With just over a month until Tax Deadline Day, individuals are scrambling to get their tax returns submitted. This is a proven time of the year for cybercrime, and 2018 has been no exception. The Internal Revenue Service has already outlined new scams targeting consumers this year. Criminals have once again used tax themes as lures to spread malware, as was the case with the Rapid Ransomware campaign.

Tax Fraud in 2018

Tax fraud endures despite countermeasures and increased awareness of the threat. This is largely due to the extent of personally identifiable information (PII) available online. Social Security Numbers (SSNs) are widely advertised and can be purchased for as little as $1; Figure 1 shows a criminal site selling 4,210,341 SSNs, which also include associated names, physical addresses and dates of birth.

Figure 1: Social Security Numbers for sale on cvv[.]me


The Equifax breach in 2017 led to the theft of PII belonging to at least 145 million individuals. Recent revelations suggest that that attackers may have also stolen tax identification numbers, additional driver’s license and credit card details. While it is not clear whether the breach had been conducted by cybercriminals or a nation-state, this data – should it eventually find its way into the criminal market – would provide a wealth of opportunities for tax fraudsters.

Acquiring Tax Information

Tax information – such as W2, 1040 and 1099 forms, as well as company accounts – is valuable data for cybercriminals. This information can be obtained through network intrusions, phishing, and Business Email Compromise. The latter technique typically works by impersonating an employee within the organization. In this tax version of the scam, the victim is asked to transfer tax documents instead of wiring funds. With this data, criminals can then commit fraud or resell the data.

Attackers can also acquire this information through scampages. Tax filing companies are particular targets of these phishing attempts. A recent example of this is turbotax-myintuit[.]com, an imitation of the legitimate turbotax[.]intuit[.]com. While the site is not yet hosting content, it has the potential to be used in phishing campaigns.

At this time of year, fraudsters take to forums requesting help with getting tax information for their scams; meanwhile, more technically capable actors look to profit by providing their services and expertise. In Figure 2, a criminal forum user asks for help in obtaining the relevant documents needed to submit their fraudulent tax return, while in Figure 3 a seller openly advertises their “Hacking Services”, which includes the ability to procure W2 forms.

Figure 2: User on Hack Forums looking to buy W2 and 1040 tax forms (screenshot taken on February 27, 2018)


Figure 3: Seller on Offensive Community forum advertising hacking services


Purchasing Information Online

For a little as $40-50, criminals can bypass these procedures altogether and buy these documents on criminal forums and marketplaces. These include stolen, pre-filled and forged forms (Figure 4), as well as specialist guides for conducting tax return fraud (Figure 5).

Figure 4: Forged W2 form advertised for $52 on Dream Market


Figure 5: Tax return fraud cashout guide for sale on Wall Street marketplace


Social Security Numbers are ubiquitous across dark and deep web marketplaces and criminal shops. In some instances, as seen in Figures 6 and 7, vendors will offer packages that have a range of data on individuals. This can be partial PII or “fullz”, a term that means a combination of financial and personal information. The latter is more valuable for threat actors, but partial of PII can also be used to commit a range of identity frauds, including falsified tax returns.

Figure 6: W2 and SSN information for sale on Wall Street, a darkweb marketplace


Figure 7: “Full profiles” advertised on Dream Market, a dark web marketplace. The posting includes W2 forms, pay-stubs and Social Security Numbers


Of course, there are security measures that make tax fraud more difficult for criminals, such as the IP PIN that is issued to many taxpayers by the IRS. Despite the IRS being vulnerable to compromise in previous years, the system is now more resilient to exposing that information to fraudsters (there is no longer a web interface for forgotten PINs with easy-to-answer questions, for example).

Capitalizing on Dediks

Fraudsters can target the accounts of tax filing companies without the need for phishing or scam pages. In Figure 8, one forum user seeks partners that have control of computers with these pieces of software installed. The term “Dedik” is an abbreviation of “dedicated”, which is used to describe a computer under remote control of a hacker. With control of users’ computers that have this software, malicious actor can capture keystrokes and ultimately gain access to the user accounts.

Figure 8: Actor on a Russian-speaking forum seeking individuals with access to computers that have tax preparation software present (screenshot taken on February 27, 2018)


Staying Safe Online

With actors looking to monetize the vast amount of PII available online during tax season, consumers, organizations and tax filing companies should be extra-vigilant about fraudulent activity. Here are some tips:

  1. Consumers should submit an Identity Theft Affidavit if you have been the victim of identity theft.
  2. IRS provides some great resources for understanding the latest techniques used by attackers, which you can access here, or by following @irstaxpros on Twitter.
  3. Organizations should consider that BEC can be for information as well as to wire funds. Update your security awareness training content to include the BEC scenario. This should be included in new hire training, but you should conduct ad hoc training for this scenario now.
  4. Tax filing companies should monitor for spoofed domains. DNS Twist is a good, free resource to do so.

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows (now ReliaQuest).


Photon logo small