returns. The 2022 tax season is no different. As early as March 14, 2022, Emotet operators returned to their old tax-season hunting grounds with some new tricks, as Cofense Intelligence™ observed phishing emails using W-9 tax form lures to deliver Emotet payloads.

In past years, Cofense Intelligence has reported on Emotet taking advantage of tax season to deliver W-9 themed malicious documents but, this year, the tactic has been improved. Emotet operators have upped their game in this most recent campaign, now including the Internal Revenue Service (IRS) logo, a specific mention of the organization employing individual recipients, and a password with which to extract the attached password-protected archives. When the Office-macro-laden spreadsheets enclosed in the password-protected archives are opened, they request that macros be enabled. If macros are enabled, Emotet .dll files are delivered to the victim’s computer.

Figure 1: IRS-spoofing email delivering Emotet

Emotet operators have inserted some variety into the text of these campaigns, likely to impede recognition by spam filters and secure email gateways (SEGs). A second example, in Figure 2, demonstrates these minimal changes, including a different subject line and signature block, with part of the body removed.

Figure 2: IRS-spoofing phishing email with some textual variety

Phishing threat actors not known to be associated with Emotet have also attempted to take advantage of tax season, primarily in credential phishing campaigns. While some, such as the campaign depicted in Figure 3, actually apply the tax theme to the body of the phishing email, many simply use tax-themed subject lines, without tailoring the message body or lure documents. We expect phishing activity of this nature to continue throughout the U.S. tax season. Notably, the campaign shown below uses an HTML attachment. Many organizations have configured their SEG to block password-protected zip files as a mitigating control. However, blocking an HTML attachment can be far more difficult, based on the volume of legitimate emails containing this attachment type.

Figure 3: Credential phishing email employing tax-season theme
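The text above notes that many organizations block password-protected zip attachments at the SEG, since the archives in this campaign hide a macro-laden spreadsheet behind a password. The following is an added example (not Cofense code) of how a gateway can act on that policy without the password: zip entry names and the per-entry encryption flag are stored in the clear, so an encrypted archive carrying a macro-capable Office file can be flagged from the central directory alone. The sample archive is constructed inline; the `MACRO_CAPABLE` extension list is an assumption.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Office extensions that can carry VBA macros (assumed list for this example).
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm", ".pptm"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify a zip attachment from its central directory, without extracting.

    Bit 0 of each entry's general-purpose flag marks the entry as encrypted;
    the filename is readable regardless of the password.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    macro_docs = [i.filename for i in infos
                  if PurePosixPath(i.filename).suffix.lower() in MACRO_CAPABLE]
    return {
        "encrypted_entries": encrypted,
        "macro_capable_entries": macro_docs,
        # Policy from the text: password-protected archives are blocked outright.
        "block": bool(encrypted),
        # Encrypted archive + macro-capable Office file is the strongest match
        # for the W-9 lure described above.
        "high_confidence": bool(encrypted) and bool(macro_docs),
    }


def constructed_zip(name: str, payload: bytes, encrypted: bool = True) -> bytes:
    """Build a sample archive (constructed for testing, not a real Emotet file).

    zipfile cannot write encrypted entries, so a plain archive is written and the
    encryption flag bit is then set in both the local and central headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        local = raw.find(b"PK\x03\x04")    # local file header
        central = raw.find(b"PK\x01\x02")  # central directory header
        # general-purpose flag: offset 6 in the local header, 8 in the central one
        for off in (local + 6, central + 8):
            flags = struct.unpack_from("<H", raw, off)[0] | 0x1
            struct.pack_into("<H", raw, off, flags)
    return bytes(raw)


if __name__ == "__main__":
    sample = constructed_zip("W-9 Form.xlsm", b"constructed placeholder, not a document")
    print(inspect_zip_attachment(sample))
```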

Organizations can better track, and fend off, attacks such as these with Cofense Intelligence and its tools. Human-vetted phishing threat intelligence affords timely, accurate and actionable insights. Contact us to find out how we can help keep your systems more secure.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

Rewriting Romance Victim History: Common Truths and Falsehoods Told by Society

By Ronnie Tokazowski

Over the years I have worked with many people who track romance scams. I’ve spoken to analysts, psychologists, police officers, federal law enforcement, and most painfully: the victims.

Across the many such efforts I have observed, friends and family are normally the first to see changes in the victim. Moods change drastically, victims become distant, and an emotional wedge is driven between loved ones, which leads to the relationship being questioned. Because of the current stigma and misconceptions around just how deeply romance victims are abused, attempts to help often lead to more hurt, because outside observers do not account for the victim’s perspective. Before digging into the psychology and physiology of romance victims, let’s touch on one of the biggest misconceptions: the stigma.

False: Romance Scam Victims are Stupid

The biggest misconception is that all romance victims are stupid. This feeling and sentiment stems from an outside observer pointing out that the victim’s story doesn’t add up, with the ending of the conversation being “you need to get out of the relationship, you’re being stolen from.” Outside parties struggle to comprehend why someone would continue staying in a relationship after being presented with this information, which leads them to jump to the simplest conclusion: the victim must be uneducated, naive, and unable to listen to an outside party.

While it is true that the victim may not want to get out of the relationship, there is much more going on inside the victim than meets the eye. Victims are not stupid; sadly, human psychology and physiology play a large part in this.

True: Romance Victims are Love-Bombed by Their Handlers

In the hope of finding that special someone, people across the world rely on social media and dating applications to find someone to love. Romance victims start out lonely just like everyone else, and when they feel they have found that special someone looking for the same thing, they are delighted. Scammers will use any means necessary, including playing on religion or eternal love, to string potential victims along. Victims fall in love and become hooked, with their bodies releasing more dopamine and oxytocin the longer they’re in the relationship. Because scammers bombard them with love, attention, and affection, victims become blind to the unfolding situation. As a result, when an outside observer challenges something the victim knows (to them) to be true, the victim pushes that observer away.

Victims send money to their loved ones in need, because they love them. Who wouldn’t send money to a loved one in need, especially if they promised to pay you back?

True: Romance Victims are in Abusive Relationships

While it may seem counter-intuitive, victims of abuse stay in relationships longer than they should, a finding backed up by decades of psychological research. Romance victims are no different, with scammers using extensive psychological manipulation and grooming to force victims to send or receive money. Scammers lie about where the money will go and what it will be used for, leaving victims even more confused about what’s going on. Victims rationalize the behavior because “no one would ever be that heartless,” but many scammers really are that heartless. They don’t understand the full scope of the damage they’re causing, doing anything they can to make a dollar.

Romance victims are left psychologically and emotionally abused to the point where they become a shell of their former selves, with society turning a blind eye and labeling victims as stupid. They shut down, internalize everything, and lose all hope of getting out of the relationship.

How to Talk with Romance Victims

Be kind and gentle.

As you read this, you might have a family friend in mind who is a victim of a romance scam. You may have even talked with them and found yourself angry or frustrated because they couldn’t see through the crime. In your mind it’s fraud, but in their mind it’s love. Victims live in emotionally and psychologically abusive relationships, with decades of research explaining how difficult it is for victims to get out of the relationship. Victims rationalize the behavior of their abusers, making it even more difficult to get out of the relationship.

If a friend or family member is a victim, avoid being offensive or confrontational, or the victim will emotionally shut down. It takes immense strength and courage to come forward and talk about what’s going on, and if the victim senses any negativity they will quickly close up. Let the victim talk so they can explain things from their perspective because, to them, the person is real.

If You’re a Romance Victim…

It’s important to know that you are not alone and the emotions, feelings, and experiences you’re going through are completely valid. You have been lied to by someone who wanted to use you to make money, which can be extremely difficult to come to terms with. In addition, the body becomes physiologically dependent on the feel-good chemicals (dopamine and oxytocin), making it even harder to break the cycle.

It’s okay to ask for help. Talking with a therapist can give you the necessary tools to help guide yourself out of the situation. In addition, exercise and meditation can help victims regain control of the parasympathetic nervous system, or the part of the nervous system that’s responsible for calm and a sense of relaxation within our bodies. If you want to report any possible crimes to local law enforcement, be cautious, as many local police departments are still stuck in the ways of “victims are stupid.” It will take time for the stigma to lift, so the better place to report the crimes is IC3.gov.

And if you’re a victim and have made it this far, you’re a survivor. Don’t let the scammers keep taking advantage of you. You got this.

Unfortunately, there is no single technology solution to this type of crime. Instead, it’s best fought through user awareness. Cofense can help. Our BEC microsite offers scam resources, and guidance for contending with email and other types of compromise. You may also be interested in our blog post, Six-Year Reflection – What is Business Email Compromise Today.


Russia-Ukraine Conflict Leverages Phishing Themes

By Dylan Duncan

Phishing Attacks Exploit Russia’s Invasion of Ukraine, Multinational Organizations Targeted

As the conflict in Ukraine unfolds, Cofense Intelligence continues to monitor for phishing threats related to the conflict and has identified malicious campaigns that are using this current event as a lure to target end users. These campaigns are almost certainly opportunistic, as threat actors are weaponizing the conflict for financial gain by creating well-crafted credential phishing campaigns and donation scams. Threat actors using current events as themes within their email campaigns is quite common, and users should be universally vigilant against these threats. A variety of emails using this conflict as a lure have been reported to the Cofense Phishing Defense Center (PDC) directly from enterprise users’ inboxes. We have no evidence to suggest – based on IOCs, tactics, or campaign sophistication – that any of these campaigns were conducted by nation states directly involved in the war in Ukraine.

The overall volume of the phishing emails we have observed using the Russia/Ukraine conflict as a theme is low. However, some credential phishing and scam emails have made it into the inboxes of large multinational organizations in two separate industries. Each of the campaigns uncovered is focused on receiving cryptocurrency as a payout by directing the focus of the campaign toward cryptocurrency marketplace login credentials, or by requesting payment to a crypto wallet. In addition, some advance fee fraud emails have referenced the conflict as a social engineering effort. We know these have been sent by threat actors but have not seen them reported by enterprise end users.

Example 1: Sanctions-Themed Emails Targeting Cryptocurrency Marketplace Credentials

This phishing email used the subject of sanctions against Russia in targeting employees at a European financial service provider, as seen in Figures 1 and 2. The campaign spoofs the login page of popular German Bitcoin marketplace bitcoin.de, targeting login credentials with the likely intention of stealing cryptocurrency. Multiple variants of the email were discovered, but all used the sanctions against Russia to add social engineering pressure within the phishing campaign. The email was originally in German but has been translated to English for this report.

Figure 1: English translation of a bitcoin.de-spoofing email with Russian Sanction lure.


Figure 2: Original bitcoin.de-spoofing email with Russian Sanction lure.

Example 2: Humanitarian-Aid-Themed Scam Seeks Cryptocurrency

The image in Figure 3 shows an example of an email scam spoofing the Ukraine Red Cross Society, aiming to scam donors into cryptocurrency donations to a private wallet. The scam claims that funds will be used for logistical and medical support of Ukraine armed forces and civilians. This scam is not particularly sophisticated in its construction and is more likely to impact individuals than organizations. However, as noted above, it has reached inboxes at a multinational company.

Figure 3: Ukraine Red Cross Society-spoofing emails requesting donations.

Example 3: Advance Fee Fraud

Threat actors often use world events as themes within advance-fee fraud operations, as part of unsophisticated social engineering efforts intended to convince victims of their sincerity. A number of recent emails using the Russia/Ukraine conflict as a theme have this objective. The image in Figure 4 shows the text of one such social engineering effort. We have not observed any of these emails actually reaching corporate inboxes, but they demonstrate how this conflict may be used by threat actors at any sophistication level.

Figure 4: Russia/Ukraine conflict advance fee fraud email.

Indicators of Compromise

Table 1: Related phishing URLs for the Russia and Ukraine-Conflict-Themed Crypto credential phishing campaign.


Table 2: Crypto Wallet from the Ukraine Red Cross Society-spoofing scam email.

Crypto Wallet
bc1qa8gafgj8807pergjctdlsxa2rd0hxpk0qupqge
