Cybercriminals have long used social engineering and phishing techniques to lure unsuspecting users into giving away private information. They track current trends and events to make their attacks more effective, and tax season offers a rich opportunity for attackers to disguise themselves as well-known brands and even government agencies in an effort to exploit users. The Zscaler threat research group has examined the traffic in the Zscaler cloud for the past two months and has noticed new phishing websites that attackers are hosting this tax season. Below we share our observations about how they are targeting their victims and tricking them into divulging personal and financial information.
Tax phishing campaign #1 – IRS phishing over HTTP/HTTPS
Below is a phishing page that is spoofing the IRS in an attempt to collect users’ IRS login credentials.
Figure 1: IRS Phishing Login page.
The same server was also hosting a fake IRS account unlock webpage as shown below.
Figure 2: IRS Phishing account unlock page.
After the form is submitted, the attacker redirects the user from the phishing page to a legitimate e-policy statement hosted on the actual IRS site, shown below. Landing on a genuine irs.gov page is meant to prevent the user from becoming suspicious.
Figure 3: Original IRS e-policy page to which user is redirected after phishing activity.
At this point, the victim believes they have completed the account unlock process and proceeds to log in on the legitimate page, unaware that their credentials have already been stolen.
This activity was observed on a compromised website: valeortho[.]com. Fig. 1 and Fig. 2 show the phishing pages served over plain HTTP, but we also saw the same content served over HTTPS, so the presence of a padlock on its own says nothing about whether a page is legitimate.
Tax phishing campaign #2 – “chalbhai” IRS phishing
Another example of an IRS identity validation phishing site can be seen here.
Figure 4: IRS identity validation phishing.
The phishing page is based on an old template, since it refers to the 2014 Federal Income Tax year. The interesting point is that the source code of the page contains the string “chalbhai” in the form. We have typically seen this tag associated with phishing pages that imitate Microsoft Office 365, Apple ID, Dropbox or DocuSign, so this is a good example of a phishing kit being repurposed to reflect current trends. The tag can be seen in the screenshot below.
Figure 5: “chalbhai” campaign.
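Because the kit marker survives from template to template, it is a cheap thing to hunt for in page source. The following is an added example, not code from the Zscaler post or from the phishing kit: it pulls every form out of a page, flags any whose markup contains the “chalbhai” string, and lists inputs whose names suggest credential or identity harvesting. The post only says the string appears “in the form”, so where exactly it sits (here, the form’s name attribute) and the list of sensitive field names are assumptions, and the sample HTML is constructed for the example.

```javascript
// Added example: scan HTML for the "chalbhai" kit marker and credential-harvesting forms.
// Not code from the post or the kit; the marker position and field list are assumptions.
const KIT_MARKER = "chalbhai";
// Field names typical of credential/identity harvesting (assumed list, not from the post).
const SENSITIVE_FIELDS = /^(pass(word|wd)?|pin|ssn|social|dob|card(number)?|cvv)$/i;

// Extract each <form ...>...</form> block with its action and the names of its inputs.
// A regex is enough for this constructed sample; a real scanner should use a DOM parser.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [markup, attrs, body] = m;
    const action = (attrs.match(/\baction\s*=\s*["']([^"']*)["']/i) || [null, ""])[1];
    const inputs = [];
    const inputRe = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
    let im;
    while ((im = inputRe.exec(body)) !== null) inputs.push(im[1]);
    forms.push({ action, inputs, markup });
  }
  return forms;
}

// One record per form: does it carry the kit marker, and which inputs look sensitive?
function scanForms(html) {
  return extractForms(html).map((f) => ({
    action: f.action,
    hasKitMarker: f.markup.toLowerCase().includes(KIT_MARKER),
    sensitiveInputs: f.inputs.filter((name) => SENSITIVE_FIELDS.test(name)),
  }));
}

// Only the forms worth an analyst's attention.
function suspiciousForms(html) {
  return scanForms(html).filter((f) => f.hasKitMarker || f.sensitiveInputs.length > 0);
}

// Constructed sample page: a look-alike identity-validation form carrying the marker,
// followed by a harmless search form. This HTML is made up for the example.
const SAMPLE_PAGE = `
<html><body>
<form method="post" action="next.php" name="chalbhai">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn">
  <input type="submit" value="Verify">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>`;

console.log(JSON.stringify(suspiciousForms(SAMPLE_PAGE), null, 2));
```

Run with `node scan.js`; on the sample it reports only the first form, with the marker set and `password` and `ssn` listed. The marker check is the high-confidence signal; the sensitive-field check is there so that a re-skinned kit that drops the string still surfaces.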
The hits for the “chalbhai” phishing campaign for the months of Jan. and Feb. 2018 are shown below.
Figure 6: “chalbhai” campaign hits for months of Jan and Feb 2018.
Tax phishing campaign #3 – encrypted IRS phishing
Figure 7: IRS identity verification phishing page.
In this campaign the phishing content is not present in the served HTML in the clear: the page carries it as an AES ciphertext and a JavaScript routine decrypts it in the victim’s browser before the IRS form appears. A scanner that only inspects the raw HTML therefore never sees the form, which is the point of the encryption. The figure below shows the call to the AES decrypt function on the phishing page.
Figure 8: AES decrypt call on phishing page.
More examples of phishing URLs employing encrypted content:
We have also seen encrypted phishing templates being leveraged to target brands like Apple, Chase, HSBC, and PayPal in the past few months.
Figure 9: AES encrypted phishing campaign hits for months of Jan. and Feb. 2018
Tax phishing campaign #4 – Intuit TurboTax phishing
Attackers are also targeting known tax preparation tools like TurboTax. Here is one such example.
Figure 10: turbotax phishing page.
In this instance, once the user enters the information and clicks update, the user is redirected to the actual TurboTax login page shown below. Similar to the IRS example, the attacker steals the information before redirecting to a legitimate page, keeping users unaware that they have fallen victim to a phishing attack.
Figure 11: Original turbotax login redirect after phishing page submit.
Another variant of the TurboTax phishing page is shown here.
Figure 12: TurboTax phishing page variant.
We have seen various types of phishing campaigns take advantage of tax season and leverage tax-related themes. The attackers use various methods to deliver the phishing content: AES-encrypted content served over HTTP, plain templates served over HTTP or HTTPS, and pages spoofing tax products and other well-known brands. In the phishing campaigns that we analyzed for this report, we noticed that the attackers are leveraging the two entities involved in the tax filing chain for most consumers: popular tax filing software (in this case, TurboTax) and the tax governing agency, the IRS.
With high stakes during tax season, users should take extra care to ensure the sites they are using are legitimate. Don’t judge by what is in the window; look at the URL in the address bar. A legitimate site should use HTTPS, but HTTPS alone proves nothing, since some of the IRS phishing pages above were served over HTTPS as well. The domain name must actually be the site you intend to visit (for example, irs.gov or intuit.com), not merely contain it, as seen here:
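“The domain name should match” is easy to get wrong in code, so here is an added example (not from the Zscaler post) of the check stated precisely. A hostname passes only if it is the expected registrable domain or a subdomain of it; look-alikes that merely contain “irs.gov” as a prefix or substring fail, and HTTPS is required but never treated as proof on its own. The allowlist and the sample URLs are constructed for the example.

```javascript
// Added example, not from the post: a strict "is this the site I think it is" check.
// Allowlist of registrable domains the user actually intends to visit (assumed for the example).
const EXPECTED_DOMAINS = ["irs.gov", "intuit.com"];

// Returns { ok, reason }. Requires HTTPS, then requires the hostname to be one of the expected
// domains or a subdomain of one; substring or prefix matches are rejected.
function siteCheck(rawUrl, expectedDomains = EXPECTED_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not HTTPS" };
  const host = url.hostname.toLowerCase();
  const match = expectedDomains.find((d) => host === d || host.endsWith("." + d));
  if (!match) return { ok: false, reason: `host ${host} is not under an expected domain` };
  return { ok: true, reason: `host is under ${match}` };
}

// Constructed URLs, one per branch.
const SAMPLE_URLS = [
  "https://www.irs.gov/",                       // ok: subdomain of irs.gov
  "https://turbotax.intuit.com/",               // ok: subdomain of intuit.com
  "http://www.irs.gov/",                        // rejected: not HTTPS
  "https://irs.gov.verify-account.example/",    // rejected: irs.gov is only a prefix
  "https://www.irs-gov-login.example/",         // rejected: look-alike containing "irs"
  "https://compromised-site.example/irs/login", // rejected: the path says IRS, the domain does not
];

for (const u of SAMPLE_URLS) console.log(u, siteCheck(u));
```

The same test applies when reviewing URLs in a phishing e-mail or a proxy log: parse the URL, ignore the path and anything before the registrable domain, and compare what remains against the domain you expect.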
Zscaler ThreatlabZ is actively monitoring these tax related phishing campaigns and ensuring that Zscaler customers are protected.