As you have already heard, cyber-thieves from Russia have compromised the IRS Get Transcript website and were able to get records of previous years’ tax filings in order to file fraudulent returns and collect refunds. What was special about this heist is that the IRS servers were not breached directly; instead, the attackers used data gathered elsewhere, from lists of identity information bought on the Dark Web and from other sources, to answer the site’s identity-verification questions. The records on the IRS site were accessed one at a time rather than in the typical batch-exfiltration mode. Currently, the Get Transcript site is closed and transcripts can only be ordered by mail. The IRS said on its website:
“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.”
Some of the necessary information was acquired by reading a targeted individual’s social networking sites and other publicly accessible sites. The takeaway here is that we need to be more mindful of the information we are sharing with our friends, connections, and circles online. Some of this information is making it trivially easy for a cyber-attacker to access the online accounts of specifically targeted individuals. We see the same thing come into play in spearphishing campaigns, where the attacker uses information gathered online to customize the approach email in order to make it more convincing.
The problem with tax refund fraud is two-fold. The first, obviously, is the loss of revenue to the taxing authorities. State Departments of Revenue are experiencing a doubling of fraudulent claims this year over last year. The second problem is that if a fraudster has filed a tax return in your name, the IRS or State Revenue Department will reject your legitimate return when you file it, and any refund due you will be tied up in a lengthy fraud mitigation process. One thing you can do as a filer is get your tax records organized and file your return as early in the year as possible. If you are contacted by the IRS, you should also sign up for the credit monitoring service.
- Krebs on Security – States Seek Better Mousetrap to Stop Tax Refund Fraud
- Krebs on Security – Phony Tax Refunds: A Cash Cow for Everyone