This tax-themed malvertising attack can blind security software before it arrives — and then unleashes ransomware
- Hackers exploit US Tax Day rush with phishing and malware
- Fake tax form sites via Google Ads drop ScreenConnect and disable defenses
- Campaign sets stage for ransomware, also seen with fake Chrome updates
Cybercriminals are once again taking advantage of the short deadline for the upcoming tax filing window to deploy malware and ransomware to people’s computers, experts have warned.
The April 15 tax deadline, also simply called Tax Day, is the last day most Americans have to file their federal income tax return and pay any taxes they owe.
Since many wait until the very last moment to file, they rush to get it done and, as security researchers at Huntress say, “trust the first Google result they see.”
No bragging rights
Huntress says it is seeing an increase in people searching for specific US tax forms, such as W-2 or W-9. Hackers are leveraging this fact, creating fake landing pages and promoting them through Google Ads.
As a result, when people search for these terms, they often land on malicious pages that serve them ScreenConnect (now commonly branded as ConnectWise Control), a legitimate remote access tool often used for malicious purposes.
The researchers say the attack targets all sorts of people, from employees, freelancers, and contractors to small businesses. Before running the remote access tool, the attackers first drop a kernel driver that disables security tools such as Windows Defender.
“Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector,” Huntress stressed.
While the tax-themed lure is currently trendy, it’s not the only method being used. Huntress says it also saw a fake Chrome update page with JavaScript comments in Russian, “suggesting a broader social engineering toolkit and a Russian-speaking developer.”
The campaign seems to be just the first step in a multi-stage attack. At this stage, the crooks are establishing a foothold and harvesting credentials, likely in preparation for ransomware deployment.
