The HaxMan, not the TaxMan –
Researchers track surge in IRS phishing sites as filing extension deadline arrived.
Enlarge/A fake IRS site used in a set of phishing campaigns observed by Akamai from August to October.
Akamai
Tax return scammers usually strike early in the year, when they can turn the personal information of victims into fraudulent tax refund claims. But members of Akamai’s threat research teamfound a recent surge in “off-season” phishing attacksmasquerading as notices from the Internal Revenue Service, targeting over 100, 00 0 individuals. The attackers used at least 289 different domains hosting fake IRS websites — the majority of them legitimate sites that had been compromised. This wave of attacks came as the October 15 deadline for people who had filed for extensions approached.
According to a post by Akamai’s Or Katz, the phishing campaigns kicked off in the second half of August, with the majority of victims targeted between August 22 and September 5. But the campaigns continued to be launched into early October. Each of the fake websites used visually identical HTML pages, but used randomly generated style tags and other content in an attempt to throw off signature detection by security software.
Most of the domains were active for under 20 days. However, a significant number of them remained active after a month — undetected by the owners of the sites. “The lack of maintenance on legacy websites, as well as the challenges of patching and removing injected content, explains the duration over which phishing pages can remain active,” Katz wrote.
This is consistent withresearch into phishing infrastructure done by Ars, as well asother research by Akamai. Because of their age — and the lack of attention paid to them by their owners, who often pay someone to set them up and then forget about maintaining them — older sites based on “legacy” versions of WordPress and other content management systems are a prime target for phishing operators, as they have a higher reputation score than freshly minted domains. Depending on the degree to which the site is compromised, they can even create subdomains and register their own certificates for the phishing site.
With these sorts of scams propagating all year, it’s worth reminding friends and family that the IRS will not e-mail you or call you about overdue taxes or any other matter — those notices will only come by paper postal mail, usually by certified mail. So just don’t click.
GIPHY App Key not set. Please check settings