IT Security Blog

15 April 2009

Threat Warning: Be On the Lookout for Tax Related Scams


I thought it was appropriate to issue a "Threat Warning" (à la the National Weather Service) for tax related scams for today and for the coming days and weeks, considering today's midnight tax deadline. By a warning I am implying that conditions are ripe for something to occur even though we have not seen anything specific yet.

Considering current economic conditions, and the fact that more people who owe money are likely to be delinquent in payment this year, it is also possible that we might see a new twist this year: tax filing extension "services" that, for a fee, will grant you an extension on paying your taxes without additional interest penalties if you do not file on time.

It is also likely that we will see scams like those of years past: tax refunds that can be received faster if applied to your credit card, or purported errors made by the IRS that result in you receiving additional refund money that can be applied to your credit card or deposited directly into your bank account.

Be on the lookout for these and other potential scams spoofing the IRS. It is most important to remember that the IRS does not discuss tax refund related issues with consumers over email, so if you receive anything like what I have described above in your inbox, or anything else similar, delete those messages immediately. Our Threat Operations Center is on high alert for any IRS related scams and when any arise we will report them here.
Posted by smasiello at 2:58 PM | Link | 0 comments
12 May 2008

Whaling Scam from the US Tax Court


Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court. 

Here is an elided sample that has been received by our Threat Operations Center:

UNITED STATES TAX COURT

WASHINGTON, DC 20217

Docket No. 622-555. Filed May, 2008.

COMMISSIONER OF INTERNAL REVENUE

Petitioner.


v.


EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE

Respondent.



  PETITION

The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008



Please download a Copy of the Order, Letter, Notice or Other Document Being Appealed



This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006.  As motions, without prejudice, and remand this case to respondent.s Office of Appeals.



Respectfully submitted,

Bennett H. Klein

Tax Court Bar No KB0214

400 Second Street, N.W.,
Washington, D.C. 20217.


The link in the above sample goes to a web page hosted at the domain us-tax.org, which was just registered 4 days ago, May 8th. Based on the format of the scam URL in the above message this looks very much like some of the other recent executive targeted scams (like the US District Court scam that I also blogged about) that we have seen lately. It would not surprise me if the same group of people is behind both.


*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. That is a very low volume, an attempt to fly under the radar as much as possible.

Posted by smasiello at 10:24 AM | Link | 21 comments
22 April 2008

New Phishing Scam Targeting Economic Stimulus Payments


Right on cue, we are starting to see phishing scams with an economic stimulus payment flavor. As we predicted in one of the IRS phishing scam blog entries, as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd, with timing based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.

As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message that is being pulled directly from the IRS web site at irs.gov.

The samples that we are seeing purport to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."

The phish content is as follows:

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be directly deposited into their checking account.  The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time.  Failure to do so will result in delays.  This could be an effective tactic against those who may not be scheduled to receive their rebate until July or against the extremely impatient who think that this could be a shortcut to getting their rebate quicker.
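The two details called out above, a logo hot-linked from the real irs.gov and a "click here" anchor that leads somewhere else, are a mismatch a mail filter can test for directly. The following is an added example, not code from the original post or from MX Logic: it parses a constructed HTML body modelled on the stimulus phish (the destination host refund-example.invalid is a hypothetical placeholder, not a domain observed in the campaign) and reports every link domain that is not the brand whose imagery the message borrows.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the stimulus phish described in the post:
# the IRS logo and Privacy Policy link come from the real irs.gov, while the
# "click here" anchor goes to a hypothetical placeholder host (.invalid is a
# reserved TLD, so this never resolves).
SAMPLE_HTML = """
<html><body>
<img src="http://www.irs.gov/irs/img/logo.gif" alt="IRS">
<p>Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.</p>
<p>To access Economic Stimulus Refund, please
<a href="http://refund-example.invalid/stimulus/form.php">click here</a>.</p>
<p><a href="http://www.irs.gov/privacy/index.html">Privacy Policy</a></p>
</body></html>
"""


def registrable(host):
    """Last two labels of a hostname (www.irs.gov -> irs.gov). A crude
    stand-in for the Public Suffix List, good enough for this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects image-source domains and anchor-destination domains separately."""

    def __init__(self):
        super().__init__()
        self.image_hosts = set()
        self.link_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.image_hosts.add(registrable(host))
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.add(registrable(host))


def brand_mismatch(html, brand_domain):
    """Return the set of link domains that are NOT the brand whose imagery the
    message displays. An empty set means either no borrowed imagery or every
    link stays on the brand's own domain; anything else is the phish pattern
    described above (dressed as the IRS, linking elsewhere)."""
    p = LinkCollector()
    p.feed(html)
    if brand_domain not in p.image_hosts:
        return set()  # not borrowing that brand's imagery, heuristic does not apply
    return {h for h in p.link_hosts if h != brand_domain}


if __name__ == "__main__":
    for host in sorted(brand_mismatch(SAMPLE_HTML, "irs.gov")):
        print("logo served from irs.gov but link points to", host)
```

The check is deliberately narrow: a legitimate IRS mailing (if one existed) would link back to irs.gov, so any other destination under an irs.gov logo is worth quarantining for review. It does not catch a phish that copies the logo onto its own server, which is why it belongs alongside URL reputation rather than in place of it.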

This is about the time we expected these scams to start coming out, and this certainly won't be the last of them, especially since distribution of the stimulus payments is expected to last a couple of months.

As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:

-- The IRS does not communicate with the public over email. 
-- To that point, the IRS does not even know what your email address is.  If you use at-home tax software the software vendor might ask you for your email address, but this is for the purpose of sending you status updates with respect to your tax filing.  These emails are not from the IRS.

With respect to the economic stimulus payments, also remember:

-- The economic stimulus payments are being distributed based on your 2007 tax filing.  How your rebate is delivered to you is determined from the information on your tax forms. 
-- The payment schedule for the economic stimulus payments has already been established by the IRS.  There is no way to accelerate this process. 
Posted by smasiello at 1:43 PM | Link | 11 comments
18 April 2008

Cyber Criminals Go To Great Lengths To Establish Trust


Over the past 10 months or so we've often discussed different social engineering tactics as they relate to different types of spam and malware campaigns.  These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-level executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to. 

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to infect you with malware.  This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible.  As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help.  The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number! 

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch for new potential threat vectors and the techniques being used to trick them into giving up information that could cost them their identity, company secrets, or their life savings. 

Losses incurred as a result of cyber crime are increasing at an alarming rate, and we have now reached the point where people are more fearful of being a victim of cyber crime than of physical crime.  According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008!  That increase is no accident and does not appear to be slowing anytime soon. 
Posted by smasiello at 1:37 PM | Link | 0 comments
14 April 2008

New Government Phish - This Time Targeting the US District Court

C-level execs on the radar once again

It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again; this time spoofing the U.S. District Court. 

If you recall, starting around the end of May 2007 we started to see a month-and-a-half-long wave of messages targeted at C-level executives that carried a keylogger payload and used a lure of fake complaints against that executive's company in an attempt to get them to infect themselves.  This tactic was, unfortunately, very successful, which is why it hung around for as long as it did.  These spoofs used an effective social engineering tactic that included both the name of the person receiving the scam and the name of their company.  This fooled many into believing that the message was indeed legitimate because it didn't carry the earmarks of the typical scam that is generically blasted en masse. 

This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted.  This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.

Because it targets C-level executives, this type of attack is called "whaling."  It is called whaling because the attackers are trying to get the largest fish they can on the hook: people who are generally more affluent and stand to lose more, both personally and professionally.

Below is an example of one of these messages (Some personal information has been redacted):

AO 88(Rev.11/94) Subpoena in a Civil Case
________________________________
 
Issued by the
UNITED STATES DISTRICT COURT   
________________________________
 
Issued to:      XXXXXXXXXXXXXXXXXXX
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE    
 
SUBPOENA IN A CIVIL CASE
 
        
Case number:    91-201-NKE
United States District Court    
  
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States 
District Court at the place, date, and time specifiied below.       
________________________________
 
Place:   United States Courthouse
880 Front Street
San Diego, California 92101     
        
Room:    Grand Jury Room
room 5217       
Date and Time:   May 7,2008
9:00 a.m. PST   
  
Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los 
Angeles
, CA 90071
     
________________________________
 
Please download the entire document on this matter(follow this link) and print it for your 
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE> 

This subpoena shall remain in effect until you are granted leave to depart by the court or 
by an officer on behalf of the court.
Any organisation not a party to this suit thas is subponaed for the taking of a deposition 
shall designate one or more offcers, directors, or managing agents, or other persons
to testify on its behalf, and may set forth, for each person designated, the matters on
wich
the person will testify. Federal Rules of Civil Procedures,20(b)(6).
 
Failure to appear at the time and place indicated may result in a contempt of court 
citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct
any questions to the person requesting you to appear: City Prosecutor.

You'll notice a few spelling errors, which are the typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one).  They also went to the trouble of registering a new domain, cacd-uscourts.com. 

Here is where it gets funny:

-- cacd-uscourts.com is the domain used.  If this were really a government domain, wouldn't it have a .gov TLD?
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA
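The three tells listed here, and the same pattern in the US Tax Court scam above (us-tax.org, registered four days before the mailing), reduce to two checks on the link host: a government-sounding name that is not under .gov, and a registration only days old. The block below is an added example, not code from the original posts or from MX Logic. It refangs the `hxxp://` style links quoted in the posts, applies both checks, and takes domain creation dates from an inline dict derived from what the posts report (cacd-uscourts.com "two days ago" relative to the 14 April 2008 post, us-tax.org on 8 May 2008) rather than from a live WHOIS query, so it runs offline; the nzkaa.info lure from the March post is included to show that a neutral name with no known registration date produces no flags at all.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed inputs: the lure sentences and defanged links are the ones
# quoted in the posts. Creation dates are derived from the posts' wording
# ("registered two days ago" on 14 April 2008; us-tax.org on 8 May 2008),
# not from a WHOIS lookup, which is out of scope for an offline example.
SUBPOENA_LURE = (
    "Please download the entire document on this matter(follow this link) "
    "and print it for your record. "
    "<hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE>"
)
UPDATE_LURE = (
    "To begin the update, please visit hxxp://nzkaa . info and click "
    '"Open" when asked how to begin the download.'
)
WHOIS_CREATED = {
    "cacd-uscourts.com": date(2008, 4, 12),
    "us-tax.org": date(2008, 5, 8),
}

# Matches http/https and the hxxp defanging, and tolerates the " . " spacing
# used in the March post to break a hostname.
URL_RE = re.compile(r"h(?:xx|tt)ps?://(?:[^\s<>\"']| \. )+", re.IGNORECASE)

# Labels that make a hostname sound governmental. Matched against whole
# labels (split on '.' and '-'), so "irs" does not fire on "first".
GOV_TOKENS = {"irs", "uscourts", "ustaxcourt", "tax", "treasury", "gov"}


def refang(url):
    """Undo analyst defanging so the URL parses: hxxp -> http,
    '[.]' and ' . ' -> '.'."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace(" . ", ".")


def registrable(host):
    """Last two labels; a crude stand-in for the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def assess_url(url, today, whois=WHOIS_CREATED, max_age_days=30):
    """Return (domain, flags). Flags fire for a government-sounding name
    outside .gov and for a registration no older than max_age_days.
    `today` may be a date or an ISO string such as "2008-04-14"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    host = (urlparse(refang(url)).hostname or "").lower()
    domain = registrable(host)
    flags = []
    labels = set(re.split(r"[.-]", host))
    if labels & GOV_TOKENS and not host.endswith(".gov"):
        flags.append("government-sounding name outside .gov")
    created = whois.get(domain)
    if created is not None:
        age = (today - created).days
        if age <= max_age_days:
            flags.append("domain registered %d day(s) ago" % age)
    return domain, flags


def assess_message(text, today):
    """Assess every URL found in a message body."""
    return [assess_url(u, today) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for domain, flags in assess_message(SUBPOENA_LURE, "2008-04-14"):
        print(domain, flags or "no flags")
    for domain, flags in assess_message(UPDATE_LURE, "2008-03-06"):
        print(domain, flags or "no flags")
```

In production the `WHOIS_CREATED` dict would be replaced by a WHOIS or RDAP lookup with caching, and the token list tuned to the brands your users actually receive mail from; the two-label `registrable()` shortcut also misfires on suffixes like `.co.uk`, which is what the Public Suffix List is for.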

It's been a while since we have seen this type of scam outside of the IRS spoofs that we have been seeing in accordance with tax season so I am sure it will get its share of victims.  No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams.  More information to come as it becomes available.


**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hitting our system at a rate of about 30 per hour.  Obviously very low overall volume, but that speaks to the precision of the targeting being used.  The highest hour that we have seen so far today was the 10am hour where we saw 50, and we basically saw none between midnight and 7am.  It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA.  The web site is no longer accessible.
Posted by smasiello at 1:29 PM | Link | 10 comments
27 March 2008

New IRS Refund Scam with a Vishing Twist


About an hour ago we started to see yet another new variant of the IRS Refund Scams, this time using "Vishing" or Phish By Phone as a lure.

Here is a sample of the message that we received:

Internal Revenue Service Tax Refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $215.

Tax Refund Number:84730004332 - Will Expire on 29 March 2008

Attention!
Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

To receive your tax refund please call the IRS Tax Refund Department at: 602-427-5984 .


Internal Revenue Service


Upon calling the number listed in the email (602 is an Arizona area code) you are greeted by a recorded voice that introduces itself as the Internal Revenue Service and then asks you to enter your Social Security number, credit card number, expiration date and PIN.  The interesting thing here is that the recording appears to be a poorly repurposed scam: after asking for your PIN it tells you to please wait while it is "activating your account". 

Wait a minute!  I thought I was getting a refund!

'Tis certainly the season for tax scams, and we've been seeing quite a few of them in the Threat Operations Center, ranging from phishing scams that ask for your credit card number on a fake web site with promises of a refund to malware-based scams that claim to "update the tax software installed on your computer".  We'll likely see more of them over the next 2-3 weeks as the tax deadline nears.  I would also expect to see similar types of scams with promises of things like advances on your economic stimulus payments as we get closer to early May, which is when the initial payments are scheduled to be distributed.

Posted by smasiello at 8:51 PM | Link | 3 comments
06 March 2008

Another New IRS Malware Scam


Tax Season is here and the IRS scams just keep on coming.  We've already seen and talked about many different variants of the IRS phishing emails that say you are due a refund that they will gladly refund to your credit card, but now it appears that the scams have moved into malware downloads.

We've seen a new IRS scam over the past couple of days which is trying to trick users into thinking that they need to update the tax software on their system.  Why would the IRS care what tax software you have on your system or if you have any at all?  Of course, the real answer is, "They don't." 

An example of the message that we are seeing:

Dear Tax Payer, 
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, please visit hxxp://nzkaa . info and click "Open" when asked how to begin the download.
After doing so, no further action is required on your part.

Thank you for your cooperation,
IRS.GOV Agent #4[3

The URL above is obfuscated in the event that it is still hosting malware.  At the time that I visited the site it appeared to have been taken down; however, the registration of the domain is still active, so it is possible that it could move to another IP and become a malicious site again. 

A couple of interesting/humorous things about this new spam:

-- Every spam message that has hit our systems relating to this scam has come from the same IP address: 92.48.88.145, an IP out of the UK (I wasn't aware that the IRS had offshored their email distribution :) )
-- The web site in the spam is currently (subject to change while the domain is still active) being hosted on an IP out of the Bahamas.  Another thing the government has decided to offshore, apparently.
-- Every message has HELO'd (the greeting that starts the SMTP conversation) as "Exploit".  At least they're honest :)
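A single source IP and a HELO string that is not a hostname are exactly the kind of envelope-level signature a mail gateway can match on before any content inspection. The block below is an added example, not code from the original post or from MX Logic: it parses constructed Received headers in the shape a receiving MTA writes them (the 92.48.88.145 / "Exploit" pairing is the one reported above; the second client and the mx.example.net relay are constructed for contrast), rejects HELO names that are neither a fully qualified domain name nor an address literal, and clusters messages by (client IP, HELO) so a low-volume campaign from one sender still stands out.

```python
import re
from collections import Counter

# Constructed Received headers. Three carry the pairing the post reports
# (client 92.48.88.145 announcing itself as "Exploit"); the fourth is a
# constructed legitimate-looking relay for contrast. 203.0.113.7 is TEST-NET-3
# and .example is a reserved TLD, so none of the contrast data is real.
RECEIVED_HEADERS = [
    "from Exploit (unknown [92.48.88.145]) by mx.example.net with SMTP; "
    "Thu, 6 Mar 2008 09:14:02 -0700",
    "from Exploit (unknown [92.48.88.145]) by mx.example.net with SMTP; "
    "Thu, 6 Mar 2008 09:14:05 -0700",
    "from mail.partner.example (mail.partner.example [203.0.113.7]) "
    "by mx.example.net with ESMTP; Thu, 6 Mar 2008 09:15:11 -0700",
    "from Exploit (unknown [92.48.88.145]) by mx.example.net with SMTP; "
    "Thu, 6 Mar 2008 09:16:40 -0700",
]

# "from <HELO name> (<reverse DNS or 'unknown'> [<client IP>])"
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

# At least one dotted label followed by an alphabetic TLD; enough to reject
# a bare word like "Exploit" without being a full RFC 1035 validator.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$",
                     re.IGNORECASE)


def parse_received(header):
    """Pull HELO name, reverse DNS and client IP out of one Received header.
    Returns None for headers that do not match the expected shape."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": rdns, "ip": ip}


def helo_is_suspicious(helo):
    """RFC 5321 says the HELO/EHLO argument is the client's FQDN or an
    address literal in brackets. Anything else ("Exploit", "localhost",
    a random word) is a sender that is not a real mail host."""
    if helo.startswith("[") and helo.endswith("]"):
        return False  # address literal, permitted
    return FQDN_RE.match(helo) is None


def cluster(headers, min_count=3):
    """Group messages by (client IP, HELO) and return the groups that reach
    min_count with a non-FQDN HELO. Volume per sender, not total volume, is
    what exposes a campaign that is deliberately kept small."""
    counts = Counter()
    for h in headers:
        rec = parse_received(h)
        if rec:
            counts[(rec["ip"], rec["helo"])] += 1
    return [(ip, helo, n) for (ip, helo), n in counts.items()
            if n >= min_count and helo_is_suspicious(helo)]


if __name__ == "__main__":
    for ip, helo, n in cluster(RECEIVED_HEADERS):
        print("%d message(s) from %s with non-FQDN HELO %r" % (n, ip, helo))
```

The threshold of three is for the four-line sample; on a real gateway it would be a rate over a sliding window (the post's 2,000 a day from one IP would trip any sensible setting), and the `(ip, helo)` key can be widened with the URL domain from the body to tie the envelope signature to the campaign content.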

As with the other government agency scams that we have seen to date, volume is low.  The MX Logic Threat Operations Center processed around 2,000 of these messages on 2/4, 1,600 on 2/5, and about 550 so far today (as of 1pm MST). 
As with the IRS and other government agency scams that have preceded this one, remember that the government does not send personal email to alert you of software updates, refunds, or any other official matter.  The IRS knows how to get a hold of you if they need to do so. 

Posted by smasiello at 1:21 PM | Link | 2 comments