Tax time is here again and that means two things: writing big checks to Uncle Sam and, of course, a new season of tax scams brought to you by industrious and persistent malware authors.
Americans feeling the rising panic of ensuring that they are squared up with the federal government before April 15 are searching for help online and downloading the financial statements they need for filing. The bad actors are counting on it and, as you read this, there's a high probability that somewhere in your inbox is a link to a scam attempting to collect sensitive information from you. The IRS has been warning people about some of the tax scams this season using its annual “Dirty Dozen” compilation of phishing and online scams.
Of the following scenarios, which do you think is more likely? Will you be phished by a dodgy-looking IRS website, or will you get phished by a bogus financial website? Here at Zscaler, the ThreatLabZ research team has been monitoring such traffic and we've seen an increase in attempted generic phishing attacks posing as financial institutions. This trend makes sense because tax preparation usually means getting tax documents from several different financial institutions—your bank, your mortgage holder, your retirement and investment accounts, and so on. The following figure depicts financial and tax refund phishing events observed in the Zscaler cloud over the past two months.
Figure 1: Financial (gold) and tax refund (green) phishing events over the past two months
"IRS Login" phishing
Though the majority of phishing sites were for "generic" financial institutions, we did see IRS phishing websites, including the following, which asks the user to enter an email address and then redirects to verify the account and fill in additional information including Social Security Number.
Figure 2: IRS Phishing – Login page
Figure 3: IRS Phishing – Personal and SSN details
Fake “Apply for EIN” scam and Google SEO poisoning
An EIN (Employer Identification Number) is a Federal Tax ID number required by businesses or other entities to file taxes. Required persons/entities can apply for an EIN on the IRS website and can get it immediately at no cost. Scammers have been active out there, attempting to phish unsuspecting users of their information and money by advertising themselves as experts in filing for Tax IDs.
A Google search of “irs tax id” resulted in multiple scamming websites among the top ads.
Figure 4: Google search results for IRS Tax ID showing ads for scamming websites
We noticed a few of these sites, such as irs-tax-id[.]com, gov-irs-ein[.]co, and irs-ein-tax[.]com, using the same phishing template for their homepage, which you can see in the image below.
Figure 5: “Apply for EIN” phishing template used by multiple sites
Figure 6: Phishing page requesting personal information including SSN
Figure 7: Phishing page requesting credit card information
Here are a few of the domains that are active in luring users to apply for an Employer Identification Number (EIN).
Figure 8: “Apply for EIN” phishing domains
Tax refund phishing campaign – UK
Tax year in the UK has just ended (April 6) and scammers have been preparing to take advantage of users seeking their refunds. One of the phishing domains we have been monitoring, hmrc[.]co[.]uk[.]pendingrefund[.]tk, updated its phishing pages on April 6 to keep up with tax season events. It began with a refund claim form and was changed to a form for "processing" the claim and applying it to the user's credit card.
Phishing campaign observed before April 6:
Figure 9: Phishing pages observed before April 6, 2019
And the current page (Tax-Refund.php) served by the phishing website (starting April 6) can be seen in the below image:
Figure 10: Phishing page observed on April 6, 2019
The IRS has warned about a “Tax Transcript” email scam used by attackers to distribute malicious documents containing malware. ThreatLabZ has also noticed tax-themed malicious documents delivering Emotet and Nymiam malware, which are well-known Trojans used for stealing data and credentials, among other malicious functions.
The following is the report of a recent Nymiam malware sample observed in the Zscaler Cloud Sandbox and delivered through a malicious URL: djaccounting[.]tax/wp-admin/98-14691361298-580222944834109973.zip
Figure 11: Cloud Sandbox Report for Nymiam malware sample: 7B80A64E9A106806EE4F62A16A968661
Every year during tax season, our researchers identify various kinds of phishing campaigns performing tax-related social engineering tactics in an attempt to collect sensitive information from unsuspecting users. You can read about some of the phishing campaigns that we observed during last year’s tax season here. The IRS has also been alerting tax filers about active tax scams and providing guidelines for safely filing taxes.
At ThreatLabZ, we have been actively monitoring the latest tax scam campaigns and providing protection for Zscaler customers.