<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; irs</title>
	<atom:link href="http://krebsonsecurity.com/tag/irs/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 13:50:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>IRS Scam: Phishing by Fax</title>
		<link>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/</link>
		<comments>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 14:57:18 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[866-513-7982]]></category>
		<category><![CDATA[irs]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing by fax]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=8886</guid>
		<description><![CDATA[Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the Internal Revenue Service.   Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient's income tax return and requests that personal information be sent via fax to a toll-free number.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/03/irsseal.jpg"><img class="alignright size-full wp-image-8887" title="irsseal" src="http://krebsonsecurity.com/wp-content/uploads/2011/03/irsseal.jpg" alt="" width="243" height="242" /></a>Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the <strong>Internal Revenue Service</strong>.   Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient&#8217;s income tax return and requests that personal information be sent via fax to a toll-free number.</p>
<p>A new phishing campaign that began sometime in the last 24 hours is made to look like it was sent from irs@irsonline.gov, and urges recipients to fill out, print, and fax an attached PDF tax form. From the scam email:</p>
<blockquote><p>*This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing. If you have already filed for your 2010  tax refund please get hold of a new form 1040 and<br />
mail it to the  Department of the Treasury in your region.*</p>
<p>*If for any reason you have not yet filed for your 2010  Individual<br />
Income Tax Return please print out the attached PDF form, fill it and<br />
fax it to the IRS data center on <a href="tel:%28866%29%20513-7982">(866) 513-7982</a> within 24 hours.*</p>
<p>*This has no bearing on your 2010 U.S. Individual Income Tax Return,<br />
this to update our data and survey while we prepare to close the 2010<br />
tax filing season.*</p>
<p>*Thank you *</p></blockquote>
<p>That 866- phone number is currently returning a fast-busy signal, which suggests either that a lot of people are falling for this scam, or that anti-scammers are speed-dialing the number in a bid to prevent would-be victims from faxing in their forms. My guess is that this scam is tied to some kind of automated service that scans faxes and then emails the phishers copies of the scanned images.</p>
<p>It&#8217;s worth noting that the data requested in <a title="Bogus IRS 1040 form (note the OMB mention)" href="http://krebsonsecurity.com/wp-content/uploads/2011/03/1040-Data-Update-Form1.pdf" target="_blank">this bogus IRS form</a> includes the Social Security number, <a href="http://www.irs.gov/individuals/article/0,,id=213471,00.html" target="_blank">e-File PIN</a> and <a title="Adjusted Gross Income" href="http://www.irs.gov/irs/article/0,,id=234371,00.html" target="_blank">adjusted gross income</a>, all of which are crucial pieces of information that the IRS uses to authenticate taxpayers.</p>
<p>The IRS has been careful to note that while it may conduct follow-up correspondence with taxpayers via email if the taxpayer chooses to communicate that way, it will never reach out to taxpayers via email. Consumers can report any tax-related phishing scams to phishing@irs.gov.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube</title>
		<link>http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/</link>
		<comments>http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 19:03:54 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[gary warner]]></category>
		<category><![CDATA[irs]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[Youtube]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3484</guid>
		<description><![CDATA[Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.]]></description>
			<content:encoded><![CDATA[
<p>Criminals have launched a major e-mail campaign to deploy the infamous <strong>ZeuS Trojan</strong>, blasting out spam messages variously disguised as fraud alerts from the <strong>Internal Revenue Service</strong>, <strong>Twitter</strong> account hijack warnings, and salacious <strong>Youtube.com</strong> videos.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/06/irs610.jpg"><img class="alignright size-medium wp-image-3485" title="irs610" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/irs610-300x214.jpg" alt="" width="300" height="214" /></a>According to <strong>Gary Warner</strong>, director of research in computer forensics at the <strong>University of  Alabama, Birmingham</strong>, this <a href="http://garwarner.blogspot.com/2010/06/irs-malware-notice-of-underreported.html" target="_blank">latest attack</a> appears to be an extension of a broad malware spam campaign that began at the end of May.</p>
<p>The fake IRS e-mails arrive with the tried-and-true subject line &#8220;Notice of Underreported Income,&#8221; and encourage the recipient to click a link to review their tax statement.</p>
<p>All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)&#8230;</p>
<p><span id="more-3484"></span></p>
<p>hxxp://qurl.com/zv9j7</p>
<p>&#8230;.when clicked redirects to:</p>
<p>hxxp://www.irs.gov.vrddr.ru/fraud_application/directory/statement.php?tid=00000143073750US</p>
<p>&#8230;.which takes the user to one of dozens of identical Web pages that spoof the IRS and encourage visitors to download and review their tax statement, which is of course a powerful and stealthy password-stealing program.</p>
<p>Warner said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious, yet none of those currently identify it for what it is: Another new version of the <a href="http://krebsonsecurity.com/?s=ZeuS+Trojan&amp;x=0&amp;y=0" target="_blank">ZeuS Trojan</a>.</p>
<p>These broad attacks usually are quite successful, and in the past they have been used to great effect by the same criminal gangs that have been stealing tens of millions of dollars from small to mid-sized businesses. In September 2009, I wrote about a landfill service company in New York that had <a href="http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html" target="_blank">$150,000 stolen from its online bank account</a> after an employee opened one of these ZeuS-laden bogus IRS e-mails.</p>
<p>A word to the wise: Do not click on attachments included in unsolicited e-mails, especially those that encourage you to act quickly or else suffer some scary fate. These are almost universally scams or attempts to plant malicious software on your computer. Also, note that the IRS has stated  emphatically that it does not communicate with citizens via e-mail.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/feed/</wfw:commentRss>
		<slash:comments>41</slash:comments>
		</item>
		<item>
		<title>Money Mules Helped to Rob W. Va. Bank</title>
		<link>http://krebsonsecurity.com/2010/01/money-mules-helped-to-rob-w-va-bank/</link>
		<comments>http://krebsonsecurity.com/2010/01/money-mules-helped-to-rob-w-va-bank/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 14:20:35 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[alliance-group.cc]]></category>
		<category><![CDATA[first sentry bank]]></category>
		<category><![CDATA[irs]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[security fix blog]]></category>
		<category><![CDATA[ups]]></category>
		<category><![CDATA[urkraine moldova]]></category>
		<category><![CDATA[von ormy]]></category>
		<category><![CDATA[western union]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=201</guid>
		<description><![CDATA[I have written a great deal about how organized cyber gangs in Eastern Europe drained tens of millions of dollars from the bank accounts of small- to mid-sized businesses last year. But new evidence indicates one of the gangs chiefly responsible for these attacks actually managed to hack directly into a U.S. bank last year and siphon off tens of thousands of dollars.]]></description>
			<content:encoded><![CDATA[
<p>I have written a great deal about how organized cyber gangs in Eastern Europe drained tens of millions of dollars from the bank accounts of small- to mid-sized businesses last year. But new evidence indicates one of the gangs chiefly responsible for these attacks managed to hack directly into a U.S. bank last year and siphon off tens of thousands of dollars.</p>
<p>On July 30, 2009, at least five individuals across the United States each received an electronic transfer of funds for roughly $9,000, along with instructions to pull the cash out of their account and wire the funds in chunks of less than $3,000 via <strong>Western Union</strong> and <strong>Moneygram</strong> to three different individuals in Ukraine and Moldova.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/basicmule.jpg"><img class="alignleft size-medium wp-image-350" title="basicmule" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/basicmule-231x300.jpg" alt="" width="231" height="300" /></a>The recipients had all been hired through work-at-home job offers via popular job search Web sites, and were told they would be acting as agents for an international finance company. The recruits were told that their job was to help their employers expedite money transfers for international customers that were &#8212; for some overly complicated reason or another &#8212; not otherwise able to move payments overseas in a timely enough manner.</p>
<p>The money was sent to these five U.S. recruits by an organized ring of computer thieves in Eastern Europe that specializes in hacking into business bank accounts. The attackers likely infiltrated the bank the same way they broke into the accounts of dozens of small businesses last year: By spamming out e-mails that spoofed a variety of trusted entities, from the IRS, to the Social Security Administration and UPS, urging recipients to download an attached password-stealing virus disguised as a tax form, benefits claim or a shipping label, for example. Recipients who opened the poisoned attachments infected their PCs, and the thieves struck gold whenever they managed to infect a PC belonging to someone with access to the company&#8217;s bank accounts online.</p>
<p><span id="more-201"></span></p>
<p>In each of those attacks, when the attackers found credentials for commercial bank accounts, they would log in to the victim&#8217;s account and set up bogus payroll payments to the newly-hired financial agents &#8212; known to the criminals and law enforcement alike as &#8220;money mules.&#8221; I&#8217;ve also interviewed dozens of these mules, and each one I spoke with said the deposits they received were all accompanied by e-mail messages stating the amount and time of the transfer, as well as the name of the &#8220;client&#8221; whose money their employers were supposedly &#8220;helping&#8221; to move.  <span class="pullquote">In every case, the name listed in the e-mail as the &#8220;client&#8221; was in fact a company that the thieves had looted</span> (see <a href="http://voices.washingtonpost.com/securityfix/2009/09/money_mule_recruitment_101.html">Money Mule Recruitment Network Exposed</a> for another example of this).</p>
<p>On July 30, 2009, the thieves sent out at least five payments totaling nearly $50,000 to five separate money mules. In each case, the name of the client listed in the e-mail message the criminals sent to alert them of the transfer read &#8220;FIRST SENTRY BANK,&#8221; suggesting that the theft was the result of a computer compromise inside of First Sentry.</p>
<p>I attempted numerous times to get a response from someone at Huntington, West Virginia-based First Sentry Bank about the July attack. I left no fewer than seven phone messages and sent several e-mails to bank employees, explaining who I was and the reason for my inquiry. To this day, I have yet to receive so much as a &#8220;no comment.&#8221;</p>
<p>One of the money mules who helped move money out of First Sentry was a 65-year-old woman from Von Ormy, Texas, who spoke on condition of anonymity. She said she successfully withdrew the $9,099 sent to her from First Sentry, and wired it to three different individuals in Eastern Europe, as instructed. Four other money mules who helped launder funds stolen from First Sentry said they received similar amounts, and that their e-mailed receipts also listed First Sentry as the client. It is quite possible that the mules I spoke with represent a fraction of those who received funds in this attack: Some of the <a href="http://voices.washingtonpost.com/securityfix/small_business_victims/" target="_blank">more than two dozen victims of this crime</a> that I&#8217;ve chronicled lost upwards of $500,000.</p>
<p>The Von Ormy mule said she suspected the job may not have been legitimate, but decided she needed the money too badly to turn it down. She said she made about $500 off the transaction, after paying the fees to wire the money.</p>
<p>&#8220;I&#8217;m a senior citizen on a fixed income, and I hate to say it, but I did make some good money,&#8221; she said. &#8220;I knew it was too good to be true after making that doggone much money in one day, but it helped me out a lot.&#8221;</p>
<p>Below is the transaction message sent from the thieves to the Texas-based mule. Bobbear.co.uk, which does tireless work to track these scam Web sites, has a writeup <a href="http://www.bobbear.com/alliance-group-inc.html" target="_blank">here</a> on the site used to recruit the Von Ormy mule.</p>
<p>&#8212;&#8211; Original Message &#8212;&#8211;</p>
<p><strong>From:</strong> <a title="noreply@alliance-group.cc" href="mailto:noreply@alliance-group.cc">noreply@alliance-group.cc</a></p>
<p><strong>To:</strong> [redacted]</p>
<p><strong>Sent:</strong> Thursday, July 30, 2009 6:58 AM</p>
<p><strong>Subject:</strong> Attention: Transaction 136282 &#8211; new task for you</p>
<p>Dear [redacted],</p>
<p>We are glad to inform you about a new task! Please review transfer details:</p>
<p>Date: 30.07.2009 12:56:01<br />
Reference: 154226QL-30<br />
Amount: USD 9099<br />
Commission: USD 727.92 (8 %)<br />
FROM: FIRST SENTRY BANK</p>
<p>Funds should already be there at your bank account. Please contact your bank urgently and confirm that the money is available for withdrawal.</p>
<p>The next thing you have to do is to inform your personnel supervisor about the task status and perform three basic actions:</p>
<p><strong>1. LEARN MORE.</strong><br />
Make sure you&#8217;ve already read our detailed manual at: <a href="hxxp://alliance-group.cc/member/admin/job_instructions.php">hxxp://alliance-group.cc/member/admin/job_instructions.php</a></p>
<p><strong>2. WITHDRAW THE FUNDS.</strong><br />
Please visit your bank as soon as possible and withdraw the received funds. Usually this procedure doesn&#8217;t take more than 30 minutes.</p>
<p><strong>3. TRANSFER MONEY VIA WESTERN UNION (MONEY GRAM).</strong><br />
After cash withdrawal you are to make transfer(s) at your local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs, etc. are covered by you and are deducted from your commission.</p>
<p><em>* According to the contract terms, should your expenditures exceed 3% of the amount transferred, we&#8217;ll compensate you the difference. For more info, please read the EXHIBIT A part of the contract.</em></p>
<p>You are to make the following transfer(s):</p>
<p>Type: Money Gram<br />
Amount: 2790 USD<br />
Recipient&#8217;s First Name: Igor<br />
Recipient&#8217;s Last Name: Ilyin<br />
Recipient&#8217;s City: Odessa<br />
Recipient&#8217;s Country: Ukraine</p>
<p>Type: Money Gram<br />
Amount: 2700 USD<br />
Recipient&#8217;s First Name: VERA<br />
Recipient&#8217;s Last Name: KSENOFONTOVA<br />
Recipient&#8217;s City: Donetsk<br />
Recipient&#8217;s Country: Ukraine</p>
<p>Type: Western Union<br />
Amount: 2880 USD<br />
Recipient&#8217;s First Name: Constantin<br />
Recipient&#8217;s Last Name: Grozav<br />
Recipient&#8217;s City: Chisinau<br />
Recipient&#8217;s Country: Moldova</p>
<p>IMPORTANT: Before leaving for bank or WU you must read the detailed FAQ available HERE: <a href="hxxp://alliance-group.cc/member/admin/job_instructions.php">hxxp://alliance-group.cc/member/admin/job_instructions.php</a></p>
<p>*We kindly ask you to specify purpose of WU transfer: family (if required). It will allow us to avoid delays connected with Western Union policy concerning business transfers.</p>
<p>**All transfers must be made in USD. Use MONEY IN MINUTES type only (not MONEY IN DAYS).</p>
<p>***We recommend to use 2-3 different locations to complete the transaction.</p>
<p>Sincerely,</p>
<p>Support Team<br />
Alliance Group Inc<br />
<a href="mailto:support@alliance-group.cc">support@alliance-group.cc</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/money-mules-helped-to-rob-w-va-bank/feed/</wfw:commentRss>
		<slash:comments>25</slash:comments>
		</item>
	</channel>
</rss>

