Attacks/Breaches

3/23/2016
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

IRS Tax Fraud And Phishing Advances

New techniques and automation have bad guys making more money than ever off of unsuspecting taxpayers.

Internal Revenue Service (IRS) tax phishing and fraud is hardly a new thing, but this is the year that criminals are taking it to the next level, according to a number of researchers who have been keeping tabs on phishing activity and wares sold on the Dark Web.

"Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart," writes Proofpoint researchers in a recent report on tax fraud trends.

For years now, attackers have taken advantage of the sense of urgency that tax-related matters have for most US computer users during tax season to create convincing lures that look like messages from the IRS or tax preparers in order to get victims to give away sensitive information. Now, they're perfecting their techniques.

For example, in one instance, Proofpoint spotted a mobile-optimized phishing site designed to mimic tax software, specifically seeking to dupe users who lean more heavily on their mobile devices than PCs these days. Attackers are also also taking advantage of the phone to conduct voice-phishing, or vishing, attacks on users, says Adam Meyer, chief security strategist for SurfWatch. Meyers says his research has seen a surge in tax-related vishing attacks this year. Where they're upping the game on this front is in who they target, he says.

"They’re filtering by name people who tend to have a foreign name to exploit their lack of English skills as well as the fact they likely they don’t understand our tax system as well as people who have grown up with it," he says.

More costly for taxpayers, both individually and as a group paying the IRS' bills, is the increasing use of stolen information to commit tax refund fraud. The last few years has seen attackers ramping up the abuse of the the IRS' electronic filing PIN verification system in order to file a fake return under a victim's identity and have that sent to a fraudulent bank account. The information requested by the IRS to grant these E-PINs is typically of the sort trivial for identity thieves to acquire.

According to a public service announcement from the FBI today, Stolen Identity Refund Fraud (SIRF) is on the rise, and typically targets temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas -- all individuals less likely to keep close tabs on their identity details or tax return status.

And according to a new report out by fraud prevention firm Iovation, the strain of fraudulent returns meant to steal imaginary refunds using stolen identities is evident in the time it takes the IRS to review returns and issue refunds. That time has lengthened threefold in the past year.

"Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return," the FBI warned. "Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns."

According to Meyer, where the bad guys are honing their skills is in the automation of the generation of E-PINs and filing of fraudulent returns.

"There’s no authentication step before entering your data in, so this year automation has kicked in where they can point a bot at this [IRS] page, throw a database of stolen identities at it, generate thousands of E-PINS, and then go ahead and use that to file submissions within January before everyone gets their W2s," he explains

Even more troubling is the fact that enterprising criminals are commercializing the tools and educational materials meant to enable others to perpetrate tax fraud and phishing. According to Proofpoint, this year has seen a huge maturation of IRS phishing kits made to help bad guys automatically produce convincing tax-related phishing lures. And similarly, Meyer says the Dark Web is now full of one-off tools, kits, and even educational ebooks meant to help criminals learn how to commit SIRF at scale.

"It looks like they're way more turnkey this year," he says.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.