Researchers see spike in off-season IRS-impersonating phishing attacks

A fake IRS site used in a series of phishing campaigns that Akamai observed from August to October. Image credit: Akamai

Tax scams usually peak early in the year, when scammers can convert victims' stolen personal information into fraudulent tax refund claims. But members of Akamai's threat research team found a recent surge in off-season phishing attacks, disguised as notices from the Internal Revenue Service and targeting more than 100,000 people. The attackers used at least 289 different domains to host fake IRS websites, the majority of them legitimate sites that had been compromised. This wave of attacks came as the October 15 filing deadline for people who had requested extensions was approaching.

According to a report from Akamai's Or Katz, the phishing campaigns started in the second half of August, with the majority of victims targeted between August 22 and September 5, but new campaigns continued to be launched into October. Each of the fake websites used visually identical HTML pages, but with randomly generated style tags and other content, in an effort to evade signature-based detection by security software: every copy hashes differently even though the page the victim sees is the same.
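The randomization described above defeats signature matching on raw page bytes, but not matching on what the kit cannot randomize without changing its behavior: the tag structure, the visible text, and the form fields that harvest the data. The following Python script is an added example (not Akamai's code, and not from the report) showing that difference. The two HTML samples are constructed to mimic the behavior the article describes (same page, different style block, class and id values per copy); the credential-collection URL `https://example.test/collect.php` and the field names are invented placeholders.

```python
"""Structural fingerprinting of phishing pages whose inline styles vary per copy.

Added example, not code from the article or from Akamai. A SHA-256 over the raw
HTML differs for every copy of the kit; a SHA-256 over a normalized token stream
(tag names, a whitelist of meaningful attributes, visible text) stays constant,
so copies hosted on different compromised domains can still be matched.
"""
import hashlib
from html.parser import HTMLParser

# Constructed samples: identical page, randomized <style> body, class and id.
SAMPLE_A = """<html><head><title>IRS e-Services</title>
<style>.x8a1{color:#1a1a1a;font:14px Arial}</style></head>
<body class="x8a1" id="q7z2"><h1>Internal Revenue Service</h1>
<form action="https://example.test/collect.php" method="post">
<input name="ssn" placeholder="Social Security Number">
<input name="pin" placeholder="e-File PIN"><button>Verify</button></form>
</body></html>"""

SAMPLE_B = """<html><head><title>IRS e-Services</title>
<style>.kq33p{color:#1b1b1b;font:14px Helvetica}</style></head>
<body class="kq33p" id="m4rr9"><h1>Internal Revenue Service</h1>
<form action="https://example.test/collect.php" method="post">
<input name="ssn" placeholder="Social Security Number">
<input name="pin" placeholder="e-File PIN"><button>Verify</button></form>
</body></html>"""

# Attributes that define what the kit does (where data goes, which fields it
# asks for). Everything else (class, id, style, data-*) is noise the attacker
# can regenerate per copy, so it is dropped from the fingerprint.
KEEP_ATTRS = {"action", "method", "name", "placeholder", "type", "href", "src"}
SKIP_TAGS = {"style", "script"}  # bodies of these are where randomization lives


class StructureExtractor(HTMLParser):
    """Collects a normalized token stream: tags, kept attributes, visible text."""

    def __init__(self):
        super().__init__()
        self.tokens = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self._skip_depth += 1
            return
        kept = sorted((k, v or "") for k, v in attrs if k in KEEP_ATTRS)
        self.tokens.append("<%s %s>" % (tag, " ".join("%s=%s" % kv for kv in kept)))

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        self.tokens.append("</%s>" % tag)

    def handle_data(self, data):
        if self._skip_depth:
            return  # CSS / JS text is ignored entirely
        text = " ".join(data.split())  # collapse whitespace-only nodes
        if text:
            self.tokens.append(text)


def raw_hash(html: str) -> str:
    """Naive signature: hash of the bytes as served. Changes per copy."""
    return hashlib.sha256(html.encode()).hexdigest()


def structure_hash(html: str) -> str:
    """Structural signature: hash of the normalized token stream."""
    parser = StructureExtractor()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.tokens).encode()).hexdigest()


def same_kit(html_a: str, html_b: str) -> bool:
    """True when two pages share structure, text and form targets."""
    return structure_hash(html_a) == structure_hash(html_b)


if __name__ == "__main__":
    print("raw hashes match:      ", raw_hash(SAMPLE_A) == raw_hash(SAMPLE_B))
    print("structure hashes match:", same_kit(SAMPLE_A, SAMPLE_B))
```

The whitelist in `KEEP_ATTRS` is the tunable part: it should name only attributes the kit must keep stable to function (the form's `action`, the input `name` values it expects server-side), since anything else will be randomized by the next kit revision. A kit that also rotates its collection URL per copy would need `action` dropped from the whitelist, at the cost of matching more pages.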

Most of the domains were active for less than 20 days. However, a significant number of them remained active after a month, unnoticed by the sites' owners. "The lack of maintenance on older websites, as well as the challenges of patching and removing injected content, explains the duration during which phishing pages can remain active," Katz wrote.

This matches Ars' own research into phishing infrastructure, as well as other research by Akamai. Because of their age, and the lack of attention paid by owners who often pay someone to set a site up and then never maintain it, older sites running "legacy" versions of WordPress and other content management systems are a prime target for phishing operators: they carry a higher reputation score than freshly registered domains. Depending on how thoroughly the site has been compromised, the attackers can even create subdomains and obtain their own TLS certificates for the phishing site, so the browser's padlock icon gives the victim no warning.

With scams like this now running throughout the year, it is worth reminding friends and family that the IRS does not email or call you about back taxes or other matters; those notifications arrive only by paper mail, usually registered mail. So don't click.
