Cybercriminals get creative with tax scams ahead of April 15

Hackers are going after everyone this tax season, including the companies handling our most sensitive information.

Tax season is upon us and cybercriminals have taken notice, unleashing a tidal wave of attacks targeting every US citizen and tax prep company. 

Hackers are stealing customer information from tax-related websites and sending malware to accountants seeking personal and financial information. 
 
"If you have the word 'tax' in your domain name; you're a target this year. And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately," said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
 
According to DeGrippo, cybercriminals have long focused on regular citizens and accountants with emails containing malicious links or corrupted files, but this year hackers are making better fake tax-themed emails with realistic company headers. By downloading remote control applications onto devices, attackers gain full control of access to any banking and investment information. 
 
The emails resemble those an accountant or CPA would receive from a client but contain applications like TeamViewer or Netwire Remote Access Tool. 
 
Criminals are also looking for ways to corrupt the simple websites accounting firms build to market themselves online. Through malicious HTML code hackers are able to steal customer emails and get information that can be used to break into a system in other ways.
 
"This year two standouts that Proofpoint researchers are seeing with tax-related attacks are threat actors abusing the legitimate application TeamViewer and compromising legitimate tax-themed websites," DeGrippo added in her report, "2020 Tax Season Attacks: Abusing Legitimate Applications and Websites."
 
"In particular, this year, people who run smaller tax preparation and accounting companies who have websites should take time to look at how they're securing their sites and move their sites to hosting companies that include updating and security as part of their offering."
   
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)

The report notes that applications like TeamViewer are considered legitimate and will not be tagged as malware by most security programs. 

DeGrippo said Proofpoint's researchers have also seen "more traditional malware attacks that use malicious attachments within messages claiming to have attached W2, W4, and 1099 tax forms."
 
"In one campaign like this, we saw over 5,000 messages over the span of three days targeting financial firms and manufacturing companies. These messages had subjects like: 'Important changes, filing due date and charges to form 1099,' 'Important adjustments, filing due date and fees to form 1099,' 'Significant adjustments, submitting deadline and fees to form 1099,' 'IRS Taxes.'" 
 
All of the Microsoft Word documents contained hiden banking Trojan's called "The Trick," which are commonly used to steal financial information.
 
Cybercriminals are also targeting retailers with emails tilted, "Tax Form W-4" that aim to steal user Office 365 logins for access to  company financial documents. 
 
These kinds of attacks are just one tentacle of a wide range of attacks criminals are leveraging to get tax-related information. In the report, DeGrippo writes that cybercriminals are taking advantage of unpatched and out-of-date WordPress or content management system installations to change the raw HTML of a webpages. 
 
These kinds of attacks are designed to take advantage of the inexperience some tax firms may have with website security and plant malicious code on the site that will download malware to anyone coming to the website. 
 
"To better cover their tracks, attackers will frequently have the malware hosted somewhere else, making it even harder to detect that the site has been compromised and is serving up malware. In these attacks, we've seen the sites of smaller tax preparation and accounting firms targeted and compromised," DeGrippo added. 
 
"This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they've happened."
 
Troy Gill, manager of security research at AppRiver, wrote a report last month highlighting how cybercriminals were attacking people with phishing emails purporting to contain their W2. These emails were complete with clickable links in the message that lead to a well-made phishing pages posing as a legitimate ADP login portals. 
 
Once the cybercriminals have your credentials, Gill said they will then attempt to access the portal and commit any number of crimes, including changing the employees direct deposit information and redirecting funds to themselves. 
 
"In cases where the employer does not have a second verification in place for this type of change this could be quite lucrative for the attackers. It is also possible to expose the employees bank account and routing numbers in the portal. In addition, the attackers could also access personal information about the employee which includes name, D.O.B., physical address, pay stubs, Social Security number, etc," Gill wrote. 
 
"This information is also valuable and could be used or resold for identity fraud purposes. Additionally, the employees legitimate tax documents can also be found here. This could be used by the attackers to file fraudulent tax returns on the employee's behalf to direct their tax returns to the attacker's coffers."
 
Threat researchers at Zix-AppRiver released a report last week detailing their efforts monitoring and actively battling a series of Business Email Compromise attacks on CPAs and law firms over the past month.
 
After multiple clients came to them with similarly fake tax inquiry emails, the threat researchers posed as a legitimate CPA firm to lure the attackers in.  
 
"They found that these criminals were using a remote access tool that allows remote access, password stealing, keylogging, screen capture and webcam access, and allows hackers to exfiltrate customer tax data from the CPAs and law firms that can then be used to commit identity theft tax refund fraud. This data can also be leveraged or sold for additional attacks," the Zix-AppRiver report said. 
 
The same team wrote another blog post about six different scams commonly used to target taxpayers, which involve ranged Social Security numbers, IRS impersonation emails, tax transcript email scam, fake Bureau of Tax Enforcement emails, tax-related phone calls and ghost tax preparers.
 
For protection, DeGrippo said everyone should treat all tax-themed attachments as potentially malicious.
 
"These days, many tax preparation and accounting companies don't send information as attachments through regular email. They're increasingly using secured email and document sharing portals. If you get an email with a tax-themed attachment, even one you may be expecting, verify with the sender before opening it," DeGrippo wrote. 
 
She added that anyone in charge of a tax preparation or accounting firm website should host it with companies that will take care of any patches or updates automatically. According to the report, even websites with just a company's email and phone number are vulnerable and should only be managed by people with the necessary time, expertise and resources. 
 
US citizens should also know that the IRS will never have you do anything through email, Gill said, adding that people should make sure to check every email sender box and type links directly into browsers instead of clicking through links.  
 
"The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. Recognize the telltale signs of a scam," the IRS wrote in a blog post about scams in December. 
 
The IRS also says people should look out for tax-related identity theft in a number of scenarios.  If anyone gets a letter from the IRS inquiring about a suspicious tax return that you did not file or you can't e-file your tax return because of a duplicate Social Security number, be wary. 
 
Other telltale signs involve mailed tax transcripts that you did not request, IRS notices that online accounts have been created in your name, notices that your existing online account has been accessed or disabled when you took no action, emails that you owe additional tax or refund offset, or that you have had collection actions taken against you for a year you did not file a tax return. 
 
If you ever get emails saying IRS records indicate you received wages or other income from an employer you didn't work for, you should also be concerned it is a scam. 

According to the Taxpayer Advocate Service, the IRS stopped $2.7 billion in refunds from being issued to criminals between Jan. 1, 2019 and Sept. 30, 2019.

Also see

istock-670716992.jpg

Getty Images/iStockphoto