Beware: Sophisticated Phishing Attacks Impersonate Indian Income Tax Department to Target Businesses
Cybercriminals are increasingly exploiting the Income Tax Return (ITR) filing season to launch sophisticated phishing campaigns targeting Indian businesses. By capitalizing on the urgency and familiarity associated with tax compliance, these attackers craft convincing lures that mimic official communications from the Income Tax Department.
The Attack Strategy
The initial phase of this attack involves a spear-phishing email with the subject line Tax Compliance Review Notice, purportedly from the Income Tax Department. A closer examination reveals that the sender uses a suspicious Outlook[.]com address instead of an official government domain. Notably, the email body contains no actual text; instead, it features a single embedded image designed to resemble a genuine notice, effectively bypassing standard text-based spam filters. This tactic creates a false sense of urgency by referencing fabricated deadlines and compliance failures.
Recipients are directed to open an attachment named Review Annexure.pdf, which mimics a legitimate tax document. This PDF contains a malicious link directing users to a fraudulent compliance portal. Upon visiting this portal, users are prompted to download a ZIP archive and are instructed to disable their antivirus software under the guise of compatibility issues.
Infection Mechanism and Persistence
The technical sophistication of this campaign becomes evident once the victim engages with the downloaded payload. The infection process utilizes a two-stage NSIS installer that unpacks multiple files to establish a foothold on the victim’s machine. The malware does not merely steal data; it installs a persistent service named NSecRTS.exe to ensure it runs automatically in the background. This service communicates with Command and Control (C2) servers over non-standard ports, such as 48991 and 48992.
Researchers noted that technical indicators, including Simplified Chinese language usage and specific code-signing certificates, suggest the tooling originated from a China-linked development environment. This transformation from a simple phishing email to a fully operational Remote Access Trojan (RAT) highlights the critical need for vigilance against such multi-stage threats.
Broader Context and Implications
This campaign is part of a broader trend where cybercriminals exploit tax-related themes to target individuals and businesses. For instance, the Drinik Android malware has been impersonating the Income Tax Department to target customers of at least 18 Indian banks, including the State Bank of India. Drinik has evolved from an SMS stealer in 2016 to a full-fledged Android banking trojan equipped with keylogging, screen recording, and overlay attack capabilities. It masquerades as India’s official tax management app to capture victims’ personal and financial information.
The Income Tax Department has issued public advisories cautioning taxpayers, especially senior citizens, against fraudulent emails, SMS messages, and websites impersonating the Department to steal personal and financial information. Taxpayers are urged to remain vigilant and verify the authenticity of all communications claiming to be from tax authorities. The Department has reiterated that taxpayers should access tax-related services only through the official portal https://www.incometax.gov.in.
Recommendations for Businesses and Individuals
To protect against such sophisticated phishing attacks, businesses and individuals should:
1. Verify Communication Sources: Always check the sender’s email address and website domain carefully before clicking on any link. Official communications from the Income Tax Department will come from domains ending in @incometax.gov.in.
2. Avoid Clicking on Suspicious Links: Do not click on links or download attachments from unexpected messages. Instead, manually type the official URL into your browser.
3. Be Cautious with Personal Information: The Income Tax Department never asks for OTPs, passwords, or confidential personal information via email, SMS, or phone calls.
4. Report Suspicious Activity: Forward suspected phishing emails to [email protected], with a copy to [email protected], the national cyber incident response agency.
5. Keep Security Software Updated: Use anti-virus software, anti-spyware, and a firewall, and keep them updated to protect against malware infections.
By staying informed and vigilant, businesses and individuals can better protect themselves against these evolving cyber threats.
