Taxing times: Watch out for malicious email campaigns this tax season

Dermot Harnett
Published in Threat Intel
Mar 30, 2017

It’s the time of year when the thoughts of people in the US turn to one of the less fun facts of life: paying tax.

The US tax filing deadline is April 18, and it’s not just tax accountants who are getting busy. Cybercriminals, who use this time of year and people’s concerns about their tax dealings to carry out scams, are also ramping up activity.

Last year, the Internal Revenue Service (IRS) reported an approximately 400 percent increase in phishing and malware incidents during tax season. In February, it also warned both taxpayers and tax accountants to be wary of phishing scams during the 2017 tax season.

Tax scams are far from a new phenomenon. The IRS says that cybercriminals impersonating tax officials are a problem year round, though scams like this peak during tax season.

The scammers sending these emails could have a variety of aims:

1) Obtain personally identifiable information (PII), such as Social Security Numbers (SSNs), names, addresses, dates of birth, and passwords, and then sell it on the dark web.

2) Spread malware, or link to malware, with the goal of infecting an end user’s system. Depending on the type of malware, it could then steal further information from the victim’s computer, be used to spy on the person, or even add the computer to a botnet.

3) Obtain credit card information to defraud a recipient.

4) Distribute spam that mimics the services offered by legitimate tax preparation software companies. This can be another way to harvest PII from victims, or it can be a vehicle for click fraud: driving victims to a site where the cybercriminals earn revenue from clicks on advertisements.

A global issue

When Symantec researchers first started writing about these types of tax-related email scams almost 10 years ago, it was primarily a US phenomenon.

This is unsurprising for a number of reasons: the US has a large population, is generally an early adopter of technology, and is consistently one of the countries most targeted by scammers and spammers.

Symantec has observed millions of tax-related scam emails over the last decade. Over that time, tax-related spam, malware and phishing emails have gone global. These attacks have evolved and are now sent worldwide in multiple guises.

For example, we have observed scam emails claiming to be from the Australian Taxation Office, as well as from the tax authorities in Ireland, South Africa, and Canada.

Tax scam techniques used worldwide

Australia:

  • Malware is sent as an attachment to an email with the subject line “Australian Taxation Application”. The attachment is named in the format “australian_taxation_office_application_xx.zip”. The aim of the malware appears to be to add the computer to a botnet.

Ireland:

  • Tax-related phishing emails originating from Chinese, Australian, and Turkish IP space have been observed.
  • The sender address used is officecust-xxxx@revenue.ie, with the subject line “Tax Refund Invoice Ref#”.

South Africa:

  • Free-to-create websites and URL shorteners are used in tax phishing emails.
  • The emails claim to originate from refund@sars.gov.za, with the subject line “SARS Tax Refund Rsxxx”.

Canada:

  • Subtle obfuscation techniques are used in Canadian tax phishing subject lines in an attempt to evade email blocking rules that match on an exact subject line.
  • Techniques include rotating and substituting words within the sentence, or inserting random gibberish into the subject line. Examples of subject lines where words have been rotated and substituted include: “Canadian Residents and Non-resident individuals Tax Refund form” and “Canadian Resident individuals and Non-residents Tax Refund letter”.
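The rotation-and-substitution trick above defeats any rule that compares the whole subject string. The Python below is an added example, not Symantec’s detection logic or code from this post: it tokenises each subject, discards word order and filler words, and scores how much of a known-bad subject’s vocabulary survives in a candidate, so rotated, substituted and gibberish-padded variants still match while an unrelated subject does not. The stopword list, the crude plural stripping, the 0.7 threshold and every sample subject except the two quoted in the article are constructed assumptions.

```python
import re

# Known-bad subject line quoted in the article above.
KNOWN_BAD = "Canadian Residents and Non-resident individuals Tax Refund form"

# Filler words with no signal for this comparison (assumption: tune per environment).
STOPWORDS = {"and", "the", "a", "an", "of", "for", "to", "your"}


def _stem(word: str) -> str:
    """Crude plural stripping so 'residents'/'resident' and 'individuals'/'individual' collide."""
    return word[:-1] if len(word) > 4 and word.endswith("s") else word


def normalize(subject: str) -> frozenset:
    """Lower-case, keep alphabetic tokens only (digits and punctuation dropped), drop stopwords, stem.
    Word order is discarded, so rotating words in the sentence has no effect on the result."""
    tokens = re.findall(r"[a-z]+", subject.lower())
    return frozenset(_stem(t) for t in tokens if t not in STOPWORDS)


def exact_match(subject: str, known_bad: str = KNOWN_BAD) -> bool:
    """The naive rule the obfuscation is designed to evade."""
    return subject.strip().lower() == known_bad.strip().lower()


def containment(subject: str, known_bad: str = KNOWN_BAD) -> float:
    """Fraction of the known-bad token set that is present in the subject.
    Injected gibberish adds tokens to the subject but cannot lower this score;
    a substituted word removes at most one token from the intersection."""
    subj, bad = normalize(subject), normalize(known_bad)
    return len(subj & bad) / len(bad) if bad else 0.0


def is_variant(subject: str, threshold: float = 0.7) -> bool:
    """Flag the subject when enough of the known-bad vocabulary survives (threshold is an assumption)."""
    return containment(subject) >= threshold


# Sample subjects: the first two are quoted in the article; the rest are constructed for this example.
SAMPLES = [
    "Canadian Residents and Non-resident individuals Tax Refund form",            # verbatim known-bad
    "Canadian Resident individuals and Non-residents Tax Refund letter",           # substituted (from article)
    "Non-resident individuals and Canadian Residents Tax Refund form",             # rotated (constructed)
    "Tax Refund form Canadian Residents and Non-resident individuals qzxv 48213",  # gibberish appended (constructed)
    "Your tax refund has been deposited",                                          # benign (constructed)
]


def classify(subjects=SAMPLES):
    """Return (subject, exact_match, containment score rounded to 2 places, flagged) per subject."""
    return [(s, exact_match(s), round(containment(s), 2), is_variant(s)) for s in subjects]


if __name__ == "__main__":
    for subject, exact, score, flagged in classify():
        print(f"exact={exact!s:5} score={score:.2f} flagged={flagged!s:5}  {subject}")
```

Exact matching hits only the verbatim copy; containment flags all four variants and leaves the benign subject well below threshold. Because the score is containment of the known-bad set rather than a symmetric similarity, appending noise cannot dilute it: the attacker has to drop or replace signal words, and each substitution costs only one token out of seven, which is why the article’s second subject still scores above 0.8.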

UK and USA:

  • In the US and UK, tax scam and phishing emails are often crafted to look like legitimate emails from the relevant tax authorities, including the use of official logos.

Big business

In the US, tax is big business, which is another reason it is unsurprising to see this area targeted by scammers. The IRS collected more than $405 billion in the state of California alone in 2015, which gives an indication of the sums of tax money involved. Meanwhile, one US-based tax preparation software company has a market cap of more than $30 billion.

The attention the US receives from tax-related spam, malware and phishing emails suggests that the gangs behind these attacks believe a significant return can be made in this region.

Top subject lines

Symantec’s Email Detection Systems have already detected a number of tax-related spam campaigns and scam emails in 2017.

The top subject lines used in the spam campaigns observed include offers to join a “fresh start tax program” and information about tax debt relief.

Top 10 US tax-related spam email subject lines so far in 2017

  1. IRS fresh start tax program
  2. E-file your IRS tax return for free
  3. File your tax return for free
  4. Start your tax return today
  5. Eligibility for fresh start tax program
  6. Qualify for tax debt relief?
  7. Learn about tax debt relief programs
  8. Do you qualify for tax debt help?
  9. IRS announces new programs for taxes owed
  10. Eligible for tax debt resolution

The subject lines used in phishing emails, and in emails carrying malware, rely on words like “urgent” to pressure recipients into opening them.

Top 5 US tax-related phishing and malware email subject lines so far in 2017

  1. ATTN: Tax payer rejection code
  2. Please note — IRS urgent message
  3. Realty tax arrears — IRS
  4. IRS urgent notification
  5. IRS tax refund notification

US 2017 tax season phishing attack

One of the more interesting recent US tax-related phishing attacks occurred at the start of March.

This attack was notable for a number of reasons:

1) The relatively large number of messages sent in a short space of time

2) The use of a mutating link (a link that changes constantly), and of a WordPress site that had previously been used in phishing attacks

3) Phishing emails originating primarily from Iranian, Pakistani, Turkish and Indian IP space

Figure: Timeline of the “Dick Richardson” attack, showing the number of messages sent every five minutes. At its peak, almost 3,000 messages were sent in a five-minute period.

The message itself claimed to come from a “Dick Richardson”, an officer of the Internal Revenue Service. The campaign saw 72,000 messages sent in less than 24 hours, and at its peak hit almost 3,000 messages distributed within a five-minute window.

Figure: The email sent as part of the “Dick Richardson” phishing campaign
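The volume figures above (72,000 messages in under 24 hours, almost 3,000 in one five-minute window) are the kind of signal a mail gateway can raise on its own before anyone has looked at the message body. The Python below is an added example, not the post’s or Symantec’s code: it buckets sender-filtered gateway log entries into five-minute windows, reports the busiest window and lists any window at or above an alert threshold. The log format, the log lines, the sender filter and the threshold are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

WINDOW_MINUTES = 5

# Constructed mail-gateway log, "timestamp|sender display name|subject" (not Symantec telemetry).
# The sender name and subject come from the article; the timestamps and the benign line are invented.
# Lines are deliberately not in time order, as log exports often are not.
SAMPLE_LOG = """\
2017-03-02T09:01:10|Dick Richardson|IRS urgent notification
2017-03-02T09:03:44|Dick Richardson|IRS urgent notification
2017-03-02T09:05:02|Dick Richardson|IRS urgent notification
2017-03-02T09:05:59|Dick Richardson|IRS urgent notification
2017-03-02T09:06:30|Dick Richardson|IRS urgent notification
2017-03-02T09:08:15|Payroll Team|March payslip attached
2017-03-02T09:12:40|Dick Richardson|IRS urgent notification
2017-03-02T09:07:11|Dick Richardson|IRS urgent notification
2017-03-02T09:09:58|Dick Richardson|IRS urgent notification
"""


def parse_line(line: str):
    """Split one log line into (datetime, sender, subject)."""
    ts, sender, subject = line.split("|", 2)
    return datetime.fromisoformat(ts), sender, subject


def window_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its five-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def window_counts(log: str = SAMPLE_LOG, sender_filter: str = "Dick Richardson") -> dict:
    """Messages per five-minute window for the given sender, keyed by ISO window start, in time order."""
    counts = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sender, _ = parse_line(line)
        if sender_filter in sender:
            counts[window_start(ts).isoformat(timespec="minutes")] += 1
    return dict(sorted(counts.items()))


def peak_window(log: str = SAMPLE_LOG, sender_filter: str = "Dick Richardson"):
    """(window start, count) for the busiest window of the sender."""
    return max(window_counts(log, sender_filter).items(), key=lambda kv: kv[1])


def bursts(threshold: int, log: str = SAMPLE_LOG, sender_filter: str = "Dick Richardson"):
    """Windows at or above the threshold, i.e. the events a gateway would alert on."""
    return [(w, n) for w, n in window_counts(log, sender_filter).items() if n >= threshold]


if __name__ == "__main__":
    print(window_counts())
    print("peak:", peak_window())
    print("bursts (>=3):", bursts(3))
```

Keying on the display name is only a stand-in for the example; in production the bucket key would be whatever the campaign actually holds constant (envelope sender, sending IP range, attachment hash or the normalised subject), and the threshold would be set against the sender’s own baseline rather than a fixed count.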

Remember

· In the last decade, tax collection agencies such as the IRS and the Australian Taxation Office have created detailed resources on how to identify and report tax scams. These are worth reading and keeping in mind before entering into any correspondence with tax authorities.

· Report any suspicious emails claiming to be from the IRS to phishing@irs.gov.

· Practice good email hygiene: be wary of clicking on links and opening attachments. Remember that the IRS does not initiate contact with taxpayers by email to request personal or financial information.

· For US taxpayers, remember that the filing deadline for 2016 tax returns is Tuesday, April 18, 2017.
