a CEO to hit up a company for sensitive information. That’s what happened to Snapchat, when an email came in to its payroll department, masked as an email from CEO Evan Spiegel and asking for employee payroll information. Here’s a turn of that same type of screw: the Internal Revenue Service (IRS) last week sent out an urgent warning about a new tax season scam that wraps the CEO fraud in with a W-2 scam, then adds a dollop of wire fraud on top. A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year. This new and nasty dual-phishing scam has moved beyond the corporate world to target nonprofits such as school districts, healthcare organizations, chain restaurants, temporary staffing agencies and tribal organizations. As with earlier CEO spoofing scams, the crooks are doctoring emails to make the messages look like they’re coming from an organization’s executive. Sending the phishing messages to employees in payroll or human resources departments, the criminals request a list of all employees and their W-2 forms. The scam, sometimes referred to as business email compromise (BEC) or business email spoofing (BES), first appeared last year. This year, it’s not only being sent to a broader set of intended victims; it’s also being sent out earlier in the tax season than last year. In a new twist, this year’s spam scamwich also features a followup email from that “executive”, sent to payroll or the comptroller, asking for a wire transfer to a certain account. Some companies have been swindled twice: they’ve lost both employees’ W-2s and thousands of dollars sent out via the wire transfers.
Last week I ran across a very successful phishing campaign; what’s odd is that in most ways it was nothing special. The attacker was using this more like a worm, where stolen credentials would be used within the hour to start sending out a mass amount of more phishes. I've decided to call this "Dynamite Phishing" because there is nothing quiet about this at all. It seems about 40% of the credentials were used for more mailings, and the other accounts' credentials had not been used. The initial phishes came in from a K12 domain from several affected individuals. The email subject was “You have an Incoming Document Share With You Via Google Docs”. The contents of the email were base64 encoded; while it appears to be a common Content-Transfer-Encoding, it's not something I typically run into, especially when looking at phishes. The link in the document went to "hxxp://bit.ly/2kZJbW3", which went to hxxp://jamesrichardsquest.co.nf/lib. The landing page was set up as a generic Outlook Web Access 2013 login page. It appears the EM_Client is a pretty popular email client, but it may be something you can block on depending on your environment (user-agent: eM_Client/7.0.27943.0). While most people have good protections from emails coming from external entities into their email environment, many don’t push the same protections intra-domain. The volume of email sent from the phished accounts to other internal accounts is what made this so successful.
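One way to look for the pattern the post describes, an internal account suddenly mailing many internal recipients within an hour, optionally with the eM_Client user-agent, is sketched below. This is an added example, not code from the original post; the domain district.example, the threshold of 5, the log tuple layout and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "district.example"  # assumption: placeholder for your own mail domain
WINDOW = timedelta(hours=1)           # the post: stolen credentials were reused within the hour
BURST_THRESHOLD = 5                   # assumption: distinct internal recipients per window
WATCHED_AGENT = "eM_Client/"          # user-agent family named in the post

def is_internal(addr):
    return addr.lower().rsplit("@", 1)[-1] == INTERNAL_DOMAIN

def find_internal_bursts(records):
    """Map each internal sender that reached BURST_THRESHOLD or more distinct internal
    recipients inside one WINDOW to its peak recipient count and a watched-agent flag."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, agent in records:
        if is_internal(sender) and is_internal(rcpt):   # intra-domain traffic only
            by_sender[sender.lower()].append((datetime.fromisoformat(ts), rcpt.lower(), agent))
    alerts = {}
    for sender, events in by_sender.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:  # slide the window forward
                start += 1
            window = events[start:end + 1]
            rcpts = {r for _, r, _ in window}
            if len(rcpts) < BURST_THRESHOLD:
                continue
            hit = alerts.setdefault(sender, {"recipients": 0, "watched_agent": False})
            hit["recipients"] = max(hit["recipients"], len(rcpts))
            hit["watched_agent"] |= any(a.startswith(WATCHED_AGENT) for _, _, a in window)
    return alerts

# Constructed sample log: (ISO timestamp, sender, recipient, user-agent)
SAMPLE_LOG = (
    # burst: 8 internal recipients in 8 minutes from one account using eM Client
    [(f"2017-02-06T09:{10 + i:02d}:00", "teacher1@district.example",
      f"staff{i}@district.example", "eM_Client/7.0.27943.0") for i in range(8)]
    # same volume spread over a working day: stays under the hourly threshold
    + [(f"2017-02-06T{8 + i:02d}:30:00", "clerk@district.example",
        f"staff{i}@district.example", "Microsoft Outlook 16.0") for i in range(8)]
    # external sender: out of scope for the intra-domain check
    + [(f"2017-02-06T10:{i:02d}:00", "news@vendor.example",
        f"staff{i}@district.example", "BulkMailer/1.0") for i in range(8)]
)

if __name__ == "__main__":
    for sender, hit in find_internal_bursts(SAMPLE_LOG).items():
        print(sender, hit)
```

The user-agent flag is only a triage hint, since eM Client is also a legitimate mail client; the recipient burst is what drives the alert.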