At a glance.
- UK, US tax agencies alert tax preparation services to social engineering threats.
- Yandex investigates insider's theft and sale of user data.
- Data breach reported at Syracuse University.
- Brazilian authorities investigate apparent telco data breach.
- Data breach at Canadian car rental company.
- Notes on US Customs and Border Protection's facial recognition trials.
Nothing is certain except death, taxes, and data theft.
As April approaches, Americans find themselves drowning in the annual slog of tax season. Further complicating matters, the US Internal Revenue Service has issued a warning that identity thieves are taking advantage of the rush to file tax returns by attempting to steal tax preparers’ Electronic Filing Identification Numbers (EFINs), reports Bleeping Computer. A phishing campaign using emails with the subject line "Verifying your EFIN before e-filing" is attempting to convince tax officials to email cybercriminals documents containing their tax credentials. If the attackers succeed, they can then use the EFINs to impersonate tax professionals and file for fraudulent tax refunds. The announcement, which also warns against ransomware attacks, continues, “Some thieves also pose as potential clients, an especially effective scam currently because there are so many remote transactions during the pandemic.”
Meanwhile across the pond, the end of January heralded the close of the UK tax season, which means citizens are anxiously awaiting notice of their tax refunds. Naked Security reports that an SMS-based phishing (or "smishing") campaign is underway that involves a text message masquerading as a tax refund notification from Her Majesty’s Revenue and Customs (HMRC). This particular scam is surprisingly convincing, as the hackers have created believable facsimiles of HMRC webpages, complete with Covid warnings to add a touch of timeliness. The only giveaways are the lack of a .gov.uk domain (which is nearly impossible to obtain unless authorized) and a few grammatical errors.
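The ".gov.uk domain" giveaway is easy to state and surprisingly easy to get wrong when checked by eye, since a lookalike can put "gov.uk" inside a longer hostname or in the user-info part of a URL. The following is an added illustration, not code from Naked Security or HMRC, of how a defender's SMS filter can check the registrable host properly; all sample messages and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample texts for illustration; none is a real message from the campaign.
SAMPLE_MESSAGES = {
    "legit_style": "HMRC: your tax refund is ready. Sign in at https://www.tax.service.gov.uk/ to view it.",
    "lookalike_subdomain": "HMRC: claim your refund at https://hmrc.gov.uk.refund-claim.example/claim",
    "userinfo_trick": "HMRC refund waiting: https://hmrc.gov.uk@refund-claim.example/claim",
    "hyphen_lookalike": "Your HMRC refund of GBP 265.84 is pending, go to https://hmrc-gov-uk.example/r",
    "no_link": "HMRC: your return has been received.",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in a text message, with trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def hostname_of(url):
    """Hostname of a URL with user-info and port removed (urlsplit lower-cases it)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def is_gov_uk(host):
    """True only if the host is gov.uk itself or a genuine subdomain of it.

    A plain substring test ("gov.uk" in host) would pass the lookalikes above;
    the suffix test anchored on the dot does not.
    """
    host = host.lower()
    return host == "gov.uk" or host.endswith(".gov.uk")


def assess_sms(text):
    """Classify a message that claims to come from HMRC.

    Returns (verdict, offending_urls). A message with no link gets 'no_link';
    any link outside .gov.uk makes the message 'suspicious'.
    """
    urls = extract_urls(text)
    if not urls:
        return "no_link", []
    offending = [u for u in urls if not is_gov_uk(hostname_of(u))]
    if offending:
        return "suspicious", offending
    return "domain_consistent", []


if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        verdict, bad = assess_sms(msg)
        print(f"{label:20s} -> {verdict} {bad}")
```

The check only covers the giveaway the article names: a .gov.uk host is necessary for a genuine HMRC link, not sufficient, and a message with no link at all (one that asks the recipient to call a number instead) needs a different rule.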
We heard from some industry sources about the annual recurrence of tax scams. Erich Kron, security awareness advocate at KnowBe4, wrote:
“Tax scams are expected during the first quarter of each year. They are as inevitable as paying taxes. These scams use a multitude of scenarios that individuals and organizations face each year, as they work through the often confusing, stressful and frustrating task of figuring out how much they will owe or will get refunded, by the government. This stress and confusion only serve to make the scammers' job easier.
"These tax-themed email phishing attacks are a powerful tool for cybercriminals to steal sensitive information such as social security numbers or bank account information, redirect payments or steal credentials that will allow them to file fake tax returns.
"To defend against these scams, educating people about the types of scams occurring and the red flags, such as links that go to different websites when you hover over them, unexpected requests for sensitive information such as login information or social security numbers, is critical. If this information is requested, the person should contact the requester at a known good phone number or other methods besides replying to the email to confirm the request. If something in an email, phone call or text message triggers a strong emotional reaction, the recipient should be very careful when proceeding.”
Purandar Das, CEO and co-founder of Sotero Software, noted in an email that, while this may well seem to be the usual stuff we see every late winter and early spring, there's a bit of a shift in approach and targeting:
“This is another attempt at how criminals continue to evolve their trade. On the face of it, it appears as though this is a new scheme. In reality, it is the same old phishing scam targeting a new area. This is a cat and mouse game in many ways. As organizations attempt to fix a previous fault, criminals adapt and target the “fix”. What this demonstrates is that criminals are more nimble and can adapt faster. Awareness is certainly a key aspect of addressing this issue. Making consumers and individuals less susceptible to manipulation is critical. The other aspect of this is rethinking the technology and security implementations. Building and designing solutions that enable consumers to be in control of their data is one. Enabling a secure process of accessing and enabling second party access is another. Revisiting technology platforms that are more flexible and implementing a continuous improvement focus on security has to happen.”
Abhay Bhargav, CEO at we45, also commented, with an email that emphasized the seasonality of this and other phishing trends:
“This is not uncommon, as a standard seasonal phishing attack. During special events or at certain specific moments in time, phishers leverage that event as an opportunity to financially cash in on the event. In this case, clearly the objective is to deploy malware on the tax preparer's machines and cause some data exfiltration over time. This is valuable data, from an attacker's perspective. By compromising tax filing professionals, there could be several possible outcomes, including:
- "Highly confidential detail of the tax preparer's clients and their personal and financial information.
- "Access to Banking Information and possibly credit card information of the clients”
Yandex employee sells user accounts.
The data of nearly five thousand users were compromised when an employee of Yandex, the Russian email provider and search engine, sold user email accounts to unauthorized third parties, reports ZDNet. The breach was discovered during routine screening by Yandex’s security team. As the investigation unfolds, Yandex has begun the process of contacting the impacted individuals, securing affected accounts, and tightening administrator access to protect against future leaks.
Syracuse University breach exposes student data.
Syracuse University, located in the US state of New York, suffered a data breach in which the names and social security numbers of 9,800 students, alumni, and applicants were exposed, Campus Security & Life Safety reports. The incident occurred in September when an unauthorized party gained access to an employee account. An investigation in January revealed that private info was present in the account, but it is unclear whether the cybercriminal viewed or downloaded it. The University is responding by providing credit checks and beefing up employee training, but so far there has been no campus-wide announcement, and it is unclear why the school waited so long to inform the exposed individuals.
Two Brazilian mobile phone carriers deny breach.
A cybercriminal claims he has obtained the data of over 102 million mobile phone lines from Brazilian phone carriers Vivo and Claro in what Brazil’s National Data Protection Authority (ANPD) has deemed the second largest breach in the country this year, reports ZDNet. The compromised information includes names, taxpayer registration numbers, phone logs, and even information regarding president Jair Bolsonaro. Vivo and Claro, however, are denying that a breach occurred, and cybersecurity firm Psafe hasn’t yet found evidence that the carriers were involved. The ANPD is working with the Federal Police to determine exactly what happened.
Canadian car rental company victim of ransomware attack.
Popular Canadian automobile rental company Discount Car and Truck Rentals was hit with a ransomware attack carried out by cybercriminal gang DarkSide, BleepingComputer reports, and the incident has shut down the company’s online rental website. In a statement on DarkSide’s data leak site, the gang claims they stole 120GB of data and, as evidence, released screenshots of Discount’s folder list. A spokesperson for Discount, which is owned by US-based car rental giant Enterprise Holdings, told IT World Canada, “A fully-dedicated team isolated and contained the attack quickly. The team is working to investigate and restore service as quickly and safely as possible.”
Notes on facial recognition trials.
US Customs and Border Protection's Trade and Travel Report Fiscal Year 2020 continues to draw attention, not least for the low rate at which its facial recognition tools detected impostors at ports of entry. CBP reads this as a success, its critics as evidence of failure. It's probably more complicated than that. Stuart Sharp, Vice President of Technical Services at OneLogin, wrote to comment on the report:
“We should not assume that the CBP facial recognition tools have failed simply by a lack of impostor identification, as this may simply be the result of fewer individuals attempting to enter the country as a result of Covid. Nevertheless, while biometrics have a role to play in identification, it does face significant limitations. Most people don’t realize that biometric authentication relies on a probabilistic model, not [a] deterministic [one]. When comparing a facial or fingerprint scan to the stored value, the system accepts a degree of variation. This is called the False Acceptance Rate (FAR) metric, which is the probability that the system will incorrectly identify a user as valid. Realizing that facial recognition is simply verifying that the scan is ‘similar’ to the stored image, you can see that there is a real risk that the CBP tools are not detecting skillful impostors.”
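Two points in that comment are easier to see with numbers: the acceptance threshold trades the False Acceptance Rate against the rate at which genuine travellers are turned away (the standard complementary metric, the False Rejection Rate, which the comment does not name), and the count of impostors a tool reports depends on how many impostors tried, not only on how good the tool is. The script below is an added illustration, not anything from the CBP report or from OneLogin; the similarity scores are constructed, with the two highest impostor scores standing in for the "skillful impostors" the comment worries about.

```python
# Constructed similarity scores (0 = no resemblance, 1 = identical); not data from CBP or OneLogin.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.87, 0.85, 0.83, 0.80, 0.78, 0.72]
IMPOSTOR_SCORES = [0.20, 0.25, 0.31, 0.35, 0.40, 0.44, 0.52, 0.61, 0.70, 0.82]
# 0.70 and 0.82 model "skillful impostors" who closely resemble the enrolled person.


def accepts(score, threshold):
    """The system accepts a scan whose similarity reaches the threshold."""
    return score >= threshold


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostor attempts the system would accept."""
    return sum(accepts(s, threshold) for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: share of genuine travellers the system would turn away."""
    return sum(not accepts(s, threshold) for s in genuine) / len(genuine)


def threshold_for_far(target_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest candidate threshold (taken from the observed scores) whose FAR
    does not exceed the target; None if no threshold achieves it."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= target_far:
            return t
    return None


def expected_detected_impostors(attempts, threshold):
    """Impostors you would expect to catch out of `attempts` at this threshold.

    Halving the attempts halves the catches even though the tool is unchanged,
    which is the comment's point about fewer travellers during Covid.
    """
    return round(attempts * (1 - far(threshold)))


def tradeoff_table(thresholds=(0.65, 0.75, 0.85)):
    """FAR and FRR at each threshold, to show the trade-off between them."""
    return {t: (far(t), frr(t)) for t in thresholds}


if __name__ == "__main__":
    for t, (a, r) in tradeoff_table().items():
        print(f"threshold {t:.2f}: FAR={a:.2f} FRR={r:.2f}")
    print("lowest threshold with FAR <= 0.1:", threshold_for_far(0.1))
    print("expected catches at 0.75 from 1000 vs 100 impostor attempts:",
          expected_detected_impostors(1000, 0.75), expected_detected_impostors(100, 0.75))
```

In this constructed set, pushing FAR to zero requires a threshold of 0.83, at which three of ten genuine travellers are rejected; at a more tolerant 0.65 nobody genuine is rejected but both skillful impostors walk through. Real deployments tune this point against far larger samples, but the shape of the trade-off is the same.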