Page 45 - GCN, May 2017

Taxing times to fend off cyber fraud
Cybercriminals are launching sophisticated attacks on federal agencies and companies to collect the treasure trove of personal information contained in tax returns
BY KAREN EPPER HOFFMAN
Tax time might be tough on businesses and individuals, but it’s especially hard on the Internal Revenue Service and other government agencies that handle tax-return information.
Wily cybercriminals eager to exploit the chaos that surrounds tax filing by stealing data-rich returns are putting the IRS on the defensive and forcing it to temporarily shut down data-retrieval tools.
In testimony before the Senate Finance Committee in April, IRS Commissioner John Koskinen revealed that hackers had recently exploited the online tool that transfers parents’ financial information to the Education Department’s Free Application for Federal Student Aid form, putting nearly 100,000 people at risk of identity theft. (About 20 million people filed a FAFSA from 2015 to 2016.)
Given that there are more than 200 ways in which the IRS shares or allows individuals to share tax data with financial firms, lenders, employers and other government agencies, it is not surprising that vulnerabilities exist.
“The attacks against FAFSA’s data retrieval tool are a good example of how attackers will go after the weakest link to get what they want,” said Matias Woloski, co-founder and CTO at Auth0, an identity management company. “In this case, they were after previous tax returns, which are rich in personal data [and] useful for identity theft as well as filing fraudulent tax returns this year.”
Although the IRS has not released details about how the system was misused, the most likely scenario is a weak authentication mechanism used by the FAFSA system, Woloski said. “It almost certainly did not require multifactor authentication and may have allowed for easy-to-guess password reset questions,” he added.
Another possibility is that attackers launched email phishing campaigns against FAFSA applicants. “It’s not hard to search social media to find kids who are likely to be going through the financial aid process,” Woloski said.
‘Thin-skinned piñatas’
John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said attackers are simply targeting where information and money flows — often to and from the IRS and companies or other federal agencies that exchange tax information.
Criminals target the records of people under 25 because they’ve typically had fewer addresses or employers and, therefore, present less of a verification problem for fraudsters, said Vitali Kremez, director of research at Flashpoint. “Tax fraud is typically much safer than stealing a credit card,” he added, because the chances of getting caught or prosecuted for tax fraud are lower.
“The increase in fraud attempts noted by the IRS is reflected in the level of chatter we’ve observed on dark web and criminal forums,” said Michael Marriott, a research analyst at Digital Shadows. Furthermore, the attacks are largely fueled by the increased availability of personally identifiable information online.
The overall richness and exploitation potential of tax records are key reasons why the government is becoming a hot spot for hackers, said Stu Sjouwerman, founder and CEO of IT security company KnowBe4. A credit card number might sell for 50 cents to $1 on the dark web and a health care record might garner $60 to $80, but the personal information needed to file a tax return and collect an ill-gotten refund can fetch as much as a few thousand dollars.
“Vast and rich data repositories within government agencies represent well-stuffed and thin-skinned piñatas to cybercriminals,” said David Vergara, head of global product marketing at VASCO Data Security. Out-of-date systems and security measures allow hackers to use a variety of attacks, ranging from social engineering and phishing emails “to literally dozens of password-cracker tools, shared across hacker networks online, to compromise static passwords,” he said.
In his comments before the Senate, Koskinen said the IRS began working with the Education Department in October 2016 to mitigate such scams and attacks. By early this year, however, he said both agencies realized that online fraudsters were still able to compromise the system.