New scam impersonates VAT form to deliver malware
Advisers aren’t alone in noticing a “very active” VAT man, as the belief that HMRC is increasingly finding fault with VAT returns is being relied on by gangs trying to hijack PCs.
In a new scam impersonating a HMRC VAT form, malware authors are using a registered HMRC-like domain to send out spoof emails that give the illusion that a VAT return is attached.
The scammer’s message -- complete with the usual grammatical slips, reads: “Thank you for sending you VAT Return Online but there some queries about your submission.”
Marginally more legitimate-sounding and without any slips, the follow-up sentence states: “Kindly review the outlined errors in the attached document, correct and resubmit.”
The illusion of the attached 'VAT Return Query.pdf' is achieved using an embedded HTML image that is rigged with a URL that points to a Microsoft OneDrive file-sharing service.
Clicking on the link points the browser to the OneDrive service and automatically downloads the file, ‘VAT RETURN QUERY.ZIP.’
But according to cyber security firm Trustwave, unzipping it unleashes a well-known Java RAT Trojan that provides the scammers “complete” remote control over the recipient’s computer.
“[The senders are] aware of various deadlines such as those…for tax returns,” the firm said. “We have witnessed an increase in phishing campaigns using Microsoft services”.
It advised taxpayers to be “particularly careful,” partly because the messages are from “ HMRC Business Help and Support Email,” compared to the Revenue’s official “HMRC Business Help and Support Emails,” which the department uses for genuine VAT-related communications.