Source |
ProofPoint |
Identifier |
8643735 |
Publication date |
2025-01-28 14:12:52 (viewed: 2025-01-28 10:10:48) |
Titre |
Security Brief: Threat Actors Take Taxes Into Account |
Text |
What happened
Proofpoint researchers have identified an uptick in campaigns and malicious domains impersonating tax agencies and related financial organizations. This activity aligns with the general increase in tax-related content our researchers typically observe every year from December through April, especially as tax deadlines in the United Kingdom and United States are top of mind for businesses.
Generally, phishing lures leveraging tax themes impersonate government agencies or financial services organizations that users would engage with to file taxes or submit business-relevant documentation.
UK targeted phishing
Proofpoint has observed multiple campaigns impersonating HM Revenue & Customs (HMRC). Attackers will use branding and language related to HMRC in phishing lures in an attempt to convince users the email is legitimate.
In one campaign that began on 12 January 2025, the threat actor used “account update” lures impersonating HMRC.
HMRC lure impersonating the agency and distributing credential phishing.
These messages contained URLs leading to actor-controlled credential harvesting websites designed to capture usernames and passwords.
HMRC impersonated website.
The websites impersonated HMRC in an attempt to steal personal information that could be used for fraudulent activity. This campaign included a small number of messages impacting multiple organizations in the UK.
HMRC maintains a list of common phishing and scam lures to educate users on the ways attackers abuse the brand for social engineering purposes.
U.S. targeted phishing
Proofpoint's Takedown team has observed hundreds of malicious tax-themed domains used in email campaigns in the first few weeks of January 2025. These domains impersonate legitimate companies, applications, and services that are related to accounting, tax filing, and payments. This infrastructure can be used in phishing and malware campaigns targeting organizations with lure content also impersonating these tax-related companies.
But not all campaigns leverage lookalike or impersonated domains. On 16 January 2025, Proofpoint identified a campaign impersonating Intuit, but the email sender and phishing infrastructure were generic, with only the path portion of the URL indicating it was a tax-themed campaign.
For example, emails purported to be from Intuit:
From: Intuit QuickBooks
Subject: Your Tax file Form was rejected
Email impersonating Intuit (left); credential phishing landing page (right).
Emails contained URLs to a fake Intuit authentication page designed to harvest user credentials. In this case, the path portion of the phishing URL indicated brand abuse, in addition to the website impersonating the company (for example: hxxps://fotolap[.]com/.wp-admin/cgi-/intuit/inuit4//). This campaign included over 40,000 messages impacting over 2,000 organizations.
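A small triage check for the path-based indicator described above, added here as an example (not Proofpoint's code): it separates URLs that carry a brand token in a lookalike hostname from URLs on generic infrastructure where the brand appears only in the path, as in the Intuit campaign. The brand token list and the allowlisted legitimate host suffixes are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Brand tokens drawn from the campaigns in the brief (constructed list for this example).
BRAND_TOKENS = ("intuit", "quickbooks", "hmrc")

# Hosts the brands legitimately use (assumption for this example; maintain your own allowlist).
LEGIT_HOST_SUFFIXES = ("intuit.com", "gov.uk")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def classify_brand_abuse(url: str) -> dict:
    """Report where brand tokens appear: in the host (lookalike domain) or only in the path."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""          # hostname is already lowercased by urlsplit
    path = parts.path.lower()
    # Split the path on anything that is not a letter or digit, so that
    # "/.wp-admin/cgi-/intuit/inuit4//" yields tokens like "wp", "admin", "cgi", "intuit", "inuit4".
    path_tokens = {t for t in re.split(r"[^a-z0-9]+", path) if t}
    host_brands = sorted(b for b in BRAND_TOKENS if b in host)
    path_brands = sorted(b for b in BRAND_TOKENS if any(b in t for t in path_tokens))
    legit = any(host == s or host.endswith("." + s) for s in LEGIT_HOST_SUFFIXES)
    if legit:
        verdict = "legitimate-host"        # brand on its own infrastructure
    elif host_brands:
        verdict = "lookalike-domain"       # brand token inside an unrelated hostname
    elif path_brands:
        verdict = "brand-in-path-only"     # generic host, brand abuse visible only in the path
    else:
        verdict = "no-brand-signal"
    return {"host": host, "host_brands": host_brands, "path_brands": path_brands, "verdict": verdict}


if __name__ == "__main__":
    # The defanged URL quoted in the brief, plus constructed samples for the other verdicts.
    for sample in (
        "hxxps://fotolap[.]com/.wp-admin/cgi-/intuit/inuit4//",
        "hxxps://intuit-tax-refund[.]example/verify",
        "https://quickbooks.intuit.com/login",
        "https://example.org/news",
    ):
        print(sample, "->", classify_brand_abuse(sample)["verdict"])
```

The path-only verdict is the one a domain-reputation feed alone would miss, which is why a path token check belongs alongside lookalike-domain detection in URL triage.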
Proofpoint regularly identifies activity impersonating U.S. tax agencies and related organizations, and this activity typically increases in the first quarter of the year.
Swiss targeted fraud
While tax seasons around the world are prime timely themes for threat actors, tax-related lures are often used by threat actors even outside of filing seasons. For example, on 18 December 2024, Proofpoint identified a fraud campaign targeting Swiss organizations.
Messages purported to be federal tax payment reminders and impersonated the Federal Tax Administration. These messages contained URLs leading to a legitimate Revolut payment page, asking users to send a payment via credit card. Proofpoint researchers believe this was not an attack to harvest credit card details, but to get users to pay to an adversary-owned or controlled Revolut account.
Email lure prompting users to pay into a suspected fraudulent/ |
Tags |
Malware
Threat
|