Important disclaimer: THE IRS DOES NOT INITIATE CONTACT WITH TAXPAYERS BY EMAIL, TEXT MESSAGE, OR SOCIAL MEDIA CHANNELS TO REQUEST PERSONAL OR FINANCIAL INFORMATION. (See: https://www.irs.gov/uac/Report-Phishing )
The IRS has a very active security team, currently part of the U.S. Treasury Inspector General for Tax Administration (TIGTA), that is responsible for fighting phishing and tracking down the criminals who prey on U.S. taxpayers. If you believe you have received a phishing email, please help them by reporting the email you received to email@example.com. Additionally, please also consider sending a copy to our team. PhishMe Brand Intelligence automatically processes any URLs found in emails sent to Report@phishIQ.com (not just IRS phish – we love gathering global intelligence on all phish).
PhishMe Brand Intelligence has been looking at IRS phishing incidents since 2012, but the beginning of 2016 has broken all records for IRS phishing. Because many phishing sites use a customized URL for every visitor, we’ve developed a chart that demonstrates the number of phishing attacks by showing a count of unique host names on a given day that spoofed the IRS.
As an example, if tax.badsite1.com was seen 100 times on January 1st and twenty times on January 2nd, it would be counted as “2” in the chart below because we received reports for that host on two different days.
Figure 1. Count of distinct hosts of IRS phishing for each month during 2015 and 2016
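The counting rule described above, as an added example (not PhishMe's code). It assumes reports arrive as (timestamp, URL) pairs and that a month's total is the sum of its host-days; the timestamps, paths and badsite2.example are constructed.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample reports: (ISO timestamp, reported URL). Not real data.
REPORTS = [
    ("2016-01-01T08:15:00", "http://tax.badsite1.com/irs/a81f/login.php"),
    ("2016-01-01T09:40:00", "http://TAX.badsite1.com/irs/c22e/login.php"),
    ("2016-01-02T11:05:00", "http://tax.badsite1.com:80/irs/77d0/login.php"),
    ("2016-01-02T13:30:00", "http://refund.badsite2.example/la2/index.html"),
    ("2016-02-03T07:00:00", "http://tax.badsite1.com/irs/09ab/login.php"),
    ("2016-02-03T07:01:00", "not a url"),
]

def host_days(reports):
    """Return the distinct (day, hostname) pairs seen in the reports."""
    pairs = set()
    for stamp, url in reports:
        # .hostname lowercases and drops the port, so per-visitor paths,
        # case differences and explicit ports collapse to one host.
        host = urlsplit(url).hostname
        if not host:
            continue  # report without a parsable host name
        pairs.add((datetime.fromisoformat(stamp).date(), host))
    return pairs

def monthly_counts(reports):
    """Sum host-days per month (assumed aggregation for the monthly chart)."""
    counts = Counter(day.strftime("%Y-%m") for day, _host in host_days(reports))
    return dict(counts)
```
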
This hasn’t been a gradual increase, however; it was a rapid proliferation of spoof IRS sites at the beginning of this year. In January 2016 we saw more IRS phish than the total for any previous year.
In just the past two weeks, we have recorded 21 different phishing website templates being used to create IRS phish. We ask, “Which patterns are most important, based on the number of websites being created using that template?” Figure 2 provides an overview of the result of applying PhishMe’s phishing website clustering algorithm to group together sites that were created with the same set of files. We do that in order to work backwards toward identifying which criminal toolkit was used—and by which criminals—to create the most frequently-recorded phishing sites. Below we dive deeper into the details of the three largest templates indicated in Figure 2.
Figure 2. Clusters of IRS phish, based on website template, October 2015 – March 2016
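One way to group sites by the set of files they were built from, as an added example; this is a simplified stand-in, not PhishMe's clustering algorithm. It assumes each site has been fetched into a {path: bytes} mapping, compares sites by the Jaccard similarity of their file-content hashes, and uses an assumed threshold of 0.6; all hosts and file contents are constructed.

```python
import hashlib
from itertools import combinations

def fingerprint(files):
    """Reduce a fetched site ({path: bytes}) to the set of its file-content hashes."""
    return frozenset(hashlib.sha256(body).hexdigest() for body in files.values())

def jaccard(a, b):
    """Share of files two sites have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster_sites(sites, threshold=0.6):
    """Single-linkage clustering; the threshold is an assumed tuning value."""
    prints = {url: fingerprint(files) for url, files in sites.items()}
    parent = {url: url for url in prints}

    def find(u):  # union-find root lookup with path halving
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for u, v in combinations(prints, 2):
        if jaccard(prints[u], prints[v]) >= threshold:
            parent[find(u)] = find(v)

    groups = {}
    for url in prints:
        groups.setdefault(find(url), []).append(url)
    # Largest cluster first, as in a ranking of the most-used templates.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

# Constructed sample: two templates seen on four hosts, plus one unrelated page.
KIT_A = {"index.html": b"<title>Login</title>", "style.css": b"body{}",
         "logo.png": b"\x89PNG-a", "form.js": b"validate()"}
KIT_B = {"index.php": b"<title>Refund</title>", "main.css": b"p{}",
         "seal.gif": b"GIF89a-b"}
SITES = {
    "http://site1.example/la2/": {**KIT_A, "mailer.php": b"variant one"},
    "http://site2.example/tmp/": {**KIT_A, "mailer.php": b"variant two"},
    "http://site3.example/x/": dict(KIT_B),
    "http://site4.example/y/": {**KIT_B, "error_log": b"noise"},
    "http://site5.example/": {"index.html": b"unrelated"},
}
```

Hashing file contents rather than paths keeps two deployments of one template together even when a file is renamed or moved, while a per-deployment edit (here the differing mailer.php) only lowers the similarity score.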
Cluster #1 – IRS White Login
We will call this template “IRS White,” just to differentiate it from the other templates below.
Figure 3. Cluster #1 – “White Login”
Cluster #1, representing the most popular IRS phishing template over the past six months, was observed in 59 attacks, using 49 domain names and 40 IP addresses. The HTML title of each of these phish is the single word “Login”. The phish in this cluster often use a subdirectory path la2.www4.irs.gov, and, during the month of February, many of the attacks were hosted on the IP address 22.214.171.124 (HostDime—Orlando). Figure 4 below shows a page from PhishMe’s investigative app, ThreatHQ™, listing several recent IRS phish of this style, along with the IP address to which they resolved and the date that we first recorded them.
Figure 4. Note the characteristic path in the URL and a frequent IP address
Over the years of investigating credential phishing, the PhishMe Brand Intelligence team has preached information sharing with representatives of other victim brands. With this style of IRS phishing, it is helpful to be able to see in ThreatHQ that the IP address 126.96.36.199 is regularly abused by phishers. Phish targeting customers of banks, social media sites, payment processors, and webmail providers are frequently hosted there, as well as a variety of webmail phish, as seen in Figure 5 below.
Figure 5. Other recent phish hosted on 188.8.131.52
Perhaps some of the creators of those phish are related to the IRS phishers? One of the most recent phishing pages hosted there targets the French government’s Ministry for Finance and Public Accounts (impots.gouv.fr), as seen in Figure 6 below.
Figure 6. French tax agency phish hosted on 184.108.40.206 (March 21st)
Cluster #2 – Fill Up 2013
The second-largest cluster of recent IRS phish comprises 42 attacks using 38 domains and 34 IP addresses. As is often the case with phishers, small errors can help us to easily identify the template. In this case, we have a phisher who has not realized that using a 2013 tax form during 2016 would be unusual and could even harm his victimization rate. See Figure 7 below for an example screenshot of a Cluster 2 phish that asked the victim to enter information as it appeared on a 2013 return.
Figure 7. Cluster #2 – “Fill Up – 2013”
Because PhishMe Brand Intelligence is often able to retrieve the tools left behind by phishers, we know that at least eight of the recent phish in this group sent the stolen credentials to the email address firstname.lastname@example.org. On November 24th, December 14th, and January 10th, 17th, 18th, and 23rd, PhishMe recovered phishing kits that used a PHP script to email the credentials to that email address, as seen in the code snippet in Figure 8 below.
Figure 8. The script mailer.php sends credentials to a Gmail account
Strangely, Michael Davids’ Facebook page (see Figure 9 below), tied to the same Gmail account, has the URL http://facebook.com/ogbeni.yaham – almost as if Michael was born a Nigerian person and later changed his name. In fact, his only Friend on Facebook is Nigerian “Kore Akpnah.”
Figure 9. Partial screenshot of Facebook profile tied to the email address email@example.com
As with Cluster #1, we also have evidence that Michael (or “Ogbeni”?) steals credentials with other types of phishing pages. A webmail phish from January and a major bank phish from December (Figures 10 and 11, respectively, below) also sent their stolen credentials to Michael at the same Gmail address.
Figure 10. Recent Google Drive phish created with a kit that sends data to firstname.lastname@example.org
Figure 11. Recent Wells Fargo phish created with a kit that sends data to email@example.com
Also, be aware that the spam message you receive with a link to an IRS phish may be very plain and simple, such as the one seen in Figure 12 below. We can see by hovering over the link with our mouse that the blue hyperlink did not go to IRS.gov; rather, it went to a URL shortened with the TinyURL service.
Figure 12. Sample spam message distributing a link to a Cluster #2 style IRS phish
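The hover check described above can be automated on the mail gateway or in triage tooling. The following is an added example, not code from PhishMe: it flags anchors whose visible text names one domain while the href resolves to another host, and anchors that point at a URL shortener. The sample message, the shortener list beyond TinyURL, and badsite.example are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com"}  # service named in the post; extend locally (assumption)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, claimed):
    """True if host is the claimed domain or one of its subdomains."""
    return host == claimed or host.endswith("." + claimed)

def suspicious_links(html):
    """Return (text, real host, reasons) for links that hide their destination."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        claimed = [re.sub(r"^www\.", "", d.lower()) for d in DOMAIN_RE.findall(text)]
        reasons = ["shortener"] if host in SHORTENERS else []
        if any(not same_site(host, d) for d in claimed):
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append((text, host, reasons))
    return findings

# Constructed sample message body (not the message shown in Figure 12).
SAMPLE = (
    '<p>Confirm your refund: <a href="http://tinyurl.com/EXAMPLE">https://www.irs.gov/refunds</a></p>'
    '<p>Guidance: <a href="https://www.irs.gov/uac/Report-Phishing">IRS.gov</a></p>'
    '<p><a href="http://irs.gov.badsite.example/login">www.irs.gov</a></p>'
)
```
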
Cluster #3 – Fill Up 2014
Figure 13. Cluster #3 – Fill Up – 2014
Cluster #3 is composed of 32 attacks on 29 domains hosted on 29 IP addresses. The only substantial difference between it and Cluster #2 is that the year has been updated from 2013 to 2014. Two main URL patterns are prevalent for this cluster; one is /SmileIR/ (and the stolen credentials are sent to a similarly-named email address). After February 1st, this criminal began to use the directory /PRIVACYIR/ and another email address. Otherwise, the files are quite similar between the two toolkits.
Other Top IRS Clusters
While there are many interesting Brand Intelligence leads for each of the other major IRS phishing clusters, we’ll just summarize clusters 4 through 10 here by providing screenshots and volume statistics below.
Cluster #4 – 2015 Tax Reduction File
Figure 14. Cluster #4 attacks seen 29 times on 25 domains and 23 IP addresses
Cluster #5 – White Hi-Res W-2 Form
Because of the more high-resolution graphics that better approximate the real IRS website, this template is more likely to be convincing to a potential victim. One of the drop email addresses for this stolen data corresponds to a Skype account. This website template also adds believability by using the HTML Title attribute—which shows up in your browser tab—of “Department of the Treasury – Internal Revenue Service”.
Figure 15. Cluster #5 attacks seen 28 times on 26 domains and 25 IP addresses
Cluster #6 – Validate Personal Info
Figure 16. Cluster #6 attacks seen 26 times on 17 domains and 15 IP addresses
Cluster #7 – Validate Electronic Info
Figure 17. Cluster #7 attacks seen 23 times on 21 domains and 20 IP addresses
Cluster #8 – Refund Status
Figure 18. Cluster #8 attacks seen 23 times on 18 domains and 17 IP addresses
Cluster #9 – Get My PIN
Figure 19. Cluster #9 attacks seen 19 times on 13 domains and 10 IP addresses
Cluster #10 – Refund SSN
Figure 20. Cluster #10 attacks seen 18 times on 3 domains and 3 IP addresses
Grouping together the various types of phish that are targeting a specific brand, according to the sets of files used to create the look and feel of phishing sites, allows PhishMe to determine which are the biggest problems affecting that brand’s customers. It also allows a focus on which bad actors are using the templates and how they are taking advantage of the Internet infrastructure available to them.
In 2016, you have already heard many warnings about IRS phishing. This blog post further demonstrates that not only is it a large and growing problem, but there are also many different phishers and different toolkits being used to exploit U.S. taxpayers. Be on the lookout for all of these types of scams, and be sure to let us and the IRS know when you see a new phish. Be sure to forward the email to firstname.lastname@example.org and to email@example.com.