fraud report: rsa monthly online - april 2013


Uploaded by emc-academic-alliance, posted 18-Nov-2014


DESCRIPTION

The RSA Monthly Online Fraud Report examines the latest global phishing and cybercrime trends.

TRANSCRIPT

Page 1: Fraud Report: RSA Monthly Online - April 2013

FRAUD REPORT

PHISHING IN SEASON – TAX TIME MALWARE, PHISHING AND FRAUD

April 2013

As cybercriminals will have it, phishing attacks are quite the seasonal trend. It seems that every April, after showing a slight decline in phishing in the first quarter of the year, they wake up and get back to work on vast spam campaigns that take advantage of tax-filing season.

This time of year brings a few flavors of spam into the mailboxes of online users, including malware attachments that appear as communications such as tax statements or unclaimed refunds. In this special highlight, we will cover the main types of online threats we often see during the tax filing season, most of which are already rampant in the wild.

Tax Authority Phishing Themes

Although phishing is most often a direct attack, targeting account holders by presenting them with messages from their online banking provider, indirect phishing can be just as efficient, if not more so.

In these scams, phishers will create an email appearing to come from the local tax authority, encouraging taxpayers to browse to a (phishing) page where they will be tricked into believing they are opening an online account, updating their personal information, contesting a fraudulent statement or receiving a refund.

Phishers use the taxation entity’s credibility and authority to ask victims to part with their personal information, address and phone details, account information, access to online and phone banking, and complete credit card details. Those attacks can be very elaborate and eventually allow criminals to devise a wider array of identity theft scenarios, including loan and credit card applications, fraudulent ecommerce purchases, fraudulent tax filing, and bank account takeover.


Malware Hidden In Tax-Themed Emails

Another very popular threat during tax season is malware-laden email, purporting to come from a tax authority, usually with a threatening message urging the user to download and open an attachment. The file is actually a Trojan executable, which can sometimes be revealed by simply looking at the file extension, as in the image below. Note that the file extension is .pdf followed by .exe – a Trojan executable file.

One of the malware campaigns currently active in the wild is spreading the Brazilian Banker Trojan (“Bancos”) under the guise of a message from the fiscal authority in Brazil.

Figure: Tax-Themed Malware Spam. Email purporting to come from tax authorities, urging users to download and open an attachment.

Figure: Tax-Themed Phishing. Elaborate phishing page designed to steal access credentials and personal financial information.


Here too, it is easy to see that the fake file extension is not really a Microsoft Word document (.docx), but rather an .exe hiding the Trojan’s executable.

Online Tax-Filing Scams

Since tax authorities have been allowing taxpayers to file their annual declarations with online service providers, criminals have been increasingly interested in phishing for access credentials to victims’ user accounts in hopes of rerouting the refund payments that may be due.

In many cases, fraudsters check if the potential victim has already filed the return, and if not, they will proceed to file a false declaration in the victim’s name, using numbers that will result in a refund, and then attempt to have the expected payment sent to a prepaid card or an account they control. The U.S. Internal Revenue Service reported it saw an 80% increase in tax-return fraud between 2011 and 2012 – a number that is likely to continue growing.

One of the present campaigns running in the wild falsely alerts taxpayers that their return was rejected, all while delivering a Trojan attachment (.exe) in the guise of an archived file (.zip).

Taxpayer User Account Takeover Attempts

In this last example of tax-themed online threats, some criminals, usually operating locally and versed in the regional processes, will attempt to phish a taxpayer for his access credentials to the tax authority’s web services.

Figure: Tax-Themed Malware Spam. Email purporting to come from Brazilian tax authorities, urging users to download and open the concealed Bancos Trojan.

Figure: Online Filing Scams. Email to tax filers claiming that a refund has been rejected, luring them to download a file with hidden malware.


From there, the criminals will attempt to gain insight into amounts possibly due to the victim, find out if they already filed a tax return, attempt to modify the account refund(s) should be sent to, or in other cases, create a fake account with an online tax filing service to submit a bogus return in order to yield a refund.

The actual phishing can be carried out online, by directing taxpayers to click and browse to a hyperlink inside an email, or by opening the attack locally – a local HTML phishing scam that will appear on the victim’s PC.

In the following image, the taxpayer received an HTML file inside the email, containing the phishing page. The URL that appears when opening that file will show a local path on the user’s PC. Once harvested, data from such “standalone” attacks will end up being sent to the phisher thereafter.
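As an added defender-side example (not part of RSA’s report), the following Python sketches mail-gateway checks for the three attachment lures described on the preceding pages: the double extension (.pdf.exe, .docx.exe), an executable delivered under a .zip name, and a standalone HTML phishing page. It goes one step beyond the report’s extension-only advice by also comparing the file’s leading bytes with what the extension claims; all file names and payload bytes are constructed for the example.

```python
import re

# Constructed sample attachments (name, leading bytes); payload bytes are fabricated.
SAMPLE_ATTACHMENTS = [
    ("tax_statement.pdf.exe", b"MZ\x90\x00\x03\x00"),   # .pdf followed by .exe
    ("refund_notice.docx.exe", b"MZ\x90\x00\x03\x00"),  # fake Word document
    ("rejected_return.zip", b"MZ\x90\x00\x03\x00"),     # .exe in the guise of a .zip
    ("tax_form.html", b'<html><body><form action="http://example.invalid/collect" method="post">'),
    ("receipt.pdf", b"%PDF-1.4\n"),                      # benign: content matches extension
    ("archive.zip", b"PK\x03\x04\x14\x00"),             # benign: real ZIP signature
]

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "txt"}
# Leading bytes a file with this extension is expected to start with.
MAGIC = {"pdf": b"%PDF", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "exe": b"MZ"}


def classify_attachment(name, head):
    """Return the reasons (empty list if none) an attachment matches the report's lures."""
    reasons = []
    exts = name.lower().split(".")[1:]          # "a.pdf.exe" -> ["pdf", "exe"]
    final = exts[-1] if exts else ""
    # 1. Decoy document extension immediately followed by an executable one.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{final}")
    elif final in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment .{final}")
    # 2. Content contradicts the extension (a PE image named .zip, a .pdf without a %PDF header).
    if head.startswith(b"MZ") and final != "exe":
        reasons.append(f"PE header but extension .{final}")
    elif final in MAGIC and not head.startswith(MAGIC[final]):
        reasons.append(f"content does not match .{final} signature")
    # 3. Standalone HTML page carrying a form, as in the local phishing attack described above.
    if final in {"html", "htm"} and re.search(rb"<form[^>]*\baction=", head, re.I):
        reasons.append("HTML attachment with a form (standalone phishing page)")
    return reasons


def scan(attachments):
    """Map each flagged attachment name to its reasons; clean files are omitted."""
    return {name: r for name, head in attachments if (r := classify_attachment(name, head))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```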

CONCLUSION

Although phishing attack numbers can fluctuate monthly and depend on factors that are harder to predict, trends such as annual tax filing season remain rather consistent.

Tax-filing season is probably one of the most popular times of the year for phishers to hit taxpayers with spam and malware infections, since tax authorities can be a driver that would make people react quickly to emotional triggers such as:

– Entitlement – expecting a tax refund and wishing to receive it ASAP
– Anxiety – being faced with the (false) accusation of a rejected/fraudulent statement and wanting to rectify the issue
– Sense of obligation – having to comply with the civil obligation to report to the taxation authorities

In terms of the time-span for this seasonal trend, tax deadlines typically fall on April 15, but fraudsters are known to begin sending this type of spam in February and continue spreading the campaigns well into May and June, in the shape of fake returns and bogus rejected/fraudulent statements. This phenomenon is often reflected in phishing attack spikes recorded annually through Q2. Just as financial institutions have been active in educating online users, tax agencies have also started similar campaigns to warn consumers to be alert during tax season.

Figure: Tax Authority Online Service Takeover Attempt. Email purporting to come from a tax authority, hosting a standalone phishing attack to harvest taxpayer information.


Phishing Attacks per Month

RSA identified 24,347 phishing attacks launched worldwide in March, marking an 11% decrease in attack volume from the previous month, yet a 27% increase year-over-year in comparison to March 2012.

Number of Brands Attacked

In March, 260 brands were targeted in phishing attacks, marking a 1% increase from February. Of the 260 targeted brands, 46% suffered five attacks or less.

Chart data for both charts, as recovered from the extracted data labels (Source: RSA Anti-Fraud Command Center):

Month    Phishing attacks    Brands attacked
Mar 12   19,141              303
Apr 12   35,558              288
May 12   37,878              298
Jun 12   51,906              259
Jul 12   59,406              242
Aug 12   49,488              290
Sep 12   35,440              314
Oct 12   33,768              269
Nov 12   41,834              284
Dec 12   29,581              257
Jan 13   30,151              291
Feb 13   27,463              257
Mar 13   24,347              260


Top Countries by Attack Volume

The U.S. was targeted by about half of all phishing volume in March. The UK accounted for 13% of attack volume while South Africa experienced an increase with 9% of attack volume. After the UK, the Netherlands was the country in Europe that endured the second highest attack volume in March at 5%.

Chart data (share of attack volume, March 2013):
U.S. 49%
United Kingdom 13%
South Africa 9%
Netherlands 5%
Canada 4%
India 4%
38 Other Countries 16%

US Bank Types Attacked

U.S. nationwide banks saw a slight decline in attack volume in March – decreasing 6%. However, credit unions saw a relatively sharp increase, more than doubling from 8% to 17%. On occasion, phishers like to change up their attack methods and go after less targeted financial institutions, attempting to see if online/phone banking security measures with these banks could be more easily exploited.

Chart data, share of U.S. attack volume by bank type, as recovered from the extracted data labels (Source: RSA Anti-Fraud Command Center; the chart legend did not survive extraction, so the middle series is labelled only as the remaining banks):

Month    Credit unions    Other banks    Nationwide banks
Mar 12   12%              30%            58%
Apr 12   7%               11%            82%
May 12   20%              18%            62%
Jun 12   10%              12%            78%
Jul 12   11%              15%            74%
Aug 12   11%              15%            74%
Sep 12   9%               14%            77%
Oct 12   9%               14%            77%
Nov 12   12%              9%             79%
Dec 12   6%               15%            79%
Jan 13   15%              15%            70%
Feb 13   8%               23%            69%
Mar 13   17%              23%            60%


Top Countries by Attacked Brands

U.S. brands were once again most targeted by phishing in March, experiencing 27% of attack volume. Together, brands in the UK, Australia, India and Brazil accounted for 25% of attack volume.

Chart data (share of attacked brands, March 2013):
U.S. 27%
United Kingdom 12%
Australia 5%
Brazil 4%
India 3%
39 Other Countries 48%

Top Hosting Countries

In March, the U.S. hosted just over half of all global phishing attacks, followed by Germany, Canada and the UK. Colombia hosted 3% of phishing attacks during the month.

Chart data (share of hosted attacks, March 2013):
U.S. 51%
Germany 6%
Canada 5%
United Kingdom 4%
Colombia 3%
Netherlands 3%
57 Other Countries 28%


CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. APR RPT 0413