Government is warning you about ‘dangerous’ Income Tax emails

The Government of India’s nodal cybersecurity agency, CERT-In, has issued a warning to citizens about a malicious email campaign in which messages are made to look as if they come from the Indian Income Tax Department. Because citizens take emails from the Income Tax Department seriously, attackers are exploiting that trust to push malware disguised as official correspondence. Here is everything you need to know about these ‘dangerous’ emails.

These Income Tax emails have subject lines related to IT returns or statements

According to CERT-In, the fake emails use subject lines such as ‘Important: Income Tax Outstanding Statements A.Y 2017-2018’ or ‘Income Tax statement’ to lure recipients into opening them.

These ‘dangerous Income Tax’ emails started circulating around September 12

The fake Income Tax emails are usually sent from a domain named ‘incometaxindia[.]info’

The department’s legitimate website is incometaxindia.gov.in; the ‘.info’ lookalike is not a government domain, and mail from it should be treated as fraudulent.

Two variants of these fake emails: Attachment with extension ‘.img’ and ‘.pif’ file

CERT-In has found two variants of the fake emails. The first carries an attachment with the extension “.img”, a disk-image format that Windows mounts as a drive when it is opened, and the image contains a malicious “.pif” file, an extension Windows runs as an executable. The second variant lures users into downloading the malicious “.pif” file from a SharePoint page, reached through a link on the fraudulent domain incometaxindia[.]info.

Emails are aimed at stealing personal information, warns CERT-In

According to CERT-In, the malicious “.pif” files contact a command-and-control (C2) server, modify the Windows registry, and attempt to steal the user’s personal information.

The campaign is similar to the “Ave-Maria” malware observed earlier

This campaign is considered particularly dangerous because it resembles the “Ave-Maria” malware observed earlier, which used DLL hijacking to gain administrative privileges and bypass traditional detection methods. That malware could also silently download additional plugins and malicious content.

CERT-In strongly recommends not opening documents from untrusted emails and disabling macros in MS Office by default

CERT-In suggests that businesses make these changes to prevent unauthorised access

CERT-In suggests restricting the execution of PowerShell and WScript in enterprise environments.

Ensure the latest version of PowerShell is installed and used, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralised log repository for monitoring and analysis.

Enforce application whitelisting on all endpoint workstations; this prevents droppers or unauthorised software from gaining execution on endpoints. Implement application whitelisting or a strict Software Restriction Policy (SRP) to block binaries running from the %APPDATA% and %TEMP% paths.
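
The controls listed above, applied and then read back for verification, as an added PowerShell example written for this page (it is not CERT-In’s or the article’s own code). It assumes an elevated session on a Windows 10/11 Enterprise or Windows Server host where AppLocker is available, and it uses AppLocker rather than SRP as the whitelisting mechanism; the transcript directory, the policy file name and the rule GUIDs are arbitrary choices made for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the CERT-In advisory or the article.
# Applies the controls CERT-In lists (PowerShell script block logging and
# transcription, WScript restriction, blocking execution from user-writable
# AppData/Temp paths) and reads them back so configuration drift is visible.
# ASSUMED: AppLocker is the whitelisting mechanism; $TranscriptDir, the
# policy file name and the rule GUIDs are arbitrary site choices.

$ErrorActionPreference = 'Stop'
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$WshKey        = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$TranscriptDir = 'C:\PSTranscripts'   # ASSUMED; use a write-only share that the log forwarder reads

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    Set-RegValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging for every module -> Event ID 4103 (pipeline execution details)
    Set-RegValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
    Set-RegValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'
    # Transcription of every session, with timestamped invocation headers
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    Set-RegValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
    Set-RegValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
    Set-RegValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'
}

function Disable-WindowsScriptHost {
    # With Enabled = 0, wscript.exe and cscript.exe refuse to run .vbs/.js/.wsf scripts
    Set-RegValue $WshKey 'Enabled' 0
}

function Set-UserWritablePathDeny {
    param([switch]$Enforce)   # start in AuditOnly, switch to Enabled after reviewing Event ID 8003
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
    # Deny beats Allow in AppLocker, so allowing %WINDIR%\* does not re-open %WINDIR%\Temp.
    # Per-user %TEMP% is %LOCALAPPDATA%\Temp, which the AppData rule already covers.
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
    <FilePathRule Id="9a1b6f51-0c34-4b2e-9f3a-1b2c3d4e5f60" Name="Deny per-user AppData (incl. Temp)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="2c7d0e84-5b19-4f6a-8d21-7e3f9a0b1c42" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="6f0a3b2c-8d4e-4a1f-b5c6-d7e8f9a0b1c3" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="e4b5c6d7-1a2b-4c3d-9e8f-0a1b2c3d4e5f" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $file = Join-Path $env:ProgramData 'applocker-deny-userpaths.xml'   # ASSUMED file name
    Set-Content -Path $file -Value $xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $file -Merge
    # AppLocker only enforces while the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service AppIDSvc
}

function Get-HardeningState {
    # Reads every control back from its authoritative source (registry, effective AppLocker policy, service state).
    $rv = { param($p, $n) (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n }
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
    [pscustomobject]@{
        ScriptBlockLogging = (& $rv "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $rv "$PolicyRoot\ModuleLogging" 'EnableModuleLogging') -eq 1
        Transcription      = (& $rv "$PolicyRoot\Transcription" 'EnableTranscripting') -eq 1
        TranscriptDir      = & $rv "$PolicyRoot\Transcription" 'OutputDirectory'
        WshDisabled        = (& $rv $WshKey 'Enabled') -eq 0
        AppLockerExeMode   = $exe.EnforcementMode
        AppLockerDenyRules = @($exe.FilePathRule | Where-Object Action -eq 'Deny').Count
        AppIdSvcRunning    = (Get-Service AppIDSvc).Status -eq 'Running'
    }
}

Enable-PowerShellLogging
Disable-WindowsScriptHost
Set-UserWritablePathDeny        # re-run with -Enforce once audit events show no legitimate software affected
Get-HardeningState | Format-List
```

Forward the Microsoft-Windows-PowerShell/Operational channel (Event IDs 4103 and 4104), the Microsoft-Windows-AppLocker logs (8003 audit, 8004 block) and the transcript directory to the central repository the advisory calls for. Two caveats: the allow rules here cover only Program Files and Windows, so any software installed elsewhere will be blocked once enforcement is on, which is why the example starts in AuditOnly; and AppLocker’s Exe collection is documented for .exe and .com, whereas SRP’s default designated file types include .pif, so test a benign .pif launched from a user profile path in a lab before relying on either control against this campaign’s payload.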

 

Source: Gadgets Now
