After a three month extension, tomorrow marks tax deadline day for the United States. While it may seem that tax fraud is not as widely reported as in previous years, tax-related fraud continues to be a popular approach for cybercriminals. 

Using Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection), I searched across criminal forums and marketplaces to see the types of goods, services, and accesses being offered this year. You can see a broad distribution of discussions in the chart below, but I’ll draw out three key themes in this blog: W-2 forms, access to systems, and exposed credentials.

 Tax-related keywords across criminal forums and dark web
Fig 1 – Mentions of tax-related keywords across criminal forums and dark web marketplaces since 1 January 2020

2020 W-2 Forms For Sale

When it comes to tax fraud, W-2 forms are an understandably popular commodity. While tax forms themselves are not sensitive, threat actors typically seek them for the sensitive personal information they contain. Tax documents act as a singular repository of data that include full legal names, birthdates, social security numbers, and other details that can be used for a variety of purposes, such as identity theft and financial fraud. Every year, we see a host of different vendors purporting to sell the latest W-2 forms. The screenshot below is a posting from a vendor named “leaguemode” on the Apollon marketplace. Leaguemode is selling W-2 forms for $70, and the posting suggests that this has sold 14 times. While it is impossible to verify the legitimacy of the listing, the 99% positive feedback and tenure adds credibility.

Tax informationon the Apollon
Fig 2 – Tax information offered on the Apollon dark web marketplace

It is worth noting that the future of Apollon marketplace is unknown, with rumors previously circulating about an exit scam. You can read more about that in our previous blog:

Selling Access

In our Account Takeover research, From Exposure to Takeover, we analyzed some of the types of accounts for sale on top tier cybercriminal forums. Those that went for the highest prices were those offering privileged accounts, like administrator accounts. Not only do they give access to a network, but they feature the highest levels of control and trust, and their permissions are nigh unlimited. A person using a privileged account could change system configuration settings, read and modify sensitive data, or give other users access to critical assets. Unsurprisingly, some of the most expensive were for finance, tax and payroll companies, as shown in Figure 3. 

Selling Access to a tax and payroll business
Fig 3 – Selling Access to a tax and payroll business

In some instances, this is not simply to a tax company. Rather, threat actors are selling access to tax preparation software owned by other companies. You can see one vendor selling access to Tax Lacerte and TurboTax instances for $1,000 and $400 respectively in the figures below.

Selling Access to tax preparation software
Fig 4 – Selling Access to tax preparation software
Fig 5 - Selling Access to tax preparation software
Fig 5 – Selling Access to tax preparation software

Inboxes Exposed

There may even be easier ways to access company’s sensitive financial information. In From Exposure to Takeover, we analyzed some of the usernames from our breach repository. We found that more than 2 million of them contained email addresses and usernames related to departments that deal with sensitive information―think addresses like [email protected] or [email protected].

Email addresses containing “invoice” or “invoices” were by far the most common, accounting (pun intended) for 66 percent of those 2 million credentials. “Partners” and “payments” were tied for second place, both with 10 percent. Just imagine the type of data sitting in accounting inboxes! An attacker who gets their hands on credentials for valid accounts could inflict untold damage: logging in to internal databases, exfiltrating sensitive data or launching social-engineering attacks (e.g. business email compromise).

Most popular exposed accounting inboxes
Fig 6 – Most popular exposed accounting inboxes

Fraud Persisting in 2020

There has been plenty to distract us from tax fraud in 2020, but this blog demonstrates that cybercriminals appetite for tax fraud has not disappeared.