The sophistication of IRS scams and phishing attempts targeting taxpayers and exploiting the IRS brand emphasizes the ongoing need for securing personal and financial data. These deception scams skillfully spoof the IRS to mislead the general public, playing on their trust and the complexity of tax law.
Bolster researchers discovered multiple scams in which phishing websites and phishing kits were used to impersonate the IRS and lure victims into disclosing sensitive information such as credit card details and Personally Identifiable Information (PII), including their name, email, address, phone number, and Social Security number.
Anatomy of Operations
Findings of IRS Scams
Bolster researchers discovered multiple phishing websites and a phishing kit on the CheckPhish platform that impersonated the IRS. The websites and the kit were designed to collect and store victims’ personal and financial information, including Social Security numbers, credit card details, and contact information.
Learn more about Checkphish, a free phishing link checker used to scan suspicious URLs.
The phishing kit was also designed to block clicks and keyboard shortcuts, which hindered a victim’s ability to inspect the page and recognize it as a phishing attempt.
Analysis of Phishing Kit
This PHP script, part of the IRS phishing kit, collects and stores victims’ personal and financial information before redirecting them to another page, apparently to keep the ruse going.
This JavaScript code disables specific keyboard shortcuts using the CTRL and ALT keys in a web browser, preventing users from copying, pasting, or doing other basic keyboard actions, most likely to impede the discovery or analysis of a phishing or malicious webpage.
IOCs | Value
---|---
Website | sa.www4[.]IRS[.]gov
IP | 104[.]248[.]232[.]188
File Hash | 7041935e254f2628ab27ec53e6b3f784eb156a355a7368945815bad2dad01376
File Type | ZIP file
Name | irsus.zip
Shell Commands | 
Analysis of the Phishing Website
The fraudulent websites were found to instruct victims, under the pretence of improving security, to close their browser window after completing the activity. The sites were built to capture submitted input and save it directly to a text file.
Furthermore, to make the scam appear legitimate, victims were falsely told to expect their tax refund within 3 to 7 days, a ploy meant to delay suspicion and detection of the fraud.
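The following triage script is an added example, not Bolster’s code and not anything taken from the kit itself: it flags the two behaviours described in the kit analysis and here, JavaScript that swallows Ctrl/Alt shortcuts and PHP that writes submitted form fields to a flat file before redirecting, and lists the flat files that would be the exposed credential store. The sample kit files and the rule names are constructed for this example.

```python
import re

# Constructed sample kit files (not the contents of the real irsus.zip); they mirror
# the behaviours the write-up describes so the detector has something to flag.
SAMPLE_KIT = {
    "lock.js": """
document.addEventListener('keydown', function (e) {
  if (e.ctrlKey || e.altKey) { e.preventDefault(); return false; }
});
document.oncontextmenu = function () { return false; };
""",
    "submit.php": """<?php
$line = date('c') . '|' . $_POST['ssn'] . '|' . $_POST['card'] . PHP_EOL;
file_put_contents('taxeusa.txt', $line, FILE_APPEND);
header('Location: https://www.irs.gov/');
""",
    "index.html": "<form method='post' action='submit.php'>...</form>",
}

# (label, regex on file name, regex on file body); patterns are loose on purpose
# because kit code is often minified or lightly obfuscated.
RULES = [
    ("js_blocks_ctrl_alt_keys", r"\.(js|html?)$",
     re.compile(r"keydown[\s\S]{0,200}?(ctrlKey|altKey)[\s\S]{0,200}?preventDefault", re.I)),
    ("js_disables_context_menu", r"\.(js|html?)$",
     re.compile(r"oncontextmenu\s*=|['\"]contextmenu['\"]", re.I)),
    ("php_writes_post_to_flat_file", r"\.php$",
     re.compile(r"(file_put_contents|fwrite)[\s\S]{0,300}?\$_(POST|REQUEST)"
                r"|\$_(POST|REQUEST)[\s\S]{0,300}?(file_put_contents|fwrite)", re.I)),
    ("php_redirects_after_capture", r"\.php$",
     re.compile(r"(file_put_contents|fwrite)[\s\S]*?header\s*\(\s*['\"]Location:", re.I)),
]

def scan_kit(files):
    """Map each file name to the rule labels it triggers; files with no hits are omitted."""
    findings = {}
    for name, body in files.items():
        hits = [label for label, name_re, body_re in RULES
                if re.search(name_re, name, re.I) and body_re.search(body)]
        if hits:
            findings[name] = hits
    return findings

def find_drop_files(files):
    """Flat files the PHP appends captured input to: candidate exposed credential stores."""
    pat = re.compile(r"file_put_contents\s*\(\s*['\"]([^'\"]+\.(?:txt|log|csv))['\"]", re.I)
    return sorted({m for body in files.values() for m in pat.findall(body)})

if __name__ == "__main__":
    print(scan_kit(SAMPLE_KIT), find_drop_files(SAMPLE_KIT))
```

Run against an unpacked kit by loading each file’s text into the dictionary; a hit on the PHP rules together with a listed drop file is the cue to check whether that file is reachable from the web root, as taxeusa.txt was here.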
IOCs | Value
---|---
Website | hxxps://www[.]starportgame[.]com/login[.]IRS[.]gov
Website | hxxp://fecnet[.]com/wp-includes/page4
Website | hxxp://tr-2023-1[.]xyz
Website | hxxp://irs-security[.]com
Website | hxxp://irsgov-us[.]org
Website | hxxp://atm-i[.]com/irs/?access
IP | 66[.]115[.]166[.]232
IP | 162[.]241[.]218[.]97
IP | 104[.]21[.]5[.]87
IP | 116[.]80[.]11[.]70
Credential Store File | hxxps://www[.]starportgame[.]com/login[.]IRS[.]gov/taxeusa.txt
MITRE ATT&CK
Understanding the tactics and techniques is critical for creating strong security measures and preventing potential threats. The MITRE ATT&CK tactics, techniques and procedures (TTPs) identified from analysis of the phishing pages and the phishing kit are listed below:
ID | Tactic | Technique | Procedure
---|---|---|---
T1591 | Reconnaissance | Gather Victim | Using urgent tax-related topics to induce involvement, attackers clone the IRS
T1566 | Initial Access | Phishing | The adversary uses carefully written emails, SMS messages and websites that impersonate the IRS, exploiting tax-season pressure to deceive people into clicking deceitful links that redirect them to fake IRS websites.
T1204 | Execution | User Execution | Victims are misled into disclosing personal and financial information by interacting with fraudulent IRS pages, believing they are conducting legitimate tax-related operations.
T1562 | Defense Evasion | Impair Defenses | The phishing kit uses techniques to avoid detection, such as blocking browser capabilities and keyboard shortcuts, to keep the scam running.
T1656 | Defense Evasion | Impersonation | The fraud relies on building phony IRS websites, SMS messages and emails that closely resemble authentic ones, effectively impersonating the IRS.
T1056 | Credential | Input Capture | Phishing pages and kits use PHP scripts and JavaScript to acquire sensitive data such as Social Security and credit card numbers via form submissions and keypresses, thereby gathering victims’ credentials and personal information.
T1565 | Impact | Data | The obtained personal and financial information is used for fraudulent activities such as identity theft and illegal financial transactions.
Impact & Mitigation
IMPACT | MITIGATION
---|---
Breach and loss of Personally Identifiable Information (PII) such | Never reply to unexpected correspondence via calls, texts, emails, or social media posts, and always make sure that any individual contacting you about your taxes is legitimate.
Personally Identifiable Information (PII) sold on dark web forums for identity fraud, tax fraud, and financial fraud. | Use the official IRS platform when filing your own taxes, and get in touch with authorities as soon as you see a duplicate tax return or receive a notification that more taxes are due.
Conclusion
Staying alert and knowledgeable is crucial, as evidenced by the surge in intricate IRS phishing schemes. Individuals must recognize the warning signs of phishing attempts, and businesses must educate their staff and customers about these tactics.
By staying current on the latest scam methods and implementing comprehensive security measures, taxpayers can better defend themselves from deceptive schemes that seek to exploit their confidence and compromise important information.
Protecting personal and financial information is a shared duty in the digital age. Always confirm the authenticity of correspondence purporting to be from the IRS.