Tax-Related Phishing Scams Now Deliver Malware

Last week, the NJCCIC reported increased phishing attempts targeting NJ state employees by impersonating the IRS. Proofpoint analysts have likewise noted a rise in tax-themed phishing campaigns, particularly as tax deadlines approach in the US and the UK, and these campaigns have also been observed targeting NJ state employees. The lures typically impersonate government or financial organizations connected to tax filing. In early January, Proofpoint identified hundreds of malicious domains linked to tax-related campaigns, many of which impersonated legitimate companies.
Email impersonating Intuit (left); credential phishing landing page (right). Image Source: Proofpoint
One campaign observed on January 16 impersonated Intuit but was sent from a generic, non-Intuit sender address and contained a URL leading to a fake authentication page that harvested credentials. The campaign delivered roughly 40,000 emails and reached over 2,000 organizations.
Malicious email impersonating tax software. Image Source: Proofpoint
While most tax-themed campaigns focus on credential phishing, some were also observed delivering malware. A separate campaign impersonating a tax software company distributed a JavaScript file hosted on Microsoft Azure that dropped two payloads, leading to the deployment of Rhadamanthys malware and zgRAT. Additionally, various unrelated campaigns impersonating tax agencies and tax software have been observed attempting to deliver other malware payloads, including MetaStealer, XWorm, AsyncRAT, and VenomRAT.
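The two traits that the Intuit-themed and tax-software campaigns above share, a brand invoked in the message while the sender address and link hosts belong to someone else, and a script file attached as the "document", can be checked mechanically at the mail gateway or in an IR triage script. The following is an added example written for this page, not Proofpoint's or NJCCIC's tooling; the brand-to-domain mapping, the sample messages, and the verdict thresholds are assumptions constructed for illustration, and the domain list is deliberately short rather than an authoritative allowlist.

```python
"""Heuristic triage for tax-themed brand-impersonation email.

Added example (not Proofpoint's or NJCCIC's code). It flags a message that
invokes a tax brand (IRS, Intuit/TurboTax) while its sender domain or link
hosts do not belong to that brand, and any script attachment such as the
JavaScript downloader described above. BRAND_DOMAINS is an illustrative
assumption, not an authoritative allowlist.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed legitimate domains per brand keyword (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "intuit": {"intuit.com", "turbotax.com"},
    "turbotax": {"intuit.com", "turbotax.com"},
}
BRAND_RE = re.compile(r"\b(irs|intuit|turbotax)\b", re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def host_belongs_to(host, domains):
    """True if host equals an allowed domain or is a subdomain of it.
    Suffix matching keeps look-alikes such as accounts-intuit.evil.example out."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw):
    """Parse a raw RFC 5322 message and return brand/sender/link/attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""

    texts = [str(msg.get("Subject", ""))]
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            links += HREF_RE.findall(html)
            texts.append(re.sub(r"<[^>]+>", " ", html))  # strip tags for keyword search
        elif ctype == "text/plain":
            text = part.get_content()
            links += BARE_URL_RE.findall(text)
            texts.append(text)

    brands = {m.lower() for m in BRAND_RE.findall(" ".join(texts))}
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()

    findings = []
    if brands and sender_domain and not host_belongs_to(sender_domain, allowed):
        findings.append("sender domain %s does not belong to %s" % (sender_domain, ", ".join(sorted(brands))))

    suspicious_links = [u for u in links
                        if brands and not host_belongs_to(urlparse(u).hostname or "", allowed)]
    if suspicious_links:
        findings.append("%d link(s) point off-brand: %s" % (len(suspicious_links), ", ".join(suspicious_links)))

    script_attachments = [p.get_filename() for p in msg.iter_attachments()
                          if (p.get_filename() or "").lower().endswith(SCRIPT_EXTENSIONS)]
    if script_attachments:
        findings.append("script attachment(s): %s" % ", ".join(script_attachments))

    return {
        "brands": brands,
        "sender_domain": sender_domain,
        "suspicious_links": suspicious_links,
        "script_attachments": script_attachments,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


# Constructed sample resembling the Intuit-themed campaign: generic sender,
# brand name in the body, look-alike login host, JavaScript attachment.
PHISH_EML = b"""From: Intuit Support <noreply@mail-notify-center.example>
To: employee@example.org
Subject: Action required: verify your Intuit account before filing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your Intuit TurboTax account needs verification.</p>
<a href="https://accounts-intuit.secure-login.example/auth">Sign in</a>
--b1
Content-Type: application/javascript; name="TaxForm.js"
Content-Disposition: attachment; filename="TaxForm.js"

alert(1);
--b1--
"""

# Constructed benign sample: same brand wording, but sender and link are on intuit.com.
BENIGN_EML = b"""From: Intuit <noreply@notifications.intuit.com>
To: employee@example.org
Subject: Your TurboTax return was filed
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://accounts.intuit.com/">accounts.intuit.com</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        result = triage(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

The check is intentionally conservative: a message that names no brand produces no findings, and a brand domain's own subdomains (notifications.intuit.com) pass, while hosts that merely contain the brand string (accounts-intuit.secure-login.example) do not. In production the brand list would come from the organization's own vendor inventory and the result would feed a quarantine or analyst queue rather than a print statement.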
Recommendations
Beware of communications claiming to be from the IRS.

The IRS does not initiate contact by phone, email, or text message to solicit personal information or payment.

Instead, the IRS first sends notices and bills through postal mail.

Facilitate user awareness training to include these types of phishing-based techniques.

Avoid clicking links, opening attachments, responding to, or acting on unsolicited text messages or emails.

Navigate to official websites by typing the URL into the browser manually rather than following links in messages.

Ensure multi-factor authentication (MFA) is enabled for all online accounts.

Consider leveraging behavior-based detection tools in addition to signature-based tools, since newly registered lookalike domains and freshly repackaged payloads like those in these campaigns often have no signatures yet.

Technical details, TTPs, and indicators of compromise (IOCs) can be found in the Proofpoint blog post.

Report phishing emails and other malicious cyber activity to the FTC, FBI's IC3, and the NJCCIC.