The Dark Web has been host to marketplaces dealing in a variety of illicit goods practically since its inception. In time for tax season, there has been a resurgence of identity theft with the aim of fraudulently redeeming tax refunds, according to a Thursday report from security research firm Carbon Black, which noted that online sales of identities are making the process easier than ever for cybercriminals.
According to the report, W-2 and 1040 tax forms are available on Dark Web marketplaces at prices between $1.04 and $52, with names, social security numbers, and birthdates ranging from $0.19 to $62. A turn-key solution allows “a relatively inexperienced hacker [to] purchase authenticated access to a U.S.-based bank account, file a false tax return, claim the
IRS refund and cash out via a cryptocurrency exchange for a 100+% return on investment,” for an upfront investment of around $1,000, the report found.
SEE: How technology is impacting and supporting the public sector (free PDF) (TechRepublic)
In doing so, attackers can “more than double” their investment, as Carbon Black claims that the “United States tax refund system, when exposed to the ruthless efficiency of dark web marketplaces, has been turned into [a] Vegas-style slot machine. Insert some Bitcoin, pull the handle and figure out how to receive your $2,000 – $3,000 from the U.S. Treasury courtesy of a faceless victim thousands of miles away.”
This has been an ongoing problem for years, with CBS News reporting in 2018 that hackers targeted computers of tax preparers to gain this information, using “phishing scams that then loaded malicious software onto their computer systems, making all the taxpayer information that was kept by these preparers vulnerable to theft.” Some of the fraudulently submitted tax returns were inadvertently sent to the victims of identity theft, prompting scammers to contact victims demanding the money be forwarded to the scammer.
The IRS identified $10 billion in tax fraud in 2018–about four times as much as in 2017, according to Carbon Black.
Carbon Black recommends that users take the following measures to protect themselves to reduce their chances of becoming a victim:
- Use a bank that offers multi-factor authentication for logins.
- Use an external password manager with a master key, not the save password function in your browser.
- File your taxes as soon as possible to shorten the window of opportunity for scammers to file impersonating you.
- Be mindful of giving information away. “If a website doesn’t have a legitimate need for personal information, don’t provide it.”
- Never transfer money (via wire, electronic check, credit card, etc.) based off an email you are not expecting, without authenticating the requestor over the phone or in person.