Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/23/2016
11:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

IRS Tax Fraud And Phishing Advances

New techniques and automation have bad guys making more money than ever off of unsuspecting taxpayers.

Internal Revenue Service (IRS) tax phishing and fraud is hardly a new thing, but this is the year that criminals are taking it to the next level, according to a number of researchers who have been keeping tabs on phishing activity and wares sold on the Dark Web.

"Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart," writes Proofpoint researchers in a recent report on tax fraud trends.

For years now, attackers have taken advantage of the sense of urgency that tax-related matters have for most US computer users during tax season to create convincing lures that look like messages from the IRS or tax preparers in order to get victims to give away sensitive information. Now, they're perfecting their techniques.

For example, in one instance, Proofpoint spotted a mobile-optimized phishing site designed to mimic tax software, specifically seeking to dupe users who lean more heavily on their mobile devices than PCs these days. Attackers are also also taking advantage of the phone to conduct voice-phishing, or vishing, attacks on users, says Adam Meyer, chief security strategist for SurfWatch. Meyers says his research has seen a surge in tax-related vishing attacks this year. Where they're upping the game on this front is in who they target, he says.

"They’re filtering by name people who tend to have a foreign name to exploit their lack of English skills as well as the fact they likely they don’t understand our tax system as well as people who have grown up with it," he says.

More costly for taxpayers, both individually and as a group paying the IRS' bills, is the increasing use of stolen information to commit tax refund fraud. The last few years has seen attackers ramping up the abuse of the the IRS' electronic filing PIN verification system in order to file a fake return under a victim's identity and have that sent to a fraudulent bank account. The information requested by the IRS to grant these E-PINs is typically of the sort trivial for identity thieves to acquire.

According to a public service announcement from the FBI today, Stolen Identity Refund Fraud (SIRF) is on the rise, and typically targets temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas -- all individuals less likely to keep close tabs on their identity details or tax return status.

And according to a new report out by fraud prevention firm Iovation, the strain of fraudulent returns meant to steal imaginary refunds using stolen identities is evident in the time it takes the IRS to review returns and issue refunds. That time has lengthened threefold in the past year.

"Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return," the FBI warned. "Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns."

According to Meyer, where the bad guys are honing their skills is in the automation of the generation of E-PINs and filing of fraudulent returns.

"There’s no authentication step before entering your data in, so this year automation has kicked in where they can point a bot at this [IRS] page, throw a database of stolen identities at it, generate thousands of E-PINS, and then go ahead and use that to file submissions within January before everyone gets their W2s," he explains

Even more troubling is the fact that enterprising criminals are commercializing the tools and educational materials meant to enable others to perpetrate tax fraud and phishing. According to Proofpoint, this year has seen a huge maturation of IRS phishing kits made to help bad guys automatically produce convincing tax-related phishing lures. And similarly, Meyer says the Dark Web is now full of one-off tools, kits, and even educational ebooks meant to help criminals learn how to commit SIRF at scale.

"It looks like they're way more turnkey this year," he says.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9431
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
CVE-2020-9432
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9433
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-9434
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
CVE-2020-6383
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.