Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/11/2019
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Tax Hacks: How Seasonal Scams Cause Yearlong Problems

Tax season is marked with malware campaigns, tax fraud, and identity theft, with money and data flowing through an underground economy.

For most Americans, Tax Day is a red-flag deadline on the calendar. For cybercriminals, it's one day out of a season marked with scams to deceive victims out of money and personal data.

Seasonal threats are common among cybercriminals, who often exploit holidays, news, or global events for attack opportunities, says Limor Kessem, IBM global executive security adviser with its X-Force team. One of the biggest lures is tax season in the United States. "They start in January, and they drag it out until May, even June," she says. After Tax Day, they can capitalize on people waiting to receive responses on their tax returns, refunds, or payment notifications.

Tax fraud is an old problem manifesting in new ways as more people file taxes online. The IRS expects more than 90% of tax returns will be prepared electronically using tax return software, RiskIQ reports in its "2019 Tax Season Threat Roundup." People eager to cash in on tax returns are promising targets for cybercriminals, who spoof popular e-filing tools to exploit them.

IBM X-Force researchers recently discovered several of these ongoing tax-themed campaigns, three of which affect businesses as well as consumers. Attackers attempt to trick victims with messages appearing to be from major accounting, tax, and payroll services, including ADP and Paychex. Malicious Microsoft Excel attachments packed Trickbot, a common banking Trojan that infects devices to steal data and follow up with wire fraud from the owner's account.

"Trickbot itself it very focused on businesses," says Kessem of the enterprise angle. "They're out to empty those business accounts." While organizations have long been targeted with banking Trojans, the emergence of Trickbot in tax season campaigns is fairly new this year, she adds.

Researchers from IBM X-Force believe the size of the firms spoofed indicates attackers will likely be successful in tricking their customers. Businesses and individuals who use services from ADP and Paychex will likely expect to receive emails from their service providers around tax season, they point out.

All the attackers need is one person to believe a fake email, and they're in. "They want to get that one foothold," Kessem says. "They want someone who will believe their email and get infected with the malware." From there, Trickbot is equipped to move laterally on a network.

It's one of many campaigns with malware payloads mixed into tax-related emails. Late last year, Proofpoint researchers detected campaigns luring targets with urgent subject lines ("Your IRAS 2018 Tax Report," "IRS Update for 1099 Employees"). These malicious messages, which typically rely on advanced social engineering techniques to alarm their victims, distributed a variety of remote access Trojans: Orcus RAT, Remcos RAT, and NetWire among them.

Tax Fraud? There's An App for That
Taxpayers filing via a mobile app should be on alert for fraudulent apps, RiskIQ reports. While most apps for tax filing are secure and don't store data on the device, fake mobile apps often impersonate popular tax-filing services to get people to give up sensitive data. While many are hosted on third-party stores, they've also been seen on official Google and Apple app stores.

There are ways to spot fake apps, RiskIQ researchers point out, using a fraudulent H&R Block app as an example. For starters, there is no developer listed – a major red flag – and it requires more permissions than necessary: record audio, camera access, and download data without notification. The app could effectively spy on the unknowing user, even if that person isn't using his phone.

The Industry of Identity Fraud
You don't need to be a skilled hacker to hack Tax Day, Carbon Black found in a new report on tax fraud and identity theft on the Dark Web. Cybercriminals have long sold identity and banking data online. Now researchers say the economy around tax identity theft has grown.

"Identity theft has really gone beyond a pickpocket or creation of a credit card in your name," says Tom Kellermann, chief cybersecurity officer at Carbon Black. "I would call it robbery of your financial future. They can commandeer … your financial identity and use it in perpetuity."

It's easy and cheap for even unskilled hackers to pull off: Dark Web marketplaces sell W-2 and 1040 forms for between $1.04 and $52. Names, Social Security numbers, and birthdates are similarly inexpensive, with prices ranging from $0.19 to $62. For $1,000, a relatively inexperienced hacker can buy authenticated access to a US bank account, file a fake tax return, claim the refund, and cash out through a cryptocurrency exchange to get a $100+% return on investment.

The evolution in tax fraud can be seen in lower prices for tax identity theft on the Dark Web, sellers working to differentiate their products, and new products being developed. And identity theft can lead to credit card and home equity loan fraud, which pack long-term damage.

"Wealth goes beyond the money [victims] have; it's lines of credit that can be established in their name," Kellermann says. Home equity fraud is easy with a stolen W-2; victims don't know until it's too late. "This highlights the fact that if you can compromise someone's W-2s, the first step is to get the refund, and the second and third steps are far more nefarious," he adds.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.