Sunday, February 9, 2025

Hackers Impersonate Top Tax Firm with 40,000 Phishing Messages to Steal Credentials


Proofpoint researchers have identified a marked increase in phishing campaigns and malicious domain registrations designed to exploit tax filing season.

These operations, targeting countries such as the UK, US, Switzerland, and Australia, leverage tax-related themes to dupe victims into divulging sensitive information or making fraudulent payments.

This surge in activity aligns with the yearly patterns seen from December to April, as businesses and individuals prepare their tax filings.

Attackers commonly impersonate tax agencies or financial institutions linked to tax-related engagements.

These phishing lures exploit the perceived authority of these organizations, making them effective tools for credential theft, financial fraud, and malware delivery.

Region-Specific Campaigns: UK, US, Switzerland, and Australia in Focus

In the UK, multiple campaigns have surfaced impersonating HM Revenue & Customs (HMRC).

One notable campaign, active since January 12, 2025, employed “account update” phishing emails, which redirected recipients to fake HMRC-branded credential harvesting sites.

[Figure: HMRC lure impersonating the agency and distributing credential phishing.]

The effort targeted several organizations, using sophisticated branding and language to appear legitimate.

In the US, hundreds of malicious domains were linked to tax-themed phishing campaigns in January 2025 alone.

A notable example involved attackers impersonating Intuit’s QuickBooks with emails that falsely claimed users’ tax forms were rejected.

Victims were redirected to phishing pages impersonating Intuit to steal credentials.

This campaign alone sent over 40,000 fraudulent emails targeting more than 2,000 organizations.

Swiss organizations were also targeted in December 2024 through fraudulent emails purporting to be from the Federal Tax Administration.

These messages demanded payment through a genuine Revolut payment link, so the request passed casual inspection while the funds went to an attacker-controlled account.

Unlike the other campaigns, this effort emphasized direct financial fraud rather than credential theft, pressuring recipients into transferring CHF 102.50.

In Australia, campaigns disguised as communications from myGov, the Australian government services portal, have been active since early January 2025.

These phishing efforts aimed to steal usernames, passwords, and multifactor authentication (MFA) details by redirecting victims to fake myGov portals.

The phishing pages also employed anti-bot checks designed to keep automated scanners and crawlers from reaching the credential-harvesting content, making the sites harder to detect and block.

Tax-Themed Threats Evolve to Deliver Malware

Beyond credential theft and fraud, tax-themed lures have also been employed to deliver advanced malware.

On January 16, 2025, a campaign used fake tax software emails to distribute Rhadamanthys and zgRAT malware.

[Figure: Malicious email impersonating tax software.]

The campaign's malicious content was hosted on Microsoft Azure, and the infection chain relied on PowerShell scripts to compromise targeted systems.

Other recent campaigns have delivered malware such as MetaStealer, XWorm, AsyncRAT, and VenomRAT, further highlighting the diverse techniques employed by threat actors.

The reliance on authoritative branding and the time-sensitive nature of tax-related communications make these campaigns particularly effective.

Proofpoint emphasizes the importance of user awareness training so that staff recognize phishing attempts and the tactics attackers commonly use.

Proactive measures, such as monitoring domain impersonation efforts and bolstering email security systems, remain crucial in mitigating these growing threats.
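The following Python script is an added example of the kind of domain-impersonation check such monitoring can start from; it is not code from Proofpoint or from the article. It scores candidate domains against the brands abused in these campaigns, handling hyphenated keyword domains, single-edit typos (including transpositions), leetspeak substitutions, and Cyrillic confusables delivered as punycode. The brand list, the "legitimate" domains, and the candidate domains are constructed assumptions for illustration, not a statement about any organization's real infrastructure.

```python
import unicodedata

# Brands impersonated in the tax-season campaigns, mapped to the namespace the
# brand legitimately uses. ASSUMED for illustration; adjust to your own list.
PROTECTED_BRANDS = {
    "hmrc": "gov.uk",
    "intuit": "intuit.com",
    "quickbooks": "intuit.com",
    "mygov": "my.gov.au",
}

# Cyrillic letters that render identically to Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Multi- and single-character ASCII substitutions common in typosquats.
SUBSTITUTIONS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b")]


def decode_label(label):
    """Turn an xn-- punycode label back into Unicode; leave plain labels alone."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalise(label):
    """Fold confusables, accents and leetspeak so lookalikes compare as ASCII."""
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def assess_domain(domain):
    """Return (brand, kind, offending_label) findings for one candidate domain."""
    host = domain.lower().rstrip(".")
    labels = [decode_label(l) for l in host.split(".")]
    findings = []
    for brand, legit in PROTECTED_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            continue  # the brand's own namespace; attackers cannot register under it
        for label in labels[:-1]:  # never score the TLD itself
            norm = normalise(label)
            compact = norm.replace("-", "")
            # Keyword hit: the brand appears verbatim (e.g. hmrc-account-update).
            # High recall, needs analyst triage ("intuition" also matches "intuit").
            if brand in compact:
                findings.append((brand, "keyword", label))
                break
            # Lookalike hit: a token one edit or transposition away (hrmc, lntuit).
            tokens = set(norm.split("-")) | {compact}
            if any(len(t) >= 4 and osa_distance(t, brand) == 1 for t in tokens):
                findings.append((brand, "lookalike", label))
                break
    return findings


def triage(domains):
    """Map each candidate domain to its findings, dropping clean ones."""
    return {d: f for d in domains if (f := assess_domain(d))}


if __name__ == "__main__":
    # Constructed sample feed of "newly registered" domains, not real observations.
    sample = [
        "hmrc-account-update.com", "hrmc.co.uk", "quickbooks-forms-rejected.net",
        "1ntuit-tax.com", "my-gov-au-refund.com", "intu\u0456t.com",
        "quickbooks.intuit.com", "intuition.com", "example.org",
    ]
    for domain, hits in triage(sample).items():
        print(f"{domain:32} {hits}")
```

Run against a daily feed of new registrations or certificate-transparency log entries, the "keyword" bucket is where the HMRC, QuickBooks and myGov lures described above would surface; the "lookalike" bucket catches the single-typo and homoglyph registrations that keyword matching misses, at the cost of false positives such as the "intuition" case, which is why the output is meant for triage rather than automatic blocking.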

As tax season continues, vigilance against these evolving threats is vital to safeguard sensitive information and financial resources from exploitation.


Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
