UK taxpayers have been warned to be on high alert after a wave of booby-trapped emails was recently caught posing as tax return messages from Her Majesty’s Revenue & Customs (HMRC). When opened, they would infect unwitting users with a notorious Trojan virus.
According to cybersecurity firm Trustwave, the HMRC scam was found to be in circulation on 6 September this year, with the fraudsters deploying spoofed email messages containing links to the “JRat” Trojan, which can give hackers full control over targeted computers.
The spam email campaign was sent from domains that closely resembled those used by the legitimate HMRC – in this case it was using “hmirc-gov.co.uk.”
The phishing messages contained the subject line “VAT Return Query” and went on to inform recipients that a recent tax filing had a series of vital errors.
“Motivated by lucrative returns and equipped with modern malware, these cybercriminals capitalise on events to launch phishing attacks targeting global victims,” said Fahim Abbasi, a researcher at Trustwave, in a blog post dated 13 October.
The body of the email contained an image of a PDF document, but no actual attachments.
Instead, clicking on the link would bring the victim to the Microsoft OneDrive cloud-based file sharing service that downloaded the infectious payload.
The team said the popularity of the JRat Trojan was spiking because it has become “very affordable” on the criminal underground – now priced at £22 ($29).
Abbasi noted: “Scammers exploit the simplicity provided by email to further their cause.
“These cybercriminals are well aware of online processes and dependence of online mechanisms used by both public and private sector organisations.
“They are also aware of various deadlines such as those used by governments for tax returns and use this information to instil a sense of urgency.”
In the UK, there were up to 250,000 companies that had to file tax returns before the end of September, according to the Companies House section of the HMRC website.
The spoofed HMRC phishing messageTrustwave
“These phishing attacks lure their victims into downloading malware disguised as fake VAT return documents using spoofed messages appearing to have been sent from the government tax department,” Abbasi continued.
“We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defences. Users need to be particularly careful since such scams are quite active during tax return season.”
It remains unclear if any of the phishing emails were successful at infecting victims.