Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/23/2016
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

IRS Tax Fraud And Phishing Advances

New techniques and automation have bad guys making more money than ever off of unsuspecting taxpayers.

Internal Revenue Service (IRS) tax phishing and fraud is hardly a new thing, but this is the year that criminals are taking it to the next level, according to a number of researchers who have been keeping tabs on phishing activity and wares sold on the Dark Web.

"Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart," writes Proofpoint researchers in a recent report on tax fraud trends.

For years now, attackers have taken advantage of the sense of urgency that tax-related matters have for most US computer users during tax season to create convincing lures that look like messages from the IRS or tax preparers in order to get victims to give away sensitive information. Now, they're perfecting their techniques.

For example, in one instance, Proofpoint spotted a mobile-optimized phishing site designed to mimic tax software, specifically seeking to dupe users who lean more heavily on their mobile devices than PCs these days. Attackers are also also taking advantage of the phone to conduct voice-phishing, or vishing, attacks on users, says Adam Meyer, chief security strategist for SurfWatch. Meyers says his research has seen a surge in tax-related vishing attacks this year. Where they're upping the game on this front is in who they target, he says.

"They’re filtering by name people who tend to have a foreign name to exploit their lack of English skills as well as the fact they likely they don’t understand our tax system as well as people who have grown up with it," he says.

More costly for taxpayers, both individually and as a group paying the IRS' bills, is the increasing use of stolen information to commit tax refund fraud. The last few years has seen attackers ramping up the abuse of the the IRS' electronic filing PIN verification system in order to file a fake return under a victim's identity and have that sent to a fraudulent bank account. The information requested by the IRS to grant these E-PINs is typically of the sort trivial for identity thieves to acquire.

According to a public service announcement from the FBI today, Stolen Identity Refund Fraud (SIRF) is on the rise, and typically targets temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas -- all individuals less likely to keep close tabs on their identity details or tax return status.

And according to a new report out by fraud prevention firm Iovation, the strain of fraudulent returns meant to steal imaginary refunds using stolen identities is evident in the time it takes the IRS to review returns and issue refunds. That time has lengthened threefold in the past year.

"Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return," the FBI warned. "Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns."

According to Meyer, where the bad guys are honing their skills is in the automation of the generation of E-PINs and filing of fraudulent returns.

"There’s no authentication step before entering your data in, so this year automation has kicked in where they can point a bot at this [IRS] page, throw a database of stolen identities at it, generate thousands of E-PINS, and then go ahead and use that to file submissions within January before everyone gets their W2s," he explains

Even more troubling is the fact that enterprising criminals are commercializing the tools and educational materials meant to enable others to perpetrate tax fraud and phishing. According to Proofpoint, this year has seen a huge maturation of IRS phishing kits made to help bad guys automatically produce convincing tax-related phishing lures. And similarly, Meyer says the Dark Web is now full of one-off tools, kits, and even educational ebooks meant to help criminals learn how to commit SIRF at scale.

"It looks like they're way more turnkey this year," he says.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .