Fake IRS Document Scam Being Sent To Unsuspecting People 

(Republicaninformer.com)- U.S. taxpayers are targeted by a new Emotet phishing racket mimicking IRS and W-9 tax forms. Emotet is a computer malware program written as a “Trojan Horse” that will get into your computer and steal your information. 

The notorious virus was installed using phishing emails, including Microsoft Word and Excel documents with harmful macros. 

Emotet used Microsoft OneNote files with integrated scripts to spread its malware since Microsoft banned macros in downloaded Office documents. 

Emotet takes emails for reply-chain attacks, delivers spam, and installs malware that allows early access to threat actors like ransomware gangs. 

During holidays and corporate occasions like tax season, emotet malware campaigns use themed phishing efforts. 

Emotet malware and fake W-9 tax form attachments were identified in new phishing scams by Malwarebytes and Palo Alto Networks Unit42. In Malwarebytes’ scheme, threat actors impersonating IRS “Inspectors” send “IRS Tax Forms W-9” emails. 

‘W-9 form.zip’ contains a malicious Word document in these phishing emails. It’s above 500MB to avoid security detection. Users are less likely to activate macros and infect Word documents since Microsoft prohibits them by default. 

In a Unit42 phishing campaign, threat actors installed Emotet malware using Microsoft OneNote pages with embedded VBScript files. Reply-chain emails masquerading as business partners delivering W-9 Forms are used in this phishing effort. 

Double-click “View” to view the related OneNote documents. Instead of View, the VBScript starts. 

Launching the embedded VBScript file may be harmful, according to Microsoft OneNote. Unfortunately, many individuals ignore these warnings and run the files. 

VBScript uses regsvr32.exe to download and launch Emotet DLL. 

Now the malware stealthily steals emails and contacts and waits for more payloads. 

Scan W-9 and tax form emails using your local antivirus software. Due to their sensitivity, uploading these forms to VirusTotal is not suggested. 

Tax forms should not be opened using macros—usually PDFs. 

Finally, delete the email without reading it since tax forms are unlikely to be OneNote documents. 

As always, discard emails from strangers and phone them first to confirm.