Attacks/Breaches
3/23/2016
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

IRS Tax Fraud And Phishing Advances

New techniques and automation have bad guys making more money than ever off of unsuspecting taxpayers.

Internal Revenue Service (IRS) tax phishing and fraud is hardly a new thing, but this is the year that criminals are taking it to the next level, according to a number of researchers who have been keeping tabs on phishing activity and wares sold on the Dark Web.

"Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart," writes Proofpoint researchers in a recent report on tax fraud trends.

For years now, attackers have taken advantage of the sense of urgency that tax-related matters have for most US computer users during tax season to create convincing lures that look like messages from the IRS or tax preparers in order to get victims to give away sensitive information. Now, they're perfecting their techniques.

For example, in one instance, Proofpoint spotted a mobile-optimized phishing site designed to mimic tax software, specifically seeking to dupe users who lean more heavily on their mobile devices than PCs these days. Attackers are also also taking advantage of the phone to conduct voice-phishing, or vishing, attacks on users, says Adam Meyer, chief security strategist for SurfWatch. Meyers says his research has seen a surge in tax-related vishing attacks this year. Where they're upping the game on this front is in who they target, he says.

"They’re filtering by name people who tend to have a foreign name to exploit their lack of English skills as well as the fact they likely they don’t understand our tax system as well as people who have grown up with it," he says.

More costly for taxpayers, both individually and as a group paying the IRS' bills, is the increasing use of stolen information to commit tax refund fraud. The last few years has seen attackers ramping up the abuse of the the IRS' electronic filing PIN verification system in order to file a fake return under a victim's identity and have that sent to a fraudulent bank account. The information requested by the IRS to grant these E-PINs is typically of the sort trivial for identity thieves to acquire.

According to a public service announcement from the FBI today, Stolen Identity Refund Fraud (SIRF) is on the rise, and typically targets temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas -- all individuals less likely to keep close tabs on their identity details or tax return status.

And according to a new report out by fraud prevention firm Iovation, the strain of fraudulent returns meant to steal imaginary refunds using stolen identities is evident in the time it takes the IRS to review returns and issue refunds. That time has lengthened threefold in the past year.

"Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return," the FBI warned. "Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns."

According to Meyer, where the bad guys are honing their skills is in the automation of the generation of E-PINs and filing of fraudulent returns.

"There’s no authentication step before entering your data in, so this year automation has kicked in where they can point a bot at this [IRS] page, throw a database of stolen identities at it, generate thousands of E-PINS, and then go ahead and use that to file submissions within January before everyone gets their W2s," he explains

Even more troubling is the fact that enterprising criminals are commercializing the tools and educational materials meant to enable others to perpetrate tax fraud and phishing. According to Proofpoint, this year has seen a huge maturation of IRS phishing kits made to help bad guys automatically produce convincing tax-related phishing lures. And similarly, Meyer says the Dark Web is now full of one-off tools, kits, and even educational ebooks meant to help criminals learn how to commit SIRF at scale.

"It looks like they're way more turnkey this year," he says.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.