Someone's Spreading Ransomware by Pretending to be the IRS

There's a threat actor who was recently discovered who is pretending to be the IRS in order to spread ransomware. The email has been shared online and the body of the phishing email reads as follows:

“The Internal Revenue Service (IRS) is the revenue service of the United States government. The government agency is a bureau of the Department of the Treasury. The IRS is responsible for collecting taxes and administering the Internal Revenue Code, the federal statutory tax law of the U.S. Our duty is to maximize tax revenue, as well as pursuing and resolving instances of erroneous or fraudulent tax filings.

Owing to changes of tax laws of the United States of America of June 21, 2017, any business activity of resident or non-resident citizens of the United States of America abroad, in particular the belonging of offshore companies, equity participation and offshore capitals, is transferred under special control of the Federal Bureau of Investigation.

FBI requires a completed questionnaire here with absolutely reliable information. The questionnaire should be printed, filed out, and signed in the specified places, scanned and sent within 10 days from the reception of this letter.”

Given what's available on the Dark Web, and Microsoft's dominant market share on the desktop, the ransomware likely exploits Windows vulnerabilities.

How to Spot Suspicious Messages

In 2017, I hope that most Americans are aware that if the IRS wanted documentation from them, they would contact you by snail mail or ask you to visit their website to download a PDF from there. If the FBI is investigating you, if you were ever notified, it'd likely be through law enforcement. The FBI certainly doesn't investigate financial fraud by contacting their suspects through the IRS like this. And the FBI doesn't do any of the IRS's routine work, either.

Bottom line: The FBI doesn’t send emails.

Still, many people are terrified of authority and attackers know and exploit this as a form of social engineering in order to get what they want from the victim. After all, who wants to be pursued for owing hundreds of thousands of dollars, or worse, go to prison?

What the IRS Says About This Latest Attack

“This is a new twist on an old scheme. People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call,” IRS Commissioner John Koskinen said.

About a month ago, the IRS released recommendations for dealing with ransomware. That effort is a part of their “Don't Take The Bait” campaign.

I think their advice is excellent. Here's some of it:

  • Make sure employees are aware of ransomware and of their critical role in protecting the organization’s data.
  • For digital devices, ensure that security patches are installed on operating systems, software and firmware. This step may be made easier through a centralized patch management system.
  • Ensure that antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts — no users should be assigned administrative access unless necessary, and only use administrator accounts when needed.
  • Configure computer access controls, including file, directory and network share permissions, appropriately. If users require read-only information, do not provide them with write-access to those files or directories.
  • Disable macro scripts from office files transmitted over email.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers, compression/decompression programs.
  • Back up data regularly and verify the integrity of those backups.
  • Secure backup data. Make sure the backup device isn’t constantly connected to the computers and networks they are backing up. This will ensure the backup data remains unaffected by ransomware attempts.

Reporting

If you notice a scam related to IRS impersonation, please email phishing@irs.gov.

If you are the victim of a ransomware attack, whether or not it involves impersonating a U.S. government agency, report it to the FBI through the Internet Crime Complaint Center.