BILLIONS of email users across Gmail, Outlook, iPhones and Androids are being warned of an email scam that impersonates the IRS in order to plant malware on your personal device.
Last month, the security blog Malwarebytes Labs came across the fake email scheme and found that it was attempting to install malware called Emotet onto victims’ devices to harvest personal data.
The blog revealed that the email was spotted by its own senior director of threat intelligence.
The dangerous message is simple in appearance and claims to be sent from the “IRS Online Center.”
With the subject line “IRS Tax Forms W-9,” the email contains very little text.
It reads: “Let me know if you would like a hard copy mailed as well. Respectifully [sic] Barbara LaCosta, Inspector, Department of Treasure.”
Attached to the email is a document titled “W-9 form.zip.”
According to a screenshot from Malwarebytes Labs, the ZIP file is 709KB, already large for an email whose only content is supposed to be a tax form, but the real tell is the document inside it.
The blog revealed that a file size of more than 500MB is a “potential indicator” that the Emotet malware is attached, and because padding of that kind compresses to almost nothing, a modest-looking ZIP can hide a document hundreds of megabytes in size.
“Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools,” the security blog detailed.
“This is because the large file size may prove too difficult for the tools to get a handle on and properly analyse.”
Extracting the attached ZIP file reveals a Word document.
With this particular scam, there is also a macro malware risk.
Malwarebytes Labs found that when opening the document, a security notification popped up that read: “Macros have been disabled.”
Macro malware travels in email attachments, often inside ZIP files like the one described above.
Macros were once allowed to run as soon as a document opened, so that they could automate tasks for users.
However, because the feature was so frequently abused by hackers to install malware, Microsoft Office now blocks macros by default in documents that arrive from the internet, including email attachments.
In order to get their malicious software onto a victim’s device, scammers therefore need to convince the user to turn the macros back on.
In the recent tax scam, the cybercriminals attempt to do so by issuing the following message:
“This document is protected. Previewing is not available for protected documents. You have to press ‘enable editing’ and ‘enable content’ buttons to preview this document.”
Clicking those buttons turns the macros on, and the macro then downloads the Emotet malware onto the victim’s device.
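The two tells described above, the padded document and the hidden macro project, can be checked without ever opening the document in Word. The following Python script is an added example written for this page; it is not code from Malwarebytes Labs or from the Emotet campaign. It reads the ZIP’s central directory to get each entry’s declared uncompressed size (so a padded document is never decompressed just to measure it), flags anything over the 500MB mark the blog cites, and, for Office Open XML documents small enough to parse safely, looks for the vbaProject.bin part that holds VBA macros. The 50MB parse cap, the compression-ratio figure and the sample attachment (a padded .docm with a dummy macro part, built in code, not the real “W-9 form.zip”) are assumptions of the example.

```python
"""Triage a ZIP email attachment for the two Emotet tells described above:
an artificially inflated Office document and an embedded VBA macro project.
Added example for this page; not Malwarebytes' code and not the campaign's."""
import io
import zipfile

# Malwarebytes cites documents padded past 500 MB as a potential Emotet indicator.
INFLATED_DOC_BYTES = 500 * 1024 * 1024
# Assumed limit for this example: above this we do not parse the inner document.
# An inflated file is already a finding, and decompressing it is exactly the
# cost the padding is designed to impose on security tools.
MAX_PARSE_BYTES = 50 * 1024 * 1024
# Office Open XML files are ZIP containers; a VBA project lives in one of these parts.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")
LEGACY_EXT = (".doc", ".dot", ".xls", ".ppt")  # OLE2 files, need an OLE parser


def inspect_zip_attachment(zip_bytes, inflated_threshold=INFLATED_DOC_BYTES,
                           max_parse_bytes=MAX_PARSE_BYTES):
    """Return one finding dict per ZIP entry.

    Sizes come from the ZIP central directory, so a padded document is never
    decompressed just to measure it; only documents under max_parse_bytes are
    opened to look for a macro project.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            lower = info.filename.lower()
            entry = {
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                # Null-byte padding deflates almost to nothing, so an extreme
                # ratio is itself a tell even when the ZIP looks small.
                "ratio": info.file_size / info.compress_size if info.compress_size else 0.0,
                "inflated": info.file_size > inflated_threshold,
                "has_vba": None,  # None means "not determined"
                "note": "",
            }
            if lower.endswith(OOXML_EXT):
                if info.file_size > max_parse_bytes:
                    entry["note"] = "too large to parse safely; treat as suspicious"
                else:
                    with outer.open(info) as fh:
                        data = fh.read()
                    try:
                        with zipfile.ZipFile(io.BytesIO(data)) as doc:
                            parts = set(doc.namelist())
                        entry["has_vba"] = any(p in parts for p in VBA_PARTS)
                    except zipfile.BadZipFile:
                        entry["note"] = "Office extension but not a valid OOXML container"
            elif lower.endswith(LEGACY_EXT):
                entry["note"] = "legacy OLE document; macro check needs an OLE parser"
            findings.append(entry)
    return findings


def is_suspicious(findings):
    """Verdict for the whole attachment: padded, macro-bearing, or unparseable by design."""
    return any(e["inflated"] or e["has_vba"] or e["note"].startswith("too large")
               for e in findings)


def build_sample_attachment(pad_bytes=2 * 1024 * 1024, with_macro=True):
    """Constructed stand-in for the lure (NOT the real 'W-9 form.zip').

    The inner document is a minimal .docm/.docx. Padding is written STORED
    (uncompressed) inside it so the document itself is large, while the outer
    ZIP deflates those zeros away and stays small, the shape the article describes.
    """
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w", zipfile.ZIP_DEFLATED) as d:
        d.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts only
        d.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            d.writestr("word/vbaProject.bin", b"dummy VBA project, not real macro code")
        if pad_bytes:
            d.writestr("word/media/pad.bin", b"\0" * pad_bytes,
                       compress_type=zipfile.ZIP_STORED)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("W-9 form.docm" if with_macro else "W-9 form.docx", doc.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    # Threshold lowered to 1 MB so the 2 MB constructed sample trips it;
    # a real triage run keeps the 500 MB default.
    for e in inspect_zip_attachment(sample, inflated_threshold=1024 * 1024):
        print(f"{e['name']}: zip={len(sample)}B doc={e['uncompressed']}B "
              f"ratio={e['ratio']:.0f}:1 inflated={e['inflated']} vba={e['has_vba']}")
    print("suspicious:", is_suspicious(inspect_zip_attachment(sample, 1024 * 1024)))
```

Run against the constructed sample, the outer ZIP is a few kilobytes while the document inside declares roughly 2MB, a ratio in the hundreds, which is the same shape as a 709KB archive carrying a padded document. Legacy .doc files are OLE2 containers rather than ZIPs, so the script only reports that they need a separate OLE parser instead of guessing.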
Since 2014, Emotet has been one of the largest cyberthreats worldwide, and the Cybersecurity and Infrastructure Security Agency (CISA) has labeled it “one of the most prevalent ongoing threats.”
If the malware is downloaded to your personal device, it could allow hackers access to personal data, such as banking information.
To avoid falling for a similar cyber scheme, there are several steps you can take:
- Check carefully who the email is really from, looking at the sender address and not just the display name
- Avoid clicking on suspicious links or opening unexpected attachments
- Avoid opening emails from suspicious accounts with misspellings or false information
- Never click “Enable editing” or “Enable content” in a document you did not expect to receive
- Report any emails you are certain are scams to your provider