Don’t Get Tricked by TrickBot!

As we near Tax Day, a potent, tax-themed malware campaign is heating up, looking to snare unwary filers.

TrickBot, data-nabbing malware

Tax season can certainly be a stressful period. Filling out forms chockful of fields and rifling through boxes trying to find the final receipts needed for your HSA claim can leave you frazzled. Hackers are banking on this and the fact that financial forms and tax correspondence have a high chance of catching your eye when you’re scanning your inbox and separating the wheat from the chaff.

TrickBot, developed in 2016, is a fairly recent trojan that infects Windows PCs. It targets banks, purloins sensitive data and credentials, and can even steal from Bitcoin wallets. Needless to say, the TrickBot masterminds are financially motivated. They show a flair for constant innovation in the way of new features and enhancements in their product, and that’s bad news for computer users.

Ever-evolving social engineering

This latest tax season TrickBot campaign utilizes malspam and social engineering to trick filers into opening the attached malicious Excel document. The email may appear to come from ADP, Paychex, Intuit, or even the IRS itself.

Attackers are getting better at making their malicious replicas look authentic. However, with careful scrutiny, one will likely notice the hallmarks of malicious correspondence. Many attackers are foreign, thus there’s typically a sprinkling of grammatical errors or awkward phrasing.

One should also examine the email sender address. See a fishy-sounding or outright cryptic domain? Steer clear from that email.

TrickBot infection: hard to detect

TrickBot is a bundle of modules, each with its own specialty, such as propagation, encryption, and credential theft.

After infecting the computer, the malware will look for targets in the network. Financial information, tax documents, and account credentials are located and sent back to the attackers.

The average user may not even be aware their system has been infected. Astute network admins, however, will more than likely notice some abnormal activity in the form of unusual traffic and attempts by the malware to communicate with the TrickBot command and control servers.

Staying safe

Even if things look legit in an email, you may still have a funny feeling about it. If that’s the case, trust your instincts. Get the advice of your IT department or managed security provider before proceeding further.

Alternatively, you can reach out to the sender via another channel: a separate email, a contact form on the company’s website, or a phone call.

“If you own a business, network security is an absolute must,” said Brian Walker. “Since there’s no single piece of hardware or software that can block all possible threats, layering up your defensive measures is a good policy.”

“Thrive provides many security services to help keep your data safe,” said Aaron Allen. “Thrive provides proactive IT monitoring to detect unusual network activity. InDefend, one of our newer products, helps block communication to the dark web and malware command and control servers by protecting at the DNS level. Our mature business continuity service, is the perfect last line of defense, allowing you to restore data in the event of total network disaster.”

“Thrive will handle all your IT and network security for one fixed fee. Contact us today.”