Phishing Season Never Ends

As the 2020 tax preparation season begins in the US, the Internal Revenue Service (IRS) is warning that it is seeing more signs of cyber criminals spoofing the agency's domains and incorporating its logos and language into phishing campaigns.  Authorities are also cautioning about other fraud campaigns that spoof US government departments, with some using themes capitalizing on COVID-19 economic relief programs.  A tempting lure to many.

During February 2020, the IRS published a notification to tax professionals describing a phishing campaign that spoofs the agency's likeness, with cyber crooks attempting to steal Electronic Filing Identification Numbers.  The IRS issues these numbers to individuals or firms that have been approved as authorized IRS e-file providers.  In this phishing email scam, the hackers are trying to entice tax preparers to email documents that would disclose their identities and Electronic Filing Identification Numbers.  The cyber criminals can then use this information to file fraudulent returns by impersonating the tax professional, the IRS notes.[1]

The IRS warning notes that swindlers are also impersonating potential clients for tax preparers.  This approach has become more effective because more transactions are being remotely conducted due to the COVID-19 pandemic.  These phishing emails likely contained a malicious attachment that, when opened, would download malware, such as information stealers designed to record keystrokes or harvest credentials.  Besides Electronic Filing Identification Numbers, the fraudsters might attempt to steal tax pros' Preparer Tax Identification Numbers (TIN) or e-services usernames and passwords, according to the IRS.

Cyber criminals are getting better and more proficient at spoofing government domains for their phishing campaigns and incorporating logos and language to give the messages a legitimate appearance, security experts say. 

Besides the IRS, other federal agencies have uncovered black hat hackers spoofing their sites, especially as part of fraud campaigns designed to take advantage of federal COVID-19 economic relief programs.   As an example, last year the security firm Malwarebytes uncovered a phishing campaign spoofing a US Small Business Administration (SBA) loan offer in an attempt to steal banking credentials and other personal data.

The Financial Industry Regulatory Authority (FINRA), which helps self-regulate brokerage firms and exchange markets in the US, has also warned about fraudsters creating spoofed websites and domains using members' real names and images to steal personal information and credentials.  These types of spoofing or phishing campaigns are often launched when new websites are created to support new government benefits programs.

The goal of these campaigns is to steal credentials to gain access to victims' financial accounts, or to lure funds away from the target recipient.  Once new government benefits programs are established, it is not long before threat actors begin mimicking these sites, and they are often successful.  Often, the threat actors will design their phishing kits with official government logos and website footers to add a level of authenticity.

A May 2020 report from Proofpoint tracked about 300 phishing campaigns that spoofed government domains or incorporated proper language and logos in phishing emails.  Many of these malicious campaigns began around the time tax season started last year and during the COVID-19 pandemic.  Fraudsters have recently spoofed tax and other government agencies in the UK and Europe as well.  This is not just a US problem.

A senior manager with the security firm Lookout says that their research shows that one in 15 US government workers (federal, state and local) encountered a phishing email or threat in 2020.  He also notes that mobile phishing emails increased 37% in 2020, in part because fraudsters can buy phishing kits on underground markets.

MediaPRO, a Seattle-based provider of security training, theorizes that phishing campaigns will be better checked due to the recent SolarWinds hack, combined with the current US president's heightened focus on cybersecurity.  Experts agree that this will result in higher cyber vigilance within government agencies, and that is good.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516 

[1] https://www.bankinfosecurity.com/irs-warns-fresh-fraud-tactics-as-tax-season-starts-a-16028?rf=2021-02-22_ENEWS_SUB_BIS__Slot6_ART16028
