#NSBCS.078 - Don’t get caught in the tax time rush!
Source: NSB Cyber
Don’t get caught in the tax time rush!
It's that time of the year again. As we near the end of the financial year and start to prepare our tax returns, an opportunity arises for attackers to inject themselves into the process and trick you into paying your cash into their pockets, lodging a fraudulent tax return in your name, or stealing your personal information (which can be used later for fraudulent activity).
Australian Taxation Office (ATO) scams are up 300% from last year, and are a good example of how scammers prey on our social behaviours to get what they want.
We all have to file a tax return, so there is an expectation that we may get a notification from the ATO;
Not all of us know how to do our taxes properly, but we all think the big bad tax person will come after us if we've done it wrong;
They originate from many forms of communication: Email, SMS, Phone calls and through Social Media. While we don't expect them to contact us on Social Media, we do expect them to notify us through our contact details, typically Email, SMS and via the Phone; and
If you've never had to pay back tax, you probably don't know what the process for paying it is.
Sometimes these scams seem "obvious", but the reality is that they do work, so we should not blame those who fall victim to them. Instead, focus on raising awareness and educating everyone around you on how to identify a fishy situation: teach them to recognise red flags like unsolicited requests for personal information, overly urgent demands, or suspicious links, and encourage proactive steps such as verifying sources, using strong passwords, and staying informed about common scam tactics:
Never share your personal information such as your login, password and TFN - especially when someone has contacted you first;
If there's gift cards involved, stop all communications;
When in doubt, phone the legitimate ATO contact number from their website (ato.gov.au);
Do not click on any links or download attachments;
Remember, you can check your account for legitimate notifications by typing the MyGov (my.gov.au) or ATO websites into your browser; and
If a payment was made, contact your bank immediately to report the scam.
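The advice above to type my.gov.au or ato.gov.au into the browser yourself is worth automating for links that arrive by SMS or email. The check below is an added example, not NSB Cyber's own tooling; the sample links are constructed, and it shows why a proper label-aligned domain comparison is needed rather than a plain suffix match:

```python
import re
from urllib.parse import urlparse

# Domains the newsletter tells readers to type into the browser themselves.
TRUSTED_DOMAINS = ("ato.gov.au", "my.gov.au")

def _compact(s: str) -> str:
    """Strip dots and hyphens so 'my-gov.au' and 'ato.gov.au.x.com' expose the brand."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a label-aligned subdomain.
    A bare endswith() would also accept 'notato.gov.au', so require the dot."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify_link(url: str) -> str:
    """Classify a link from an SMS/email as 'trusted', 'lookalike' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if not host:
        return "unknown"
    if any(host_matches(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if "@" in parsed.netloc:
        # 'https://my.gov.au@203.0.113.9/' puts the brand in the userinfo part,
        # while the browser actually connects to the host after the '@'.
        return "lookalike"
    if any(_compact(d) in _compact(host) for d in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed sample links of the kind seen in tax-time scam messages.
SAMPLE_LINKS = [
    "https://my.gov.au/",
    "https://www.ato.gov.au/online-services/",
    "https://ato.gov.au.refund-portal.example/login",
    "https://notato.gov.au/refund",
    "https://my.gov.au@203.0.113.9/",
    "https://example.net/tax",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10} {link}")
```

A "lookalike" verdict is the cue to stop and phone the ATO number from ato.gov.au; "unknown" links still deserve the same caution if the message is unsolicited.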
While these scams may seem "obvious" to some, they can catch others off guard. This tax season, take a moment to check in with friends and family to help keep them safe. For more ways to stay protected, the ATO offers valuable resources and tips on spotting scams and safeguarding your personal information.
What we read this week
FIN6 Hackers Pose as Job Seekers to Backdoor Recruiters’ Devices - The FIN6 hacking group, known for financial fraud and ransomware, is now impersonating job seekers to target recruiters with malware-laced phishing campaigns. Instead of posing as employers, FIN6 approaches HR staff via LinkedIn or Indeed, sharing convincing but malicious “resume” websites hosted on AWS and registered anonymously. These phishing emails include non-clickable links to avoid detection and lead to sites that use fingerprinting and behavioural checks to display malicious content only to specific targets. After passing a fake CAPTCHA, victims are tricked into downloading a ZIP file containing a disguised shortcut that installs a modular backdoor known as More Eggs, which enables credential theft and further system compromise. To counter this, recruiters should be wary of unsolicited resume links and verify applicants’ identities independently before engaging further.
Hackers Exploited Windows WebDav Zero-Day to Drop Malware - The APT group known as ‘Stealth Falcon’ has exploited a zero-day Windows vulnerability (CVE-2025-33053) since March 2025 in targeted attacks on defence and government organisations in the Middle East. The flaw allows remote code execution via WebDAV by tricking Windows tools like iediagcmd.exe into launching malicious executables from a remote server, using a crafted .url file. This technique enables stealthy attacks without dropping local files, ultimately deploying a multi-stage loader called ‘Horus Loader’. Check Point Research identified the attempted attacks and found additional tools like a keylogger, credential dumper, and passive backdoor in the infection chain. Microsoft has patched the issue, and organisations are urged to update immediately or monitor WebDAV traffic if patching isn’t feasible.
Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks - Former Black Basta affiliates are continuing their attacks using familiar methods like email bombing and Microsoft Teams phishing, now enhanced with Python scripts delivered via cURL for deploying malicious payloads. ReliaQuest observed that many Teams phishing attacks between February and May 2025 originated from onmicrosoft[.]com domains or breached domains, making them appear legitimate and harder to detect. These attacks often impersonate help desk staff to gain user trust and leverage tools like Quick Assist or AnyDesk to establish remote access, followed by Python-based command-and-control (C2) activity.
InfoStealer Ring Bust-up Takes Down 20,000 Malicious IPs - Interpol, through its Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) Project, led a major international crackdown called Operation Secure, which resulted in the arrest of 32 suspects and the seizure of 41 servers and over 100GB of data. The operation involved 26 countries and support from cybersecurity firms like Group-IB, Kaspersky, and Trend Micro, and managed to neutralise 79% of known malicious IP addresses. Vietnamese authorities arrested 18 key members of the cybercrime ring, including the ringleader, while other arrests were made in Sri Lanka and Nauru. The group had been running a malware-as-a-service operation using infostealers such as Lumma, Risepro, and Meta Stealer to steal browser data, credit card details, and cryptocurrency wallet information via phishing and social media scams.
Misconfigured HMIs Expose US Water Systems to Anyone With a Browser - A security investigation by Censys uncovered that hundreds of control-room dashboards for United States (U.S.) water utilities were accessible online, with dozens allowing full control without any password protection. The discovery stemmed from a TLS certificate containing the word "SCADA," leading researchers to browser-based HMI platforms displaying real-time data from municipal water-treatment facilities. HMIs are software or device interfaces such as touchscreens or keyboards that allow operators to monitor and control industrial systems like SCADA, often remotely. These systems were categorised into three types: authenticated (credentials required), read-only (viewable without control), and unauthenticated (full access without credentials). This discovery aligns with previous warnings from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA), who have stressed that insecure internet-exposed HMIs in the water sector can be easily exploited by cybercriminals, as seen in attacks by pro-Russia hacktivists in 2024.
References
https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/
https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
https://thehackernews.com/2025/06/former-black-basta-members-use.html
https://www.darkreading.com/threat-intelligence/infostealer-ring-bust-20000-malicious-ips
https://www.securityweek.com/misconfigured-hmis-expose-us-water-systems-to-anyone-with-a-browser/