Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/23/2016
11:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

IRS Tax Fraud And Phishing Advances

New techniques and automation have bad guys making more money than ever off of unsuspecting taxpayers.

Internal Revenue Service (IRS) tax phishing and fraud is hardly a new thing, but this is the year that criminals are taking it to the next level, according to a number of researchers who have been keeping tabs on phishing activity and wares sold on the Dark Web.

"Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a degree of sophistication and pervasiveness that sets this year apart," writes Proofpoint researchers in a recent report on tax fraud trends.

For years now, attackers have taken advantage of the sense of urgency that tax-related matters have for most US computer users during tax season to create convincing lures that look like messages from the IRS or tax preparers in order to get victims to give away sensitive information. Now, they're perfecting their techniques.

For example, in one instance, Proofpoint spotted a mobile-optimized phishing site designed to mimic tax software, specifically seeking to dupe users who lean more heavily on their mobile devices than PCs these days. Attackers are also also taking advantage of the phone to conduct voice-phishing, or vishing, attacks on users, says Adam Meyer, chief security strategist for SurfWatch. Meyers says his research has seen a surge in tax-related vishing attacks this year. Where they're upping the game on this front is in who they target, he says.

"They’re filtering by name people who tend to have a foreign name to exploit their lack of English skills as well as the fact they likely they don’t understand our tax system as well as people who have grown up with it," he says.

More costly for taxpayers, both individually and as a group paying the IRS' bills, is the increasing use of stolen information to commit tax refund fraud. The last few years has seen attackers ramping up the abuse of the the IRS' electronic filing PIN verification system in order to file a fake return under a victim's identity and have that sent to a fraudulent bank account. The information requested by the IRS to grant these E-PINs is typically of the sort trivial for identity thieves to acquire.

According to a public service announcement from the FBI today, Stolen Identity Refund Fraud (SIRF) is on the rise, and typically targets temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas -- all individuals less likely to keep close tabs on their identity details or tax return status.

And according to a new report out by fraud prevention firm Iovation, the strain of fraudulent returns meant to steal imaginary refunds using stolen identities is evident in the time it takes the IRS to review returns and issue refunds. That time has lengthened threefold in the past year.

"Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return," the FBI warned. "Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns."

According to Meyer, where the bad guys are honing their skills is in the automation of the generation of E-PINs and filing of fraudulent returns.

"There’s no authentication step before entering your data in, so this year automation has kicked in where they can point a bot at this [IRS] page, throw a database of stolen identities at it, generate thousands of E-PINS, and then go ahead and use that to file submissions within January before everyone gets their W2s," he explains

Even more troubling is the fact that enterprising criminals are commercializing the tools and educational materials meant to enable others to perpetrate tax fraud and phishing. According to Proofpoint, this year has seen a huge maturation of IRS phishing kits made to help bad guys automatically produce convincing tax-related phishing lures. And similarly, Meyer says the Dark Web is now full of one-off tools, kits, and even educational ebooks meant to help criminals learn how to commit SIRF at scale.

"It looks like they're way more turnkey this year," he says.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11873
PUBLISHED: 2019-05-23
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, to...
CVE-2019-12295
PUBLISHED: 2019-05-23
In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.
CVE-2019-12293
PUBLISHED: 2019-05-23
In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...