How to defend yourself against TaxOlolo, a virus disguised as a tax bill

Detected by Bologna-based Yoroi, it has infected PCs at large Italian companies and public bodies. For now, its behavior is still not fully understood.

Relying partly on the element of surprise and partly on flawless social engineering, in a few days the hackers managed to hit important Italian companies and public bodies. The list of victims (about 80, until a few days ago) includes ACI, Fineco and Autostrade, as well as the municipalities of Brescia and Bologna, the Ministry of the Interior and the Chamber of Deputies.

In short, big names for an attack about which much remains to be clarified. For TaxOlolo (the name of the malware responsible for the offensive), some of the mechanisms and, above all, the effects are still to be understood. The experts at Yoroi, the computer security company that discovered the malicious software, are still analyzing in depth how it works and do not want to jump to hasty conclusions. What is certain is that this is not a "study" attack: the hackers wanted to do harm.

How TaxOlolo attacks

TaxOlolo is spreading rapidly via email disguised, as the name suggests, as a tax bill. The messages arrive with subject lines such as "Tax Codes Advances" or "F24 Advances-Tax Code 4034". At first glance these may seem like random names, but they are not: they are codes for tax forms known to those who work in the administrative offices of large companies or public bodies. In short, it is a targeted and well-constructed phishing attack aimed at the administrative departments of large Italian companies or public bodies.

The TaxOlolo attack, however, is only effective if you open the link in the body of the email: doing so downloads the "1t.exe" file to the victim's PC, where it installs itself and opens the door to malware of the GootKit family. At the moment, the purpose of the attack is still unclear, and Yoroi's cybersecurity researchers are trying to work out what the effects of the malware are.

How to defend yourself against TaxOlolo

Unfortunately for them, the hackers made a small mistake. Although the messages are perfect (both in the subject line and in the body text), the sender's address is shown "in the clear" and reveals that this is a phishing attack. If you look at the address of the sender of the tax bill, you will see that it is "[email protected]" or "[email protected]": obviously not connected in any way with the Tax Agency or any similar body.

In short, a little attention is enough to avoid falling into the hackers' trap and infecting your PC with malware linked to TaxOlolo. Remember also not to open any link or attachment unless you are sure of the sender: if in doubt, it is always better to avoid actions you may soon regret.
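
The two checks described above (a tax-themed subject from an unrelated sender, and a link that downloads an executable) can be automated in a mail triage script. The following Python is an added example, not code from the article or from Yoroi; the trusted domain, the sample messages and the function name triage are constructed assumptions, and the subject strings are the ones quoted on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains you accept tax notices from (placeholder, not a real address).
TRUSTED_SENDER_DOMAINS = {"tax-agency.example"}
# Subject wording as quoted in the article; extend with what your own mail flow shows.
SUBJECT_RE = re.compile(r"tax codes? advances|f24 advances|tax code \d{4}", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message resembles the lure described above."""
    msg = message_from_string(raw_message)
    reasons = []
    # Check 1: tax-themed subject, but the sender's domain is not one we expect.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if SUBJECT_RE.search(msg.get("Subject", "")) and domain not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"tax-themed subject from unexpected domain {domain!r}")
    # Check 2: a link in any text part whose path ends in .exe (the article's 1t.exe case).
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            path = url.split("?", 1)[0].split("#", 1)[0].rstrip(".,)")
            if path.lower().endswith(".exe"):
                reasons.append(f"link to executable: {url}")
    return reasons

# Constructed sample messages (all addresses and hosts are placeholders).
SAMPLE_LURE = (
    "From: Tax Office <notice@mailer.example>\n"
    "Subject: F24 Advances-Tax Code 4034\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Your form is ready: http://downloads.example/docs/1t.exe\n"
)
SAMPLE_OK = (
    "From: Tax Office <notice@tax-agency.example>\n"
    "Subject: F24 Advances-Tax Code 4034\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Your form is available in the portal.\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("ok", SAMPLE_OK)):
        print(name, triage(sample))
```

Subjects encoded per RFC 2047 need decoding (for example with email.header.decode_header) before the subject pattern is applied.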