Fake IRS “Intent to Seize Refund” Scam Really Wants to Seize Your Bank Account

Everyone probably looks in their spam folder at some time or other. You never know when something from a long lost friend may have been incorrectly placed there. I’ve had it happen. While there, you are likely to see subject headers that may peak your interest. And what if one of those headers reads, “Internal Revenue Service Important Notification” or “Internal Revenue Service Final Notice”? Would you ignore it or would you want to take a look, just to make sure? It’s a hard call, especially during tax season.

So, imagine that you take a look and see the following.
irs email scam
On the surface, it looks legitimate. You may wonder if you actually do owe some money. Maybe there’s some mistake you made in your tax return. In any event, you may be tempted to click on the link to your billing information.

But, you know that there are dangers in clicking on such links and maybe you’ve learned that you can hover the cursor over the link to see what address it resolves to. In the above email, you will see this if you do so.

irs hover cursor

The ‘removed’ sections of the link would be an encoded representation of the victim’s email address. Nonetheless, you should be able to see that this link looks fake. This is the least sophisticated part of the hack. If they wanted to, they could have at least hidden the URL behind a short link, A more sophisticated hack would employ a mock IRS URL, but these malspam attempts are usually done in bulk and take advantage of any vulnerable URLs that they can find. They are hoping you will simply click on the link in an attempt to get to the data that you want to see.

So, let’s suppose that you simply want to see the information and you click on the link. Before you actually get to the page, you will see a popup asking if you want to open a certain document. Interestingly, the document may even have your name or email address in the title. So, for example, if your name was, Smith, you may see the following when you arrive at the linked page.

irs link popup

Again, you’d still have to overlook the website that the document was being downloaded from, especially, as in the example above, it seemed to come from a site that had nothing at all to do with the IRS. There may be a way for the hackers to write some code that will put IRS information into the URL address, but I’m not aware of it and the attackers do not use it in their campaign. They really don’t care about the details. They just need a few careless people to keep the money rolling in.

So, let’s imagine, that, for whatever reason, you agree to the download of the document that appears to have been prepared for you. Sadly, you will find that it does not open as easily as you would hope. You will be given a notification which will look something like this.

macro

At this point, your antivirus software will probably kick in. Mine did. It recognized that Hancitor malware was trying to get onto my computer. The malware needs you to enable macros, which, for the most part, is something you shouldn’t do. If you have your settings set for allowing macros, change that setting. (Tools/Macros/Security). But, for the purposes of this narrative, let’s assume that you don’t have your settings set to prevent macros from opening automatically or you decide to enable macros for this document. Remember, ostensibly, you still want to find out why the IRS thinks you owe them money. In any event, allowing the document to open will install the malware. (Note: Recent attacks have tried to exploit RTF files.)

Once activated, Hancitor will download the following malware.

hancitor malware

Actually, other types of malware have been downloaded at this stage, including spambots. Both Pony and Evil Pony Malware are password stealers. Zeus Panda will attempt to steal your banking information and it will do a good job doing so. It is very difficult to discover once it is installed.

In short, Hancitor Malware is well-known for taking advantage of certain conditions to push itself on unsuspecting victims. During holidays, it will push notices of package deliveries. Now, it is tax season so the attackers hope more attention will be paid to any email, spam or not, that may appear to come from the IRS, even though the IRS never sends email notifications to taxpayers.

The truth is that only a series of blunders on the part of users would allow Hancitor to install itself on a victim’s machine, yet, Hancitor continues its attacks. Most attacks come from servers in these countries.

hancitor distribution

In fact, new attacks are being used which bypass the ‘enable macros’ technique. These exploits use something called a DDE (Microsoft Dynamic Data Exchange) attack. This will link information in a legitimate Word document to a malicious program. If such an exploit is used, Word will give you this notification.

hancitor notification

Clicking ‘Yes’ releases the malware. Since the Word document is legitimate, you will not be asked to enable macros.

Since DDE is part of Microsoft Word’s normal architecture, it will not trigger any antivirus actions. You will normally only see the above notice. So, expect Hancitor to claim more victims as time goes by. Hancitor will continue to survive due to extensive spamming which takes advantage of current news stories or seasonal events. It is easily avoided, however, so if you adhere to the safe browsing principles outlined above, it needn’t be a serious problem. That said, there will still be those who open their bank accounts to find they no longer contain any money; and that’s a hard way to learn a lesson in cybersecurity.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technologies, TrustWall and Mobile bare-metal virtualization. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator.
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s