Phishing in Season: Tax Time Malware, Phishing and Fraud

Categories: Fraud Intelligence,FraudAction

By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

As phishers will have it, phishing attacks are quite the seasonal trend. It seems that every April, right after a slow first quarter, fraudsters awaken and get back to working on vast spam campaigns that ride the tides of tax-filing season.

This time of year brings a few flavors of spam into the mailboxes of online users, including malware attachments purporting to be tax statements, tax authority-themed phishing, and online tax filing scams. In this special highlight, we will cover the main types of online threats that star during the tax filing season, most of which are already rampant in the wild.

Tax Authority Phishing Themes

Although phishing is most often a direct attack, targeting account holders by presenting them with messages from and replicas of their banking service providers, indirect phishing can be just as efficient, if not more.

In these scams, phishers will create an email purporting to come from the local tax authority, encouraging taxpayers to browse to a (phishing) page where they will be tricked into believing they are opening an online account, updating their personal information, contesting a fraudulent statement or receiving a refund.

Phishers use the taxation entity’s credibility and authority in order to ask victims to part with their personal information, address and phone details as well as account information, access to online and phone banking, as well as complete credit card details. Those attacks can be very elaborate and eventually allow fraudsters to devise a wider array of identity theft scenarios, including loan and credit card application, fraudulent ecommerce purchases, fraudulent tax filing, and bank account takeover.

Tax-Themed PhishingElaborate phishing page designed to steal access credentials and personal financial information.

Tax-Themed Phishing
Elaborate phishing page designed to steal access credentials and personal financial information.

 

Malware Hidden in Tax-Themed Emails

Another very popular threat during tax season is malware-laden email, purporting to come from a tax authority, usually with a threatening message to the reader, urging him to download and open an attachment. The file is of course a Trojan executable, which can sometimes be revealed by simply looking at the file extension, like in the image below. Note that the file extension is .pdf followed by .exe – a Trojan executable file. When opened, the malware will be deployed and infect the PC.

    Tax-Themed Malware Spam    Email purporting to come from tax authorities, urging users to download and open an attachment.

Tax-Themed Malware Spam
Email purporting to come from tax authorities, urging users to download and open an attachment.

One of the malware campaigns currently active in the wild is spreading the Brazilian Banker Trojan “Bancos” under the guise of a message from the fiscal authority in Brazil.

Here too, it is easy to see that the fake file extension is not really .docx, but rather .exe – in an attempt to hide the Trojan’s executable.

2013-03_Fig3_Bancos

Tax-Themed Malware Spam
Email purporting to come from Brazilian tax authorities, urging users to
download and open the concealed Bancos Trojan

Online Tax-Filing Scams

Since tax authorities have been allowing taxpayers to file their annual declarations with online service providers, fraudsters have been increasingly interested in phishing for access credentials to victims’ user accounts, in hopes of rerouting the refund payments that may be due.

In many cases, fraudsters check if the potential victim has already filed the return, and if not, they will proceed to filing a false declaration in the victim’s name, using numbers that will result in a refund, and then attempt to have the expected payment sent to a prepaid card or an account they control. The IRS reported it saw an 80% increase in tax-return fraud between 2011 and 2012 – this rate will likely grow again this year with the popularity of online filing and the added chance of interception by cyber criminals.

One of the present campaigns running in the wild falsely alerts taxpayers that their return was rejected, all while delivering a Trojan attachment (.exe) in the guise of an archived file (.zip).

Taxpayer User Account Takeover Attempts

In this last example of tax-themed online threats, some cyber criminals, usually operating locally and versed with the regional processes, will attempt to phish a taxpayer for his access credentials to the tax authority’s web services.

From there, the actors will attempt to gain insight into amounts possibly due to the victim, find out if they already filed a tax return, attempt to modify where the account refund(s) should be sent to, or in other cases create a fake account with the online tax filing service to submit a bogus return in order to yield a refund.

The actual phishing can be carried out online, by directing taxpayers to click and browse to a hyperlink inside an email, or by opening the attack locally – a local HTML phishing scam that will appear on the victim’s PC.

    Tax Authority Online Service Takeover Attempt    Email purporting to come from tax authority, asking taxpayers to browse to the phishing website

Tax Authority Online Service Takeover Attempt
Email purporting to come from tax authority, asking taxpayers to browse to the phishing website

In the next image, the taxpayer received an HMTL file inside the email – containing the phishing page. The URL that will appear when opening that file, will show a local path on the user’s PC.

Once harvested, data from such “standalone” attacks will end up being sent to the phisher thereafter, usually depending on drop engines that use PHP or ASPX files hosted on unique URLs, or via drop engines using an online form service account (generic URL).

 

    Tax Authority Online Service Takeover Attempt    Email purporting to come from tax authority, hosting a standalone phishing attack to harvest taxpayer information.

Tax Authority Online Service Takeover Attempt
Email purporting to come from tax authority, hosting a standalone phishing attack to harvest taxpayer information.

Conclusion

Although phishing attack numbers can fluctuate monthly and depend on factors that are harder to predict – such as the ability of phishers to launch campaigns and the number of attacks each individual or gang would launch – seasonal trends are rather consistent.

Tax-filing season is probably one of the most popular times of the year for phishers to hit taxpayers with spam and malware infections since tax authorities can be a driver that would make people react quickly to emotional triggers such as:

  • Entitlement – expecting a tax refund and wishing to receive it ASAP
  • Anxiety – being faced with the (false) accusation of a rejected/fraudulent statement and wanting to rectify the issue
  • Sense of obligation – having to comply with the civil obligation to report to the taxation authorities

In terms of the time-span for this seasonal trend, tax deadlines typically fall on April 15, but fraudsters are known to begin sending this type of spam in February and continue spreading the campaigns well into May and June, in the form of fake returns and bogus rejected/fraudulent statements. This phenomenon is often reflected in phishing attack spikes recorded annually through Q2.

Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.

Limor Kessem
Author:

Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter