It's income tax season, which means it's income tax scam season.
Every year, particular events cause an elevated level of cyber criminal activity, and income tax season is certainly one of them. From the criminal’s perspective, there's a windfall of potential victims emotionally invested in getting their annual return they can use to remodel their home, buy that new computer, or go on a nice vacation. In many cases, filing a tax return means cashing in thousands of dollars just by putting some basic information into a popular tax filing program. But it's this ease of use that threat actors leverage to lure victims into a false sense of security.
The importance of carefully guarding access to liquid assets such as bank account information and credit card information, and the consequences of not doing so, are becoming common knowledge. But many people still don't make the connection between the highly sensitive information needed to file a return in a tax filing program and the security risks involved. This gap in safety awareness (which affects even the more cyber-savvy set) combined with the innate drive to cash in and a carefully copied website asking for lured victims to “verify their information, ” can be a recipe for disaster.
A Quick Sanity Check can Prevent a Financial Crisis
As a threat researcher, I see this very natural response to the possibility of getting an award exploited in countless ways. During tax season, I always advise people to be particularly careful; take a deep breath and think about what’s happening, especially when being asked to verify sensitive information. As an example, the below graphic looks like a legitimate request by Intuit’s TurboTax to confirm the email address and password linked to a victim’s account:
It looks, good, and would certainly entice plenty of victims to fill it out, but since these credentials grant access to sensitive information, it’s always worth a closer look. Before filing your tax return, ask yourself four key questions:
- Who owns the site?
- Are they reputable?
- How long has it been around?
- Did I ask to be sent here?
You can answer these questions just by doing a few quick checks. The information you gather will help you avoid becoming another victim.
Question 1: In this case, we’d expect to be going to an Intuit-owned website. However, the actual Internet address that hosted this site was hXXp://turbbottax.myjino[.]ru/Turbotax2016/e.html. (We’ve “defanged” or replaced and added some characters here so visitors of this blog will not accidentally visit the site, which should be taken down soon either by an abuse department or the actual criminal). Shady.
Question 2: Now, a couple of things should immediately make you question the site’s reputability. First, the host record “turbottax” is misspelled. Second, the domain is not owned by Intuit—you’d be visiting a Russian domain.
Question 3: Let’s take a couple more minutes to log into PassiveTotal and see what else we can find out about this domain. The heatmap below shows that this domain has only resolved to one Russian IP address and the site has not been up for very long:
So either Intuit has not been around for very long, they just built a new site in Russia, or this is a scam. The latter is the obvious answer here, especially since the copyright statement on the bottom of the website refers to 2015. Additionally, when we look at the WHOIS information, the site does not appear to be owned by Intuit:
If that doesn’t satisfy your curiosity, a quick Google search for the hostname contains results from other security vendors claiming that there were phishing sites on the same domain:
Question 4: Many of these fake pages are a result of redirects from other pages. If you did not actively seek out an online tax filing service, there’s likely no reason for you to be seeing a page from one.
Anyone can be a Victim
Employers are targeted during tax season, too. RiskIQ was recently made aware of a domain squatting campaign in which a threat actor was sending out a request for W-2 information from the SVP of Human Resources, appearing to come from the CEO. Here is the PassiveTotal public project tracking the infrastructure of this threat actor, and below is a copy of the wording in the email they used:
"{firstname},
I would like you to send me the list of W-2's copies for all employees for 2016, you can send it as an attachment using PDF. Kindly prepare the lists and email them to me ASAP for a quick review.
Thanks,
{nameofceo}"
For domain squatting and spearphishing, campaigns are growing in popularity. I advise employees who receive a request for such a large volume of sensitive information, even if it comes from an executive, to double check via a different channel. It could prevent major damage to your organization.
Stay Safe Out There
I encourage everyone during this tax season to very carefully guard your personal and financial information. A few deep breaths and a couple of sanity checks just might prevent you from becoming a victim. For peace of mind, use PassiveTotal to help in your investigations—it’s free, and anyone can sign up.
To help combat this problem of income tax return scams, RiskIQ scans over 2 billion pages and nearly 20 million mobile apps per day, resulting in a curated blacklist of malicious apps, hosts, and domains across the internet. For more information on how RiskIQ can keep your organization, customers, and employees safe, contact us today.
