Fraudulent 'IRS' Emails Target Social Security Numbers



Fraudulent 'IRS' Emails Target Social Security Numbers

Troy Gill

cyber image

Most phishing attacks we see these days target users login credentials. Credentials that can be used to gain a foothold in an organization to steal data, deploy Ransomware, launch BEC attacks, deliver Conversation Hijacking Attacks and more… However, some attackers are looking to steal other forms of info to be monetized in any number of different ways.

Yesterday we discovered an attack looking to harvest social security numbers. The emails were carefully crafted and customized to the end user and purported to come from the IRS. The recipients full name was included both in the subject and in the body of the message to lend credibility to the attack. It informed the recipient of “important changes in your records” and included an HTML attachment.

IRS phishing email

The page(attachment) delivered in the message was of course IRS branded and simply contained two fields to gather names and corresponding social security numbers.

irs phishing page

The data was being posted to a compromised website as observed below.

Phishing page data post source code

What will they do once they have it?

There are a vast number of ways that this information can then be monetized. Cybercriminals can instantly monetize the data by selling it on underground markets. This would provide them with the quickest path to cashing in. Eventually though, someone (if not them) will attempt to utilize the stolen data in some other way.

Your social security number may be used to commit some sort of financial identity theft. This would include opening fraudulent debt accounts in your name or even committing wire fraud. Your identity may also be used to commit tax related fraud. What better time than now to do so with the current Pandemic situation creating so many unusual tax situations and transactions, attackers thrive on such disorder. Another possibility is that your identity could be used to open utility accounts which you would then be left to sort out after payments become overdue. The attacker may also use your identity to commit medical identity theft. This is where someone uses your identity to receive medical care or goods, an activity that can have a lasting negative impact on your own medical care. In this event, you again may not have any indication that it has taken place until the account has become delinquent and collections locates you.

Of course, all these messages were identified as phishing and were quarantined by our advanced Email Threat Protection. It is still important to note that the IRS will never send this type of communication in an unsolicited manner:

Here is the statement from the IRS website:

“The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”