Targeting Accounting Firms: The RAT Tax Scam
 

Tax Season: Stressful and Joyous

Many Americans breathe a sigh of relief as soon as they send off their tax returns. A weight is lifted from their shoulders, and they settle back into their routine of not worrying about taxes again for another year. For individuals, tax season can be stressful, or a welcome time of joy, depending on whether they owe or are getting a refund.

But, for accounting firms, especially those specializing in providing tax-filing assistance for individuals, the time of year known as tax season tends to be both stressful and joyous. Many of these firms earn the majority of their annual revenue during tax season, but they also are extremely busy, especially in the final weeks before the tax filing deadline.

Tax Preparers Are an Appealing and Easy Target

Busy, and perhaps a little distracted, is exactly how cybercriminals hope to find tax preparers each year. Whether it is a one-person CPA shop, or a huge multi-national firm, the potential rewards for attackers can be just as appealing. With U.S. accounting firms having generated $110 billion in 2020 alone, there is definitely enough potential reward on the table to attract the attention of bad actors.

During tax season, accountants are not only busy preparing returns, but they are also busy generating new business. Accountants tend to find most of their new clients during the busy tax season. Cybercriminals know this and are ready to take advantage of that knowledge, combining the distractions of the busy tax season with the fact that it is also the time of year when most new business is generated.

The RAT Tax Scam

One way that cybercriminals take advantage of distracted accountants during tax season is known as the RAT Tax Scam, affectionately named after the remote access trojan, or RAT, a piece of malware that once downloaded on a device, enables an attacker to take control of the device and monitor everything the user does, working silently in the background. Once the bad actor has control over the device, in most cases without the device’s user knowing, keystroke logging and screen shots are used to capture highly sensitive confidential information about not only the victim, but their clients as well.

How the RAT Tax Scam Works

Threat actors do a little research, find the email address of an accountant they want to target, and then send an email, inquiring about tax preparation services. The first email they send is usually harmless in terms of malware because they are just baiting the accountant to get a response. The threat actor is purposefully not including any identifiable traits of a phishing email to bypass security tools and to not arise any suspicion from the email recipient. By the initial email not triggering any red flags, the accountant tends to immediately let down their guard and accept that the inquiry is coming from a legitimate potential client.

The initial email will ask if the accountant is taking on new clients, maybe even pretending that they are in a jam because their regular tax preparer is retiring. The email sender offers to send the accountant their previous year’s return or other necessary information in a subsequent email if necessary.

The accountant receives this email during their busiest time of year when they are also actively seeking new clients to help build their business. The email appears completely legitimate and doesn’t appear to be out of the ordinary or suspicious at all. If all goes according to the threat actor’s plan, the accountant responds by saying they would be happy to provide their tax preparation services and may even ask the new client to send some documentation back via email.

Unfortunately, the second email from the cybercriminal posing as a new client is what gets the accountant on the hook. The second email contains a malicious link or a malicious document that quietly downloads the remote access trojan on to the account’s device. Attacks of these nature tend to rely on image files that appear to be scanned documents to deliver the malicious payload. The accountant clicks on a link or downloads a file, and within seconds, the cybercriminal is watching every move the account makes on the device, including entering passwords and typing in sensitive and personal client information such as home addresses, phone numbers, and social security numbers.

What Happens Next

Cybercriminals can use the stolen credentials to access bank accounts and other highly sensitive areas. They can also use these credentials to attempt to access and then exploit the systems the accountant uses to process their returns. These bad actors can also use their access to deploy ransomware, encrypting the accounting firm’s files until a ransom is paid.