FRAUD REPORT

PHISHING IN SEASON – TAX TIME MALWARE, PHISHING AND FRAUD

April 2013

As cybercriminals will have it, phishing attacks are quite the seasonal trend. It seems that every April, after showing a slight decline in phishing in the first quarter of the year, they wake up and get back to work on vast spam campaigns that take advantage of tax-filing season.

This time of year brings a few flavors of spam into the mailboxes of online users, including malware attachments that appear as communications such as tax statements or unclaimed refunds. In this special highlight, we will cover the main types of online threats we often see during the tax filing season, most of which are already rampant in the wild.

Tax Authority Phishing Themes

Although phishing is most often a direct attack, targeting account holders by presenting them with messages from their online banking provider, indirect phishing can be just as efficient, if not more.

In these scams, phishers will create an email appearing to come from the local tax authority, encouraging taxpayers to browse to a (phishing) page where they will be tricked into believing they are opening an online account, updating their personal information, contesting a fraudulent statement or receiving a refund.

Phishers use the taxation entity’s credibility and authority in order to ask victims to part with their personal information, address and phone details as well as account information, access to online and phone banking, as well as complete credit card details. Those attacks can be very elaborate and eventually allow criminals to devise a wider array of identity theft scenarios, including loan and credit card application, fraudulent ecommerce purchases, fraudulent tax filing, and bank account takeover.

Figure: Tax-Themed Phishing. Elaborate phishing page designed to steal access credentials and personal financial information.

Malware Hidden In Tax-Themed Emails

Another very popular threat during tax season is malware-laden email, purporting to come from a tax authority, usually with a threatening message urging the user to download and open an attachment. The file is actually a Trojan executable, which can sometimes be revealed by simply looking at the file extension, like in the image below.

Figure: Tax-Themed Malware Spam. Email purporting to come from tax authorities, urging users to download and open an attachment.

Note that the file extension is .pdf followed by .exe – a Trojan executable file.

One of the malware campaigns currently active in the wild is spreading the Brazilian Banker Trojan (“Bancos”) under the guise of a message from the fiscal authority in Brazil.

Figure: Tax-Themed Malware Spam. Email purporting to come from Brazilian tax authorities, urging users to download and open the concealed Bancos Trojan.

Here too, it is easy to see that the fake file extension is not really a Microsoft Word document (.docx), but rather an .exe hiding the Trojan’s executable.

Online Tax-Filing Scams

Since tax authorities have been allowing taxpayers to file their annual declarations with online service providers, criminals have been increasingly interested in phishing for access credentials to victims’ user accounts in hopes of rerouting the refund payments that may be due.

In many cases, fraudsters check if the potential victim has already filed the return, and if not, they will proceed to filing a false declaration in the victim’s name, using numbers that will result in a refund, and then attempt to have the expected payment sent to a prepaid card or an account they control. The U.S. Internal Revenue Service reported it saw an 80% increase in tax-return fraud between 2011 and 2012 – a number that is likely to continue growing.

One of the present campaigns running in the wild falsely alerts taxpayers that their return was rejected, all while delivering a Trojan attachment (.exe) in the guise of an archived file (.zip).

Figure: Online Filing Scams. Email to tax filers that a refund has been rejected and lures them to download a file with hidden malware.

Taxpayer User Account Takeover Attempts

In this last example of tax-themed online threats, some criminals, usually operating locally and versed in the regional processes, will attempt to phish a taxpayer for his access credentials to the tax authority’s web services.
From there, the criminals will attempt to gain insight into amounts possibly due to the victim, find out if they already filed a tax return, attempt to modify the account to which refund(s) should be sent, or in other cases, create a fake account with an online tax filing service to submit a bogus return in order to yield a refund.

The actual phishing can be carried out online, by directing taxpayers to click and browse to a hyperlink inside an email, or by opening the attack locally – a local HTML phishing scam that will appear on the victim’s PC.

In the following image, the taxpayer received an HTML file inside the email – containing the phishing page. The URL that will appear when opening that file will show a local path on the user’s PC. Once harvested, data from such “standalone” attacks will end up being sent to the phisher thereafter.

CONCLUSION

Although phishing attack numbers can fluctuate monthly and depend on factors that are harder to predict, trends such as annual tax filing season remain rather consistent.

Tax-filing season is probably one of the most popular times of the year for phishers to hit taxpayers with spam and malware infections since tax authorities can be a driver that would make people react quickly to emotional triggers such as:

– Entitlement – expecting a tax refund and wishing to receive it ASAP
– Anxiety – being faced with the (false) accusation of a rejected/fraudulent statement and wanting to rectify the issue
– Sense of obligation – having to comply with the civil obligation to report to the taxation authorities

In terms of the time-span for this seasonal trend, tax deadlines typically fall on April 15, but fraudsters are known to begin sending this type of spam in February and continue spreading the campaigns well into May and June, in the shape of fake returns and bogus rejected/fraudulent statements. This phenomenon is often reflected in phishing attack spikes recorded annually through Q2.
Just as financial institutions have been active in educating online users, tax agencies have also started similar campaigns to warn consumers to be alert during tax season.

Figure: Tax Authority Online Service Takeover Attempt. Email purporting to come from a tax authority, hosting a standalone phishing attack to harvest taxpayer information.

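The concealed-executable attachments (.pdf.exe, .docx.exe, an .exe presented as a .zip) and the standalone HTML attachment described in this report can be screened for during mail triage. The following Python code is an added example, not part of the RSA report; it goes slightly beyond the text by also looking at file names inside a .zip archive. The extension lists, the finding labels and the constructed sample message (its file names and the collector.example URL) are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}   # assumed list
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".txt", ".jpg"}
REMOTE_FORM = re.compile(rb"<form[^>]*\baction\s*=\s*[\"']?https?://", re.I)

def check_name(name):
    """Flag executable names; note a decoy document extension placed before it."""
    stem, _, last = name.strip().lower().rpartition(".")
    if "." + last not in EXECUTABLE:
        return []
    _, dot, inner = stem.rpartition(".")
    return ["double-extension"] if dot and "." + inner in DECOY else ["executable"]

def triage(raw_message):
    """Return (attachment, finding) pairs for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += [(name, f) for f in check_name(name)]
        if zipfile.is_zipfile(io.BytesIO(data)):   # check member names in archives
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                findings += [(f"{name}!{m}", f) for m in archive.namelist() for f in check_name(m)]
        if REMOTE_FORM.search(data):   # local HTML page that submits to a remote host
            findings.append((name, "html-form-posts-remote"))
    return findings

def build_sample():
    """Constructed test message; every file name and the URL are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("return_details.docx.exe", b"MZ")
    msg = EmailMessage()
    msg.set_content("Please review the attached documents.")
    for data, subtype, name in [(b"MZ", "octet-stream", "statement.pdf.exe"),
                                (buf.getvalue(), "zip", "rejected_return.zip"),
                                (b"%PDF-1.4", "pdf", "receipt.pdf")]:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    msg.add_attachment('<form action="http://collector.example/post"></form>',
                       subtype="html", filename="refund_form.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(*triage(build_sample()), sep="\n")
```

The benign receipt.pdf in the sample produces no finding, while the other three attachments are each reported once.
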
Phishing Attacks per Month

RSA identified 24,347 phishing attacks launched worldwide in March, marking an 11% decrease in attack volume from the previous month, yet a 27% increase year-over-year in comparison to March 2012.

Phishing attacks per month (Source: RSA Anti-Fraud Command Center)

Month     Attacks
Mar 12    19,141
Apr 12    35,558
May 12    37,878
Jun 12    51,906
Jul 12    59,406
Aug 12    49,488
Sep 12    35,440
Oct 12    33,768
Nov 12    41,834
Dec 12    29,581
Jan 13    30,151
Feb 13    27,463
Mar 13    24,347

Number of Brands Attacked

In March, 260 brands were targeted in phishing attacks, marking a 1% increase from February. Of the 260 targeted brands, 46% suffered five attacks or less.

Brands attacked per month (Source: RSA Anti-Fraud Command Center)

Month     Brands
Mar 12    303
Apr 12    288
May 12    298
Jun 12    259
Jul 12    242
Aug 12    290
Sep 12    314
Oct 12    269
Nov 12    284
Dec 12    257
Jan 13    291
Feb 13    257
Mar 13    260

Top Countries by Attack Volume

The U.S. was targeted by about half of all phishing volume in March. The UK accounted for 13% of attack volume while South Africa experienced an increase with 9% of attack volume. After the UK, the Netherlands was the country in Europe that endured the second highest attack volume in March at 5%.

Country               Share of attack volume
U.S.                  49%
United Kingdom        13%
South Africa          9%
Netherlands           5%
Canada                4%
India                 4%
38 Other Countries    16%

US Bank Types Attacked

U.S. nationwide banks saw a slight decline in attack volume in March – decreasing 6%. However, credit unions saw a relatively sharp increase, more than doubling from 8% to 17%. On occasion, phishers like to change up their attack methods and go after less targeted financial institutions, attempting to see if online/phone banking security measures with these banks could be more easily exploited.

Figure: US Bank Types Attacked, percentage of attack volume by month, Mar 12 to Mar 13. Source: RSA Anti-Fraud Command Center.

Top Countries by Attacked Brands

U.S. brands were once again most targeted by phishing in March, experiencing 27% of attack volume. Together, brands in the UK, Australia, India and Brazil accounted for 25% of attack volume.

Country               Share of attacked brands
U.S.                  27%
United Kingdom        12%
Australia             5%
Brazil                4%
India                 3%
39 Other Countries    48%

Top Hosting Countries

In March, the U.S. hosted just over half of all global phishing attacks, followed by Germany, Canada and the UK. Colombia hosted 3% of phishing attacks during the month.

Country               Share of hosted attacks
U.S.                  51%
Germany               6%
Canada                5%
United Kingdom        4%
Colombia              3%
Netherlands           3%
57 Other Countries    28%