Tax-time Phishing: A Global Problem

I don’t think anyone likes to do taxes… unless you’re an accountant. Maybe.

Collecting all the documents, knowing which ones are needed, completing them in time, and handing over payments is a headache for individuals and companies alike. Phishing threat actors know this and will try to take advantage.

The United States Internal Revenue Service provides lots of resources about recent and relevant phishing attacks and scams targeting American taxpayers. Their international counterparts in the United Kingdom and Australia also provide extensive resources on recent attacks impacting their taxpayers. One important aspect of the material provided by these organizations is the delineation between what communication can be expected from each taxation authority and what forms of communication should be considered suspicious. For example, the Internal Revenue Service states that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

The most common social engineering tactics utilized by threat actors appeal to fear, uncertainty, and doubt—three things that, for some, go together with the tax filing season. Often, threat actors will use phishing narratives that threaten the recipient with legal action because they supposedly failed to properly file their taxes. Other techniques use reminders or “helpful hints” appealing to recipients’ uncertainty and desire to take the best route for doing their taxes. These messages are often used to deliver malware tools designed to steal personal and corporate information. However, other threat actors take a still-more direct route inspired by the CEO fraud and BEC attacks that have become very popular and very, very profitable. In these scenarios, the threat actors impersonate a VIP within a company or organization and simply request that someone in the company’s human resources department send a copy of all the income reporting forms for every employee in the company.

Both techniques embody an interesting intersection that belies how threat actors operate. Threat actors often seek to infect the largest number of users possible with their malware tools. This allows them to maximize their opportunities for monetizing their malware deployments whether the malware in use is designed to provide access to private information or to simply encrypt it and demand a ransom payment. One example identified by PhishMe Intelligence in December 2016 targets individuals by offering up unsolicited tax advice regarding retirement savings. Attacks like these, if directed to victims outside of a firm or organization, can be used to impact those victims as individuals only.

Figure 1 – Unsolicited tax advice has been observed as an avenue for delivering malware

Threat actors have recognized this and some have adjusted their strategy. As a result, they have introduced attacks that take advantage of the intersection of two contemporary techniques.

First, they employ elements of soft targeting, a strategy in which phishers cast a wide net using a narrative intended to appeal to a class of individual. A prolific example of soft targeting is the ever-present “resume” phishing theme intended to disproportionately impact human resources personnel. Similarly, many tax-themed phishing campaigns are designed to disproportionately impact financial and accounting professionals within companies so the threat actor can gain access to the greatest amount of sensitive information at once. Whether the attack is designed to deliver a tool to steal financial information or hold it for ransom, threat actors appeal to accounting professionals’ careful handling of tax matters.

Second, phishers blend their techniques with the CEO fraud or BEC strategies by imposing a fake demand that an accounting professional turn over a company’s W-2 information for “review” by an imposter company VIP. These fraudulent requests are directed to someone within the organization responsible for fulfilling the requirement that tax information be completed promptly and accurately. The threat actor is therefore linking together the pressure of responding to senior management with the pressure of completing taxation paperwork promptly. The result is a compelling narrative that the threat actor hopes will result in the turnover of sensitive information about a company’s employees—simply by asking for it.

An example of the former was used to deliver the Spora Ransomware in January 2017 using a lure informing the victim that a “loyalty” tax refund may be available to them. With the listed sender “IndustrialandCommercial[.]com”, this was intended to resemble an opportunity for the recipient to learn more about a tax break to which their company may be entitled.

Figure 2 – Other campaigns have attempted to pitch a tax break to recipients

These appeals are not unique to the United States. Threat actors have frequently abused the names and impersonated representatives of taxation authorities around the world. Examples collected by PhishMe Intelligence in just the past two months include emails delivering malware through impersonation of Australian, Brazilian, Indian, and Italian tax authorities. Each example delivered some form of malware utility used to carry out the theft of sensitive information.

Figure 3 – Australian Tax Office impersonated to deliver malware

Figure 4 – Increased diversity in impersonated tax authorities over the past year

Figure 5 – Examples include full internationalization in language selection

While these threat actors all sought to deliver some malware tools to their victims, threat actors requesting sensitive information have been active this year as well. The rash of BEC and CEO fraud scams netted criminals around the world more than 3 billion dollars and cost US victims just shy of a billion dollars as of June 2016, per FBI reporting. Emulating this technique, other threat actors target the private, personal information of companies’ employees by sending emails to custodians of W-2 information while impersonating a member of a company’s top-level management. These emails simply ask individuals to turn over to the criminal all the W-2 information for the company.
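For mail administrators, the W-2 request pattern described above can be turned into a triage check. The following is an added example, not code from PhishMe or the original article: it reports which traits of that pattern (an executive's name on an outside address, a diverted reply path, a request for W-2 data covering every employee) appear in a message. The organisation domain, executive names, keyword patterns, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example; replace with the organisation's own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

W2_TERMS = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)
BULK_TERMS = re.compile(
    r"\ball\s+(?:of\s+)?(?:our\s+|the\s+)?(?:employees|staff)\b|\bevery employee\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def w2_bec_indicators(raw_message):
    """List the W-2 request indicators found in one single-part text message."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = []
    # A known executive's name attached to an address outside the organisation.
    if display_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        hits.append("executive display name on external address")
    # Replies would be routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        hits.append("Reply-To domain differs from From domain")
    if W2_TERMS.search(text):
        hits.append("mentions W-2 data")
        if BULK_TERMS.search(text):
            hits.append("asks for every employee's records")
    return hits

# Constructed sample messages (reserved example/test domains).
SPOOFED = """From: Jane Doe <jane.doe@example-mail.test>
Reply-To: jane.doe@inbox.test
To: payroll@example.com
Subject: W-2 review

Please send me the W-2 forms for all employees as a PDF for a quick review.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: all-staff@example.com
Subject: W-2 forms available

Your W-2 is now available in the payroll portal.
"""
```

A message that trips several indicators at once is a candidate for hold-and-verify through a second channel before any employee records leave the organisation; a single hit, such as the internal payroll notice, is routine.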

Like taxes, it’s clear these types of attacks are not going away anytime soon. However, through consistent training, organizations can battle these types of threats and potentially lower their impact. It’s important to remember that the IRS will never ask you for any sensitive information in an email, and when in doubt, go directly to the IRS website instead of following links in emails.

Now, there are 3 things about which you can be sure: Death, Taxes and Phishing!