The Dirty Dozen Tax Scams of 2008

The IRS has been in the news recently because it's name has been impersonated (spoofed) to phish personal and financial information from people tricked into believing the IRS was going to send them money.

Another recent phishing lure spoofing the IRS name was the upcoming economic stimulus package being promised to the tax paying public. In this case, (too good to be true) promises of money were being sent out by spam spewing zombie computers before the details were finalized in the halls of Congress.

These spam spewing zombie computers are part of a botnet. Botnets are controlled by bot-herders, who are known to rent their services to a wide variety of Internet misfits. Bot-herders often use their botnets to commit criminal activity themselves, also.

Zombie computers are created after their owner clicks on a link in a spam e-mail containing malicious software engineered to take control of their system. In the recent past, there have even been examples of malware being injected into a system after just visiting an infected site.

Please note that most of these phishing ploys are designed to clean out your bank account, run up your credit cards, and or allow a criminal to use your good name to obtain additional lines of credit. The fact that they often turn your computer into a zombie is considered an add-on value to the criminal, who can then use your system to deliver spam (scams) to other unsuspecting people.

Today, the IRS issued it's yearly Dirty Dozen Tax Schemes. Since Internet scammers have been so fond of using the IRS's name, I thought this would be a good subject to blog about.

Please note that from time to time, I get anonymous inquiries about where to report tax fraud in the comments section. I've included information oh how to do this at the bottom if this post.

The IRS is sometimes willing to pay a reward for information leading to the successful resolution of an investigation. Your identity is protected if you choose to remain anonymous, also.

From the press release:

The Internal Revenue Service today issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments.

Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims.

Here is the Dirty Dozen hot off the official press release:

1. Phishing

Phishing is a tactic used by Internet-based thieves to trick unsuspecting victims into revealing personal information they can then use to access the victims’ financial accounts. These criminals use the information obtained to empty the victims’ bank accounts, run up credit card charges and apply for loans or credit in the victims’ names. Phishing scams often take the form of an e-mail that appears to come from a legitimate source. Some scam e-mails falsely claim to come from the IRS. To date, taxpayers have forwarded more than 33,000 of these scam e-mails, reflecting more than 1,500 different schemes, to the IRS. The IRS never uses e-mail to contact taxpayers about their tax issues. Taxpayers who receive unsolicited e-mail that claims to be from the IRS can forward the message to a special electronic mailbox, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Remember: the only official IRS Web site is located at www.irs.gov.

2. Scams Related to the Economic Stimulus Payment

Some scam artists are trying to trick individuals into revealing personal financial information that can be used to access their financial accounts by making promises relating to the economic stimulus payment, often called a “rebate.” To obtain the payment, eligible individuals in most cases will not have to do anything more than file a 2007 federal tax return. But some criminals posing as IRS representatives are trying to trick taxpayers into revealing their personal financial information by falsely telling them they must provide information to get a payment. For instance, a potential victim is told by phone or e-mail that he or she is eligible for a rebate but must provide a bank account number (or similar information) to get the payment. If the target is unwilling, the victim is then told that he cannot receive the rebate unless the information is provided. Individuals should remember that the only way to get a stimulus payment is to file a 2007 tax return. The IRS urges taxpayers to be extra-vigilant. The IRS will not contact taxpayers by phone or e-mail about their stimulus payment.

3. Frivolous Arguments

Promoters of frivolous schemes encourage people to make unreasonable and unfounded claims to avoid paying the taxes they owe. Most recently, the IRS expanded its list of frivolous legal positions that taxpayers should stay away from. Taxpayers who file a tax return or make a submission based on one of these positions on the list are subject to a $5,000 penalty. The most recent update of the list of frivolous positions includes: misinterpretation of the 9th Amendment to the U.S. Constitution regarding objections to military spending, erroneous claims that taxes are owed only by persons with a fiduciary relationship to the United States, a nonexistent “Mariner’s Tax Deduction” related to invalid deductions for meals and the misuse of the fuel tax credit (see below). The complete list of frivolous arguments is on the IRS Web site at IRS.gov.

4. Fuel Tax Credit Scams

The IRS is receiving claims for the fuel tax credit that are unreasonable. Some taxpayers, such as farmers who use fuel for off-highway business purposes, may be eligible for the fuel tax credit. But some individuals are claiming the tax credit for nontaxable uses of fuel when their occupation or income level makes the claim unreasonable. Fraud involving the fuel tax credit was recently added to the list of frivolous tax claims, potentially subjecting those who improperly claim the credit to a $5,000 penalty.

5. Hiding Income Offshore

Individuals continue to try to avoid paying U.S.taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore debit cards, credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance plans. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions.

6. Abusive Retirement Plans
The IRS continues to uncover abuses in retirement plan arrangements, including Roth Individual Retirement Arrangements (IRAs). The IRS is looking for transactions that taxpayers are using to avoid the limitations on contributions to Roth IRAs. Taxpayers should be wary of advisers who encourage them to shift appreciated assets into Roth IRAs or companies owned by their Roth IRAs at less than fair market value. In one variation of the scheme, a promoter has the taxpayer move a highly appreciated asset into a Roth IRA at cost value, which is below annual contribution limits even though the fair market value far exceeds the amount allowed.

7. Zero Wages

Filing a phony wage- or income-related information return to replace a legitimate information return has been used as an illegal method to lower the amount of taxes owed. Typically, a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 is used as a way to improperly reduce taxable income to zero. The taxpayer also may submit a statement rebutting wages and taxes reported by a payer to the IRS. Sometimes fraudsters even include an explanation on their Form 4852 that cites statutory language on the definition of wages or may include some reference to a paying company that refuses to issue a corrected Form W-2 for fear of IRS retaliation. Taxpayers should resist any temptation to participate in any of the variations of this scheme.

8. False Claims for Refund and Requests for Abatement

This scam involves a request for abatement of previously assessed tax using Form 843, “Claim for Refund and Request for Abatement.” Many individuals who try this have not previously filed tax returns. The tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses Form 843 to list reasons for the request. Often, one of the reasons given is "Failed to properly compute and/or calculate Section 83-Property Transferred in Connection with Performance of Service."

9. Return Preparer Fraud

Dishonest tax return preparers can cause many problems for taxpayers who fall victim to their schemes. These scam artists make their money by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Some preparers promote the filing of fraudulent claims for refunds on items such as fuel tax credits to recover taxes paid in prior years. Taxpayers should choose carefully when hiring a tax preparer, especially one who promises something that seems too good to be true.

10. Diguised Corporate Ownership

Some people are going as far as forming domestic shell corporations in certain states for the purpose of disguising the ownership of a business or financial activity. Once formed, these anonymous entities can be used to facilitate underreporting of income, non-filing of tax returns, engaging in listed transactions, money laundering, financial crimes and even terrorist financing. The IRS is working with state authorities to identify these entities and to bring the owners of these entities into compliance.

11. Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

12. Abuse of Charitable Organizations and Deductions

The IRS continues to observe the misuse of tax-exempt organizations. Misuse includes arrangements to improperly shield income or assets from taxation, attempts by donors to maintain control over donated assets or income from donated property and overvaluation of contributed property. In addition, IRS examiners are seeing an upturn in instances where taxpayers try to disguise private tuition payments as contributions to charitable or religious organizations.

As promised above, here is how you can report one of these scams:

Suspected tax fraud can be reported to the IRS using IRS Form 3949-A, Information Referral. Form 3949-A is available for download from the IRS Web site at IRS.gov. The completed form or a letter detailing the alleged fraudulent activity should be addressed to the Internal Revenue Service, Fresno, CA 93888. The mailing should include specific information about who is being reported, the activity being reported, how the activity became known, when the alleged violation took place, the amount of money involved and any other information that might be helpful in an investigation. The person filing the report is not required to self-identify, although it is helpful to do so. The identity of the person filing the report can be kept confidential.

Whistleblowers also could provide allegations of fraud to the IRS and may be eligible for a reward by filing Form 211, Application for Award for Original Information, and following the procedures outlined in Notice 2008-4, Claims Submitted to the IRS Whistleblower Office under Section 7623.

Full press release on the 2008 Dirty Dozen Scams, here.

0 comments

The IRS must be a great lure to go phishing and vishing with!

It should be no surprise that scam artists, fraudsters and other internet misfits are trying to cash in on the economic stimulus package being proposed by the powers that be in Washington.

The odd thing is the come-on, a tax rebate, hasn't even been approved yet.

The most accurate information I could find on this latest trend was from the IRS, who is being impersonated once again. They've gained considerable experience with this type of scam recently with their name being used (frequently) as a fake "badge of authority" (lure) to trick people into becoming an identity theft statistic.

From the IRS site (published on January 30th):

The Internal Revenue Service today warned taxpayers to beware of several current e-mail and telephone scams that use the IRS name as a lure. The IRS expects such scams to continue through the end of tax return filing season and beyond.

The IRS cautioned taxpayers to be on the lookout for scams involving proposed advance payment checks. Although the government has not yet enacted an economic stimulus package in which the IRS would provide advance payments, known informally as rebates to many Americans, a scam which uses the proposed rebates as bait has already cropped up.

The goal of the scams is to trick people into revealing personal and financial information, such as Social Security, bank account or credit card numbers, which the scammers can use to commit identity theft.

The bottom line is that the IRS is not going to send you an e-mail, or call you on the telephone asking for personal information.

Trust me, they already have it if you are due to receive money from them!

Variations of the recent scams include a tax rebate phone call, refund spam e-mail, audit e-mail (besides money fear is a common lure), changes to tax law e-mail, and a telephone scam claiming the IRS has sent a paper check and needs to verify your banking information.

So far as the e-mails, they sometimes contain links that load malicious software (designed to steal more information). Although not mentioned in the IRS release, a new phenomenon called "drive by pharming" was recently seen in the wild (on the Internet).

Here is what I wrote about "drive by pharming" in a previous post:

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

Spam e-mail is becoming more dangerous all the time. Most of these lead to fake websites, or blogs that can download malware on a system by merely visiting them.

So far as the surge in using the telephone to scam information, often referred to as vishing -- VoIP technology (super cheap long distance) has made this easy to do. From what I hear, a lot of it is being done across International borders, which makes prosecution difficult, also.

The IRS release warns that the caller might sound foreign. This is a good tip, but with call centers being outsourced all over the world, it's becoming pretty common to speak to someone on the telephone with an accent.

The safest bet is to give out no personal information to anyone, no matter how official they might seem when they it solicit via telephone, or over the Internet.

The press release does offer resources to report any suspected scams. Please note, that paragraph one is an extremely good tip!

Anyone wishing to access the IRS Web site should initiate contact by typing the IRS.gov address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.

Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting IRS.gov and entering the words “suspicious e-mails” into the search box in the upper right corner of the front page.

I know a lot of us simply hit delete when we see this stuff, but if it didn't work, the phishermen wouldn't keep doing it. We should all consider reporting it a "act of kindness" towards those, who might fall for this.

The people at the IRS fighting this could certainly use the HELP! It might eventually lead to the people behind this being held accountable.

Those who have received a questionable telephone call that claims to come from the IRS may also use the phishing@irs.gov mailbox to notify the IRS of the scam.

IRS release, here.

Previous posts about the IRS being used as a lure from this blog, here.

0 comments

IRS name used to phish for ID theft victims, again!

Government agencies and trusted brands are often spoofed (impersonated) in phishing attempts, which are social engineering ploys to steal personal and financial information, and or download cybernasties (malware, crimeware) on your system. Please note the cybernasties normally steal information from your computer, also.

The information culled from you, or your computer is then used to make YOU an identity theft statistic.

In the past couple of years, spoofing the IRS has become an old story, but they keep on doing it.

Here are the most recent updates on IRS phishing scams:

Updated Aug. 24, 2007 — The Internal Revenue Service today warned taxpayers of a new phishing scam, in which an e-mail purporting to come from the IRS advises taxpayers they can receive $80 by filling out an online customer satisfaction survey. The IRS urges taxpayers to ignore this solicitation and not provide any requested information. The IRS does not initiate contact with taxpayers through e-mail.

Updated June 19, 2007 — In another recent scam, consumers have received a "Tax Avoidance Investigation" e-mail claiming to come from the IRS' "Fraud Department" in which the recipient is asked to complete an "investigation form," for which there is a link contained in the e-mail, because of possible fraud that the recipient committed. It is believed that clicking on the link may activate a Trojan Horse.

Full IRS press release on this matter, here.

Phishing isn't limited to impersonating the IRS, the APWG (Anti-Phishing Working Group) tracks this ever growing problem and offers advice on how to avoid getting hooked, here.

Previous posts about phishing attempts impersonating the IRS can be seen, here.

0 comments

IRS Phishing Scam lures victims with a donation plea for the Southern California Fires

In an apparent scam that packs a double whammy, the IRS is being impersonated in a spoofed e-mail requesting donations for the recent Southern California fires.

From the IRS press release:

The Internal Revenue Service today warned taxpayers to be on the lookout for a new e-mail scam that appears to be a solicitation from the IRS and the U.S. government for charitable contributions to victims of the recent Southern California wildfires.

In an effort to appear legitimate, the bogus e-mails include text from an actual speech about the wildfires by a member of the California Assembly.

The scam e-mail urges recipients to click on a link, which then opens what appears to be the IRS Web site but which is, in fact, a fake. An item on the phony Web site urges donations and includes a link that opens a donation form which requests the recipient’s personal and financial information.

It appears that in this scam, people are being solicited for both money and their personal information.

The IRS is warning that this is likely to make them a victim of identity theft, and that providing any personal and financial information is likely to result in a person having a lot more money taken from them than they intended to give:

The bogus e-mails appear to be a “phishing” scheme, in which recipients are tricked into providing personal and financial information that can be used to gain access to and steal the e-mail recipient’s assets.

The IRS also believes that clicking on the link downloads malware, or malicious software, onto the recipient’s computer. The malware will steal passwords and other account information it finds on the victim's computer system and send them to the scamster.

Generally, scamsters use the data they fraudulently obtain to empty the recipient’s bank accounts, run up charges on the victim’s existing credit cards, apply for new loans, credit cards, services or benefits in the victim’s name or even file fraudulent tax returns to obtain refunds rightfully belonging to the victim.

If you happen to run into one of these spoofed e-mails, here is something you can do to help the IRS and people, who might fall for this:

Recipients of the scam e-mail can help the IRS shut down this scheme by forwarding the e-mail to an electronic mail box, phishing@irs.gov, using instructions found in “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes” on this site. This mail box was established to receive copies of possibly fraudulent e-mails involving misuse of the IRS name, logo or Web site for investigation.

IRS press release on the latest spoof using their name, here.

Fraudsters have been using the IRS name to scam people on an ongoing basis. Frequently, the name of other government agencies are used as a badge of authority by scammers, also.

Other posts regarding this phenomenon can be seen, here.

Governor Schwarzenegger in California stated that there will be zero tolerance for fraud in wake of the fires. His press release, along with numbers to report suspected fraud can be seen, here.

Sadly, whenever disaster strikes, scammers of all sorts pop out of the woodwork to steal money from people.

In case you don't have time to link to the press release, the number is 800-952-5210.

0 comments

Symantec May Spam Report reveals IRS e-mail leads to vampire game?

Symantec just released it's monthly spam report. I always find these reports a valuable tool to see exactly what trends the cybercriminal and less than ethical e-commerce communities have been up to in the past month.

Although most of us view spam as a major nuisance, the fact remains that spam is the preferred vehicle of marketing garbage and ripping off human beings on the Internet.

This month continues a nasty trend where spammers and phishermen (identity and information thieves) continue to manipulate Google's search engine:

For some time, spammers have used reputable brands to try and deliver spam and phishing messages to end-users. In the last year, Google has become a favorite target for some spammers. In November 2007, Symantec reported the emergence of a technique where spammers manipulated Google’s advanced search query and the “I’m feeling lucky” option to direct users to a spam site. In February 2008, Symantec reported that spammers had manipulated parameters in Google URLs used for AdSense and redirected unsuspecting end-users to a spam website. In April 2008 phishing emails purporting to come from the Google AdWords service have emerged. Google AdWords is a service that allows advertisers to intelligibly connect with individuals who search using Google. In the Google AdWords phishing samples that have emerged, the end-user is encouraged to click on a link to update their billing information and/or renew their account. The link in these phishing emails leads to a fraudulent website where personal information is requested and harvested.

Spear phishing, where specific people are targeted arrived in inboxes in the form of fake government subpoenas addressed to corporate executives. Also seen were come-ons to become a movie star, spam being sent in the form of instant messages and the 419 (Advance Fee) boys inserting calendar reminders in their spam to remind people send them their money.

While closely related to the long known use of job sites to gather information to commit identity theft, a new twist has been noted where professional networking sites are used for this purpose, also.

From the May report:

One of the side effects stemming from the growth of personal and professional networking sites is the increase in unsolicited emails that operate under the guise of connecting business professionals with their peers. The recipient is asked to join the “inner circle” and is encouraged to supply the network with their professional history by clicking on a URL which brings the user to a registration page. The page requests personal information that could be used for identity theft and could fuel future spam attacks.

In these monthly reports, Symantec normally has one twist with a particularly ghoulish or amusing angle. This month is no exception and they are reporting an IRS spam campaign that leads to a site where you can raise a vampire from the dead:

This time, instead of the refund link taking you to a site to steal your credentials, the link takes you to a popular web-based game in which you incarnate a vampire. The vampire gains more power every time end-users click on his link. It’s a rough, dark world out there… be warned.

I found this especially ironic because scammers and spammers are often referred to as ghouls or vampires when being described in literary terms. So far as the connection to all of this with the IRS, I'll leave that to the reader's imagination.

The IRS having their name spammed is nothing new. As predicted, there is an IRS spam (phishing) campaign going on right now using the tax stimulus program as a come-on to steal personal and financial information, which will probably be used to commit financial crimes. I'm predicting this might be a topic of interest on the June Spam Report.

The full report on the State of Spam for the month of May may be seen courtesy of Symantec, here.

0 comments

The Phishermen keep using the IRS name to hook Phish (Identity Theft Victims)

Phishing has become a huge problem. Criminals (phishermen) spoof (impersonate) a brand or organization that people trust to trick people into giving up their personal, or financial information. The information is then used to steal money.

In the more sophisticated attempts, malware (crimeware) is dropped on a system that logs keystrokes, gathering even more personal information, without the computer owner's knowledge, or consent.


The phishermen have been spoofing the IRS so frequently, the IRS set up a dedicated e-mail address to report activity. The address is phishing@irs.gov (follow the instructions).


The most recent version is a spam e-mail intended to scare a person into thinking they are being investigated. Here is what the IRS site is reporting:

The e-mail purporting to be from IRS Criminal Investigation falsely states that the person is under a criminal probe for submitting a false tax return to the California Franchise Tax Board. The e-mail seeks to entice people to click on a link or open an attachment to learn more information about the complaint against them. The IRS warned people that the e-mail link and attachment is a Trojan Horse that can take over the person’s computer hard drive and allow someone to have remote access to the computer.

Trojan horses are often a gateway to install malware -- sometimes referred to as crimeware -- which often includes keylogging software. The bottom line is that once installed on a computer, they have the ability to steal personal and financial details, from afar, without any additional assistance from you.


All the terms out there get confusing to non-technical people, there are some now saying, we should group some of the terms together and call it "grayware?" Another term to group some of this terminology together is "badware."


Similar technology is used for advertising and marketing purposes by legitimate businesses, also. This is often referred to as spyware and adware. The one thing they all have in common is that they are often a nuisance.


The key is to NOT even open the spam e-mails enticing you to click on their links. The best practice is to delete them. These e-mails are generated by the millions, perhaps billions by now, using automated software and botnets (other people's computers that have been taken over).


Spam filters designed to stop them from getting in your inbox, seem like they are getting less effective, recently.


Botnet owners are known to rent out their networks to other criminals for this purpose.


Sadly enough, the IRS name has been being spoofed a lot lately. Here is the extent of it:

Since the establishment of the mail box last year, the IRS has received more than 17,700 e-mails from taxpayers reporting more than 240 separate phishing incidents. To date, investigations by TIGTA have identified host sites in at least 27 different countries, as well as in the United States.

The phishermen often impersonate financial institutions, eBay, PayPal, or government agencies; such as the FBI and Interpol.


The latest alert from the IRS can be seen, here.

0 comments

Don't be lured with promises of something too good to be true when filing your taxes

Tax season brings with it all kinds of fraud. A lot of immoral sorts try to get someone to fall for something that's too good to be true. They get away with it because people are afraid of what they might owe, or they take advantage of what I call the "greed factor."

One thing is certain, if you fall for their promises, you're going to be left holding the bag. This means financial hardship (at a minimum) and could mean incarceration (jail).

I firmly believe that education is the best weapon against fraud. And the best places to educate yourself about tax fraud is none other than the IRS website, itself.

They keep a close eye on trends involving tax fraud and publish the information for free.

On February 7th, they published the 2007 "Dirty Dozen Tax Scams."

Here are the 12 most prevalent scams, according to the IRS:

1. Zero Wages. In this scam, new to the Dirty Dozen, a taxpayer attaches to his or her return either a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 that shows zero or little wages or other income. The taxpayer may include a statement indicating the taxpayer is rebutting information submitted to the IRS by the payer. An explanation on the Form 4852 may cite "statutory language behind IRC 3401 and 3121" or may include some reference to the paying company refusing to issue a corrected Form W-2 for fear of IRS retaliation. The Form 4852 or 1099 is usually attached to a “Zero Return.” (See number four below.)

2. Form 843 Tax Abatement. This scam, also new to the Dirty Dozen, rests on faulty interpretation of the Internal Revenue Code. It involves the filer requesting abatement of previously assessed tax using Form 843. Many using this scam have not previously filed tax returns and the tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses the Form 843 to list reasons for the request. Often, one of the reasons is: "Failed to properly compute and/or calculate IRC Sec 83––Property Transferred in Connection with Performance of Service."

3. Phishing. Phishing is a technique used by identity thieves to acquire personal financial data in order to gain access to the financial accounts of unsuspecting consumers, run up charges on their credit cards or apply for new loans in their names. These Internet-based criminals pose as representatives of a financial institution and send out fictitious e-mail correspondence in an attempt to trick consumers into disclosing private information. Sometimes scammers pose as the IRS itself. In recent months, some taxpayers have received e-mails that appear to come from the IRS. A typical e-mail notifies a taxpayer of an outstanding refund and urges the taxpayer to click on a hyperlink and visit an official-looking Web site. The Web site then solicits a social security and credit card number. In a variation of this scheme, criminals have used e-mail to announce to unsuspecting taxpayers they are “under audit” and could make things right by divulging selected private financial information. Taxpayers should take note: The IRS does not use e-mail to initiate contact with taxpayers about issues related to their accounts. If a taxpayer has any doubt whether a contact from the IRS is authentic, the taxpayer should call 1-800-829-1040 to confirm it.

4. Zero Return. Promoters instruct taxpayers to enter all zeros on their federal income tax filings. In a twist on this scheme, filers enter zero income, report their withholding and then write “nunc pro tunc”–– Latin for “now for then”––on the return. They often also do this with amended returns in the hope the IRS will disregard the original return in which they reported wages and other income.

5. Trust Misuse. For years unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits, and the IRS is actively examining these arrangements. There are currently more than 200 active investigations underway and three dozen injunctions have been obtained against promoters since 2001. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

6. Frivolous Arguments. Promoters have been known to make the following outlandish claims: the Sixteenth Amendment concerning congressional power to lay and collect income taxes was never ratified; wages are not income; filing a return and paying taxes are merely voluntary; and being required to file Form 1040 violates the Fifth Amendment right against self-incrimination or the Fourth Amendment right to privacy. Don’t believe these or other similar claims. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.

7. Return Preparer Fraud. Dishonest return preparers can cause many headaches for taxpayers who fall victim to their schemes. Such preparers derive financial gain by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Taxpayers should choose carefully when hiring a tax preparer. As the old saying goes, “If it sounds too good to be true, it probably is.” And remember, no matter who prepares the return, the taxpayer is ultimately responsible for its accuracy. Since 2002, the courts have issued injunctions ordering dozens of individuals to cease preparing returns, and the Department of Justice has filed complaints against dozens of others. During fiscal year 2005, more than 110 tax return preparers were convicted of tax crimes.

8. Credit Counseling Agencies. Taxpayers should be careful with credit counseling organizations that claim they can fix credit ratings, push debt payment plans or impose high set-up fees or monthly service charges that may add to existing debt. The IRS Tax Exempt and Government Entities Division is in the process of revoking the tax-exempt status of numerous credit counseling organizations that operated under the guise of educating financially distressed consumers with debt problems while charging debtors large fees and providing little or no counseling.

9. Abuse of Charitable Organizations and Deductions. The IRS has observed increased use of tax-exempt organizations to improperly shield income or assets from taxation. This can occur, for example, when a taxpayer moves assets or income to a tax-exempt supporting organization or donor-advised fund but maintains control over the assets or income, thereby obtaining a tax deduction without transferring a commensurate benefit to charity. A “contribution” of a historic facade easement to a tax-exempt conservation organization is another example. In many cases, local historic preservation laws already prohibit alteration of the home’s facade, making the contributed easement superfluous. Even if the facade could be altered, the deduction claimed for the easement contribution may far exceed the easement’s impact on the value of the property.

10. Offshore Transactions. Despite a crackdown by the IRS and state tax agencies, individuals continue to try to avoid U.S. taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance to do so. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions. During fiscal 2005, 68 individuals were convicted on charges of promotion and use of abusive tax schemes designed to evade taxes.

11. Employment Tax Evasion. The IRS has seen a number of illegal schemes that instruct employers not to withhold federal income tax or other employment taxes from wages paid to their employees. Such advice is based on an incorrect interpretation of Section 861 and other parts of the tax law and has been refuted in court. Lately, the IRS has seen an increase in activity in the area of “double-dip” parking and medical reimbursement issues. In recent years, the courts have issued injunctions against more than a dozen persons ordering them to stop promoting the scheme. During fiscal 2005, more than 50 individuals were sentenced to an average of 30 months in prison for employment tax evasion. Employer participants can also be held responsible for back payments of employment taxes, plus penalties and interest. It is worth noting that employees who have nothing withheld from their wages are still responsible for payment of their personal taxes.

12. “No Gain” Deduction. Filers attempt to eliminate their entire adjusted gross income (AGI) by deducting it on Schedule A. The filer lists his or her AGI under the Schedule A section labeled “Other Miscellaneous Deductions” and attaches a statement to the return that refers to court documents and includes the words “No Gain Realized.”

Two items fell off the list this year:

Two noteworthy scams have dropped off the “Dirty Dozen” this year: “claim of right” and “corporation sole.” IRS personnel have noticed less activity in these scams over the past year following court cases against a number of
promoters.

Dirty Dozen press release, here.

If you are a victim of one of these scams, you can report it, here.

Notably, they mention that reporting a scam might qualify you for a reward, but reporting one of these scams might (also) prevent someone else from becoming victimized.

There is also a lot of other free information and tools to do your taxes on the main IRS website, here.

0 comments

Spear phishermen target executives to steal company information

Shamus McGillicuddy of CIO News highlights an interesting fact, which is you never know, who is going to fall for a phishing scam.

The phishermen normally send out a lot of bait (spam) in the hopes of hooking a few phish.

Shamus writes:

Over the last week and a half, spam messages purported to be from the Internal Revenue Service and the Better Business Bureau have been specifically targeting senior-level corporate executives with phishing scams.

Experts say these targeted phishing attacks, sometimes called "spear phishing," are nothing new, but they illustrate that spammers are getting more adept at targeting sophisticated email users who have access to the most sensitive data within their companies.

Spear phishing is simply a more focused form of phishing, which uses more personal touches, such as a person's real name, and or title.

With all the information plastered over the Internet, or available for sale; it isn't hard for phishermen to get what they need (personal information) to go spear phishing.

Many private companies and government organizations recognize the danger phishing poses in the workplace. To counter this, and raise awareness; they are phishing their own employees.

Recently, I did a post about this, which revealed more employees fall for this, than many would like to admit:

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

There seems to be more and more phishing out there, which might be inspired by DIY (do it yourself) kits being sold over the Internet. DIY kits make it easy for not very sophisticated criminals to become expert phishermen.

The only good news about phishing is that with a little awareness, most people can spot this activity, because the phishing ploy doesn't make much sense, or is too good to be true.

CIO News story, here.

BBB Alert, here.

IRS Alert, here.

0 comments

FBI reports tax stimulus phishing campaign underway

The FBI Cyber Investigations Division issued a press release that spammers are phishing for people's personal details using the tax stimulus program as bait.

The Federal Bureau of Investigation warns consumers of recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate. The message contains a hyperlink to a fraudulent form which requests the recipient's personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check.

My guess is that the intent in getting your bank account information is to take it over and drain it of all it's assets.

Please note that phishing normally requires a person to willingly give up their information, but more and more, a new phenomenon is being seen called a drive by infection is being seen in the "wild" a.k.a. the Internet.

I wrote about this recently in a post called, "Nowadays, all you need to do is visit the wrong site to have your personal information stolen! "

As noted in the post, the phishermen have been seen using social engineering ploys, along with malicious software in conjunction with each other.

If you want to learn more via FBI recommended educational tools, or report a phishy e-mail, here is a way you may do so:

Please notify the IC3 by filing a complaint at www.ic3.gov. More information on scams is also available on www.fbi.gov and www.lookstoogoodtobetrue.com.

You can also report IRS related phishing scams to phishing@IRS.gov, here.

FBI press release with example of one of the phishmails, here.

In case you want to see when you are going to get your "actual" stimulus check (if you qualify), the IRS has a tool to figure it all out on their site.

0 comments

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

(Courtesy of Flickr)

A new report issued by the Treasury Department's inspector general reveals that too many IRS employees compromised their user ID and password to an unknown person, who was actually a government auditor posing as a help desk employee.

Sixty percent of the IRS employees fell for the social engineering trick, sometimes referred to as vishing. This isn't the first time a test like this has been conducted. In 2004, 35 percent of the employees tested compromised information and in 2001, the failure rate was 70 percent.

In the recent past, the agency has also been criticized for it's aging computer systems and their name has been spoofed (impersonated) in phishing attacks.

I guess the IRS makes a good story, but they certainly aren't the only government agency, or private entity being compromised by activity like this.

Whether it's vishing or phishing -- where social engineering (fraud, deception etc.) techniques are used to trick people into giving up access to information that should be protected -- human beings are probably the biggest threat to information (computer) security.

True, the results of this report are shocking, but maybe we should listen to what it is telling us? If social engineering didn't work, my guess is that a lot of the current explosion in phishing and vishing activity would go away.

Even when malware, often referred to as crimeware, which steals information using technology is used, a human being has to be lured into clicking on a link, or visiting certain websites for the software to be implanted.

Maybe one of the problems is that people, who fall for these ploys are reluctant to admit they were tricked so easily? I've seen a lot of people fall for social engineering ploys, and not all of them are poorly educated, or what most of us would consider, stupid.

In fact, many us would probably be amazed at exactly who falls for social engineering ploys. Most people would rather remain anonymous because it's embarrassing to admit they were conned into whatever scheme they fell for.

Of course, the people I'm referring to have asked me to respect their privacy, and I'm an advocate of protecting that, along with being kind to victims, also.

Whether it is a government agency, big business, or non profit being targeted, the only thing that is consistent is we see more and more of this activity all the time. Trust me, if it didn't work, the criminals behind it wouldn't be wasting their time doing it.

If the activity is increasing, and social engineering it tied into most of it, the best thing we can do to defeat it, are more tests like these, combined with an effort to make people more aware of the problem.

While the results of this report aren't good, at least they are making the information public and not hiding it. My guess is that IRS employees aren't the only ones, who would fall for something like this.

Education and awareness are key in stopping this problem, which keeps growing by leaps and bounds!

Inspector General (Treasury Department) report, here.

0 comments

Corporate suits targeted in spear phishing attack!

The mainstream media is reporting that the Phishermen attempted to spear a large number of corporate executive types this week.

This form of phishing is referred to as spear phishing, or whaling. The intent of phishing is to trick an unwary human being into giving up sensitive personal or financial information, which is later used to for illicit purposes. Spear phishing or whaling is simply a more focused approach designed to target more specific targets than everyday run of the mill phishing attacks, which are sent out by the millions via spam spewing botnets.

The New York Times is reporting:

Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.

If any of them clicked on the link directing them to a view of the full subpoena, they probably downloaded malicious software with keylogging capabilities. Once this is dropped on a system, keystrokes are recorded and transmitted back to the criminals behind the attack.

The normal intent when this done is to commit financial crime, but given the targets in this attack, corporate espionage (information theft) could be the intention, also.

The malware bundle allegedly places the victim's computer under the control of the phishermen. When this occurs, the infected computer is often referred to as a zombie.

The latest attack has prompted warnings to be placed on the websites of two California Federal Courts, as well as, the administrative office of the United States Courts.

The New York Times article speculated that this attack was of Chinese origin, while Brian Kreb's article in the Washington Post speculated the attack could be of Romanian origin. Both of these speculations came from noted industry security experts. Unfortunately in the world of cybercrime, the activity often so anonymous, all the rest of us can do is speculate as to who might actually be behind it.

Please note that speculating that the activity might have come from either China or Romania is probably a good deduction. Both countries are known to host a lot of criminal activity of a cyber nature.

It is also being reported that not all the security products out there will detect this attack.

I guess that the only solace from this fact is that if you can teach the user to recognize the social engineering aspects of these attacks, they aren't going to click on the link and infect their system.

Even though "fear" is well-known social engineering technique, if you examine the attack it doesn't make very much sense. After all, the last time I checked, a subpoena delivered via electronic communication wouldn't be legally binding. It's probably a no-brainer that federal courts wouldn't issue a subpoena via an e-mail.

Sadly, more employees fall for phishing attempts than many might realize. In fact, some organizations are now testing their own employees with scary results. Most recently, this was done by both the U.S. Army and the IRS.

Update 4/19/08: The FBI announced that a new phishy e-mail is circulating regarding a grand jury summons. Not sure if this is a tie in, but as Alex Eckelberry lamented on the Sunbelt blog -- phishing attacks are becoming more specifically targeted and the intent might be more than to steal financial information. Of course, that's not to say there isn't financial motivation involved, there normally is.

0 comments

It's unlikely the IRS is outsourcing tax preparation services to Russia!

Looks like with the start of tax season, the phishermen are again pretending to be the IRS.

Using a badge of authority in phishing is nothing new. In the past, we've seen the FBI, Interpol, DOJ and a lot of other official agencies spoofed (impersonated) to trick people into giving up their personal and financial details.

Here is a phishmail that got past my spam filter yesterday:

Date: Fri, 11 Jan 2008 16:02:36 -0500

From: "Internal Revenue Service" Add to Address Book Add Mobile Alert

Subject: IRS Annual Calculations - Tax Refund Internal Revenue Service United States Department of the Treasury

Dear Applicant:

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $270,25.

Please submit the tax refund request and allow us 2 business days in order to
process it.

To access the form for your tax refund, please click here (link removed).

The links on these spam e-mails are designed to entice the unwary to give up their personal and financial details (later used to commit financial crimes)through social engineering techniques (trickery). Just clicking on a link can download malicious software designed to steal information from your computer (which will also be used in financial crimes) or it will turn your computer into a spam spewing zombie.

If you hover (don't click) your mouse on a link and read the address that shows up on the bottom of your screen, it will show the true address. In the above example, it reveals and address of a Russian domain (astrasong.ru).

It's unlikely that the IRS is outsourcing tax preparation services to the Russian Union!

I went to the IRS site and discovered that they just updated their Suspicious e-Mails and Identity Theft page the same day I received this phishmail.

The page has links to all their previous warnings and information on where to report phishing activity involving the IRS. Also included are government educational resources (recommended reading if you haven't seen them before).

0 comments

The FTC Fraud Department didn't really send you that phishmail

Phishing attempts spoofing (impersonating) government agencies aren't anything new. Here again, the FTC (Federal Trade Commission) is being used as a badge of authority to trick people into downloading something that is likely to steal their personal and financial details.

From the FTC press release about this most recent occurrence:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.

The virus contains a keylogger, which logs information keyed into a computer and sends it back (electronically) to the phishermen (bad guys). This is a common method of stealing people's financial and personal information, which then is used to steal money.

The technical terminology used in the press release refers to a virus. Two other terms used to describe how a keylogger is planted on a system are malware and crimeware.

Keylogging software seems to be legally purchased, often touted as a way to spy on your family, or employees. Law enforcement and people committing more sophisticated forms of espionage have been known to use them, also.

If you are interested in seeing how many people are marketing keyloggers, click here.

Phishing might sound technical, but it almost always uses a psychological technique known as social engineering (trickery) to accomplish it's purpose. In this case, the trick (lure) to click on the attachment is fear, but in a lot of cases, it's something that's too good to be true.

The FTC refers people, who want to learn more about phishing to http://www.onguardonline.gov/.

Another place that has a lot of information about phishing is the Anti-Phishing Working Group.

Traditionally, the Phishermen relied on tricking people to give up the information they were seeking. More and more, keyloggers are being used that steal the information automatically.

Other posts, where I've written about keyloggers can be seen, here.

I've been getting a lot of queries on this site about another government agency (the IRS), who has also been spoofed frequently by the Phishermen. The last update on this was on September 19th, but my guess is that these are still circulating out there, also.

Full FTC press release on this matter, here.

Here is an interesting CNet blog post about FTC Chairman, Deborah Platt Majoras, stating publically that phishing is driving her insane. This was taken from a comment she made about a month ago to the first National Cybersecurity Awareness Summit.

(Deborah Platt Majoras courtesy of the FTC site)

0 comments

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too good to be true, or sometimes scary e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems'" according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which when used in a botnet is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec Report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s) — complete with offical logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Fear or scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as Scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. In then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a report that is rather ominous stating the the number of crimeware spreading URLs are at an all-time high. Crimeware is another name for malware when it has a pure criminal intent.

To close this post, I'll point to a amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

0 comments

DOJ is the latest badge of authority phishermen are using to net victims

This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note, in this instance, I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do this with any picture from a website.

Apparently, Websense deserves credit for discovering a Trojan downloader pretending to be a e-mail from the Department of Justice (DOJ). Clicking on this attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam, or even worse used to steal information stored on your computer.

This might turn you into an identity theft statistic, depending what personal and financial information you store on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.

In the e-mail Websense used as an example, it refers to a specific company. This means that this attack is possibly directly targeting people, who are associated with this company. This type of more directed attack has is now being referred to as spear phishing.

Spoofing (impersonating) government agencies is nothing new. The Phishermen use the badge of authority the name of these agencies invoke to trick people into clicking on the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Reveue Service),BBB (Better Business Bureau) and many others have had had their badges of authority used to lure victims into the Phishermen's web.

I was unable to find a recent press release on this directly from DOJ, however a press release on a similiar attack using DOJ's name was released in June.

In it they speak to the fact that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

0 comments

Chinese Hacker(s?) steal data on 18 million people in South Korea

Data breaches aren't just a problem in North America and Western Europe. In fact, it's probably safe to say that that the problem has become International in nature.

In the era of the global economy and with outsourcing, saavy hackers can probably get their hands on North American and European information outside those geographical areas fairly easily. IT is (also) probably less likely that anyone will be forced to be transparent about a data compromise in many of the areas information is currently being outsourced to.

That isn't to say that everything is 100 percent transparent when a data compromise occurs in the West, either.

Found this interesting blog post on The Dark Visitor (Inside the World of Chinese Hackers):

According to Hackbase.com, South Korea’s oldest and largest online shopping site (Auction.co.kr) has claimed it was attacked by a Chinese hacker who made off with the user information on 18 million members and a large amount of financial data. It is further claimed that Auction.co.kr delayed 20 hours after the attack before confirming the loss of information. Korean users rebuked the website for being too slow to act. It was confirmed that the attack was launched through China’s internet.

The post speculates (probably very accurately) that the site was compromised by phishing the staff at Hackbase.com (interesting name), who more than likely gave up their log on credentials to the hacker. This is normally accomplished by dropping malicious software containing a keylogger that steals all sorts of personal information from a compromised system. The same thing often occurs with social engineering techniques, where someone is tricked into giving up information they shouldn't have.

It is amazing how many employees fall for phishing attempts. I recently pointed to examples of this in North America, where the IRS and the employees of a Nuclear facility were successfully phished.

There is no doubt that part of any internal due diligence process should include training employees on social engineering, spam and phishing.

Full post from the Dark Visitor (interesting site), here.

Here are two posts, I recently did about employees getting phished for information:

Human beings are the reason for most security breaches!

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

0 comments

Phishermen impersonate DOJ in spam e-mail

DOJ logo. The press release mentions that the e-mail contains their official logo. Copying graphics is extremely easy to do. Internet criminals do this to make their spam e-mails look more official, or even to create totally spoofed (impersonated) websites.

Recently, Internet Phishermen have spoofed the IRS, FTC and the FBI to trick people into giving out personal/financial information. Of course, they spoof a lot of other organizations, also.

Apparently, the e-mail even contains the DOJ logo on it. This isn't very hard to do because copying graphics takes very little technical skill. To demonstrate, I will copy the DOJ logo and place it at the top of this post.

Because this is so easy to do, a lot of fake websites (mostly financial institutions) are all over the Internet.

From the DOJ press release dated June 27th:

The Department of Justice has recently become aware of fraudulent spam e-mail messages claiming to be from DOJ. Based upon complaints from the public, it is believed that the fraudulent messages are addressed "Dear Citizen." The messages are believed to assert that the recipients or their businesses have been the subject of complaints filed with DOJ and also forwarded to the Internal Revenue Service. In addition, such email messages may provide a case number, and state that the complaint was "filled [sic] by Mr. Henry Stewart." A DOJ logo may appear at the top of the email message or in an attached file. Finally, the message may include an attachment that supposedly contains a copy of the complaint and contact information for Mr. Stewart.

Although most phishing attempts are designed to trick people into giving up their personal/financial information, malware (crimeware) automates the process. Here is what the DOJ has to say about that:

Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by "double-clicking" on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Press release with links of where to report these phishy e-mails, here. There are also some links to government sites designed to educate the public on Internet crime on the news release, also.

If you would like to see how easy it is to copy graphics and make a fraud website look like a legitimate one, Artists Against 419 has a lot of actual examples on their site (see Lad Vampire link), here.

The Anti Phishing Working Group compiles statistics on spam and phishing. Every time they issue a new report (monthly), a new record seems to be set. APWG site, here.





Graphic illustration of what might happen to your computer after "double clicking" on an e-mail attachment from the Phishermen (courtesy of the FBI)!

It appears even the FBI has a sense of humor! Great picture (my opinion).

0 comments

Human beings are the reason for most security breaches!

If you think phishing is merely a financial crime, think again. Eleven employees at a nuclear research facility fell for a phishy e-mail, which appears to have been an attempt to steal information.

The New York Times reported:

A cyber attack reported last week by one of the federal government’s nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Although the article suggests China may behind this attempt, the article suggests they have plausible deniability:

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

I guess it might have been a host of undesirables trying to steal this information. A lot of Internet misfits redirect through China to do their misdeeds on the Internet.

What's scary is that eleven employees at a Nuclear Research Facility clicked on a phisy e-mail and compromised sensitive material.

I recently wrote a post, where an official government audit revealed that 60 percent of IRS employees tested fell for a vishing scheme and gave up sensitive information.

Vishing is stealing information by telephone.

It was recently announced that private investigators are being indicted for vishing infomation in an illegal manner, sometimes referred to as pretexting.

All of these events would suggest that businesses and government organizations have a big opportunity when it comes to raising employee awareness on social engineering schemes that are used to compromise sensitive information.

IT also illustrates that human beings are the common cause for most breaches of security!

New York Times article, here.

Here are the two previous posts on the IRS vishing test and the indictment of private investigators for using social engineering techniques:

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

Private Eyes charged with aggravated identity theft

0 comments

Private Eyes charged with aggravated identity theft

This isn't the first time private investigators have been caught using social engineering techniques to steal personal information. The Hewlett Packard case raised caused quite a bit of uproar about this last September.

Here is another case involving private investigators using illegal techniques to data mine information for their clients:

Ten people were indicted by a federal grand jury in Seattle in connection with a scheme to illegally obtain confidential information on more than 12,000 citizens across the country. To obtain confidential tax, medical and employment information, workers at BNT Investigations in Belfair, Washington, would pose as another individual to get government agencies including the IRS, the Social Security Administration, and various state employment security offices to provide confidential information. The year-long investigation dubbed, “Operation Dialing for Dollars,” also revealed that some workers posed as representatives of doctors’ offices to get medical or pharmacy records.

The private investigators used "pretexting," which is a social engineering technique designed to trick people into giving up personal and financial information. Criminals use the same technique to steal people's identities.

In fact, phishing, where an e-mail is sent impersonating a trusted or authority figure with the intent of stealing personal information is a form of "pretexting."

In this case, we might term what these private eyes did as "vishing," which is phishing using the telephone.

It appears that the U.S. Attorney's office agrees that this is little difference in the techniques used by these private eyes and is charging them all with aggravated identity theft.

The ten defendants are charged with Conspiracy and Wire Fraud. Seven of the defendants are charged with Fraudulent Elicitation of Social Security Administration Information. Six of the defendants are charged with Solicitation of Federal Tax Information. All ten defendants are charged with Aggravated Identity Theft. The three Washington defendants are scheduled to appear in U.S. District Court in Tacoma at 2:30 today.

These are the defendants indicted by the grand jury:

EMILIO TORRELLA, 36, Belfair, Washington
BRANDY N. TORRELLA, 27, Belfair, Washington
STEVEN W. BERWICK, 22, Belfair, Washington
VICTORIA J. TADE, 52, San Diego, California
MEGAN OSOSKE, 40, Beaverton, Oregon
DARCI P. TEMPLETON, 55, Houston, Texas
ESAUN G. PINTO, Sr., 33, Brooklyn, New York
PATRICK A. BOMBINO, 58, Brooklyn, New York
ROBERT GRIEVE, 67, Houston, Texas
ZIAD N. SAKHLEH, 26, Houston, Texas

The Torellas, who own BNT investigations, allegedly are the "phishy-investigators" who were selling this illegally obtained information to their peers nationwide.

The private investigators had been hired by attorneys, insurance companies and collection agencies to investigate the backgrounds of opposing parties, witnesses and benefit claimants, and to uncover assets or income. The TORRELLAs promoted their services to the private investigators.

BNT investigations targeted financial institutions and government agencies to get the information they were selling.

This makes me wonder how much the people paying for these services knew and to what extent they might be held liable?

Although, it doesn't appear that more sophisticated spying (identity theft?) techniques were used in this case, in the Hewlett Packard case investigators dropped software (malicious?) on computer systems to monitor the people they were "investigating."

Press release from the Western Washington U.S. Attorney's Office, here.

0 comments

FTC name impersonated to phish (steal information) from corporate executives

Spammers love to impersonate official agencies to hook their victims (phish). Recently, the attacks have become more specific targeting people by name, and or title. Here is a warning from the Federal Trade Commission (FTC):

Consumers, including corporate and banking executives, appear to be targets of a bogus e-mail supposedly sent by the Federal Trade Commission but actually sent by third parties hoping to install spyware on computers. The bogus e-mail poses as an acknowledgment of a complaint filed by the recipient, and includes an attachment. Consumers who open the attachment to this e-mail unleash malicious spyware onto their computer. The agency warns consumers who get this e-mail that purports to be from the FTC:

Don’t open the attachment.
Delete the e-mail.
Empty the deleted items folder.

The hoax e-mail is personalized, and contains the name of the recipient and their business. The bogus message explains how the complaint will be used, who will have access to it and states, “Attached you will find a copy of your complaint. Please print a hard copy of the complaint for your records in the upcoming investigation.” Opening the attachment downloads the malicious spyware.

The press release doesn’t specify exactly what the malicious spyware is.

Recently, the IRS and Better Business Bureau names were being used in a similar manner. In this attack, corporate executives were being specifically targeted, also. This type of attack is known as spear phishing.

Here is a post on the attack spoofing (impersonating) the IRS and BBB:

Spear phishermen target executives to steal company information

FTC release on this attack, here.

0 comments