April 14, 2014

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The "drops" page of this tax  fraud operation lists the nicknames of the co-conspirators who agreed to "cash out" funds on the prepaid cards generated by the bogus returns -- minus a small commission.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”


I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers’ are up-to-date on anti-malware protection.”


According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.

105 thoughts on “Crimeware Helps File Fraudulent Tax Returns

  1. Otto

    When ROI is the driving force in outsourcing services, the SaaS companies give you what you pay for. And as usual, it is security that is not accounted for in the ROI. That’s not the fault of the SaaS companies…

    It seems that number of companies that had have their UltiPro services exploited did not subscribed to the PingOne SSO service, that integrates SAML based authentication to the SaaS applications. Provided the AD password policy meets the standard requirements and access to the a given company’s HR system is restricted by source IP, the chances are that would have been harder to exploit. Not impossible, but not as easy as the hackers made it look. Albeit, in the world of consumerization of IT, restriction by source IP is hard to sell nowadays…

    UltiPro having the PingOne SSO service as additional service is also questionable. Shouldn’t this service be part of the basic package like it used to be, when SAML integration started to pick up?

  2. Harry

    it looks like the IRS is actually starting a pilot program with Identity Protection PINs in certain states (http://www.irs.gov/uac/Newsroom/2014-Identity-Protection-PIN-%28IP-PIN%29-Pilot)

    IP PINs are different than regular e-file PINs (which can be used in place of self select PINs or last-year’s adjusted Gross income info).

    However, i don’t necessarily see how a static/permanent 6-digit PIN will hold off the criminals for long. Just like a 9-digit SSN# hadn’t so far.

    Perhaps something on the order of a OTP such as google-authenticator, RSA key, or Yubikey will be required in the future; while these are not foolproof either, they are light years ahead from “PINs” and will make it much, much harder for criminals to abuse tax filings.

  3. Serena

    While doing some searching last night I found that there’s UltiPro for iPhone. Would it necessarily be easier to steal credentials if the person is accessing UltiPro through a phone?

  4. Eric

    The IRS has addresses from the W-2, how hard is to flag returns going to other addresses, especially if they are out-of-character for the filer/on cards? Seems like the IRS forced the banks to institute all of these KYC rules over the past decade but didn’t wise up themselves one bit.

    1. qka

      The problem is that these refunds are electronic transfers going to electronic addresses.

      The IRS is very much pushing this for everyone, rather than paper checks by US Mail.

      Having a street address is meaningless in this context.

  5. Dennis Jugan

    // Seems like the IRS forced the banks to institute all of these KYC rules over the past decade but didn’t wise up themselves one bit. //
    It seems straightforward to infer that this statement concurs with best practice; but if you’ve had reason to observe IRS operations “up close and personal” it becomes very clear. My epiphany occurred during a recent audit. Don’t mistake my comments as being critical of the rank and file who labor daily in the trenches. They are often maligned unfairly.

    Just as the tax code in the U.S. is dysfunctional, so are matters inside this agency. Politicians and appointees are usually the genesis for this dysfunction. The IRS is understaffed, outgunned, and operates with IT systems that are outdated, incomplete, and/or inadequate.

    Adding insult to injury, they’ve had staffing cuts numbering some 10,000 members to reduce agency expenses by $1 billion dollars. Unfortunately, it’s estimated that these cuts result in an estimated loss of some $8 billion per annum in revenue.

    “Feared but Failing” is an adequate assessment.



    1. Mike

      I work in an anti fraud role and we are constantly playing catch up to the crooks. As soon as one scheme is discovered, another one is invented and the IRS and private companies have to institute new measures. My wife worked for a time at tax preparer and realized that the IRS relys on them for some of the security which is a mistake because they are just trying to get as much turnover as possible.

  6. Jon

    TurboTax, H&R Block, Ultimate Software, and similar companies should offer multifactor authentication to their websites. A username and password are not enough to secure this type of data.

  7. chaz

    It seems the IRS gambit is designed to have the refund go to a fictitious electronic transfer destination. IE: a checking, saving or some other E account assumed to belong to a legitimate tax filer. What would it take to park an APP in the IRS system that cross matches previous electronic accounts belonging to filers (employees/individuals/businesses) with the payment destination pitched by the fake filers. If there is no match the return will be flagged and subject to verification. Any “new” E account for that particular tax year, will automatically be subject to a “prove it” request by the IRS before payment is forwarded and could help prevent the impersonators from reaching the end game.

  8. It's been stolen

    I’m wondering how “Doug” got any info regarding the fraudulent filing from the IRS? Also, who did he contact at the FBI? I could really use some advice because this just happened to me. The IRS refuses to give me any details.

    I just found out on Friday that this happened to me. E-filed thru HRB on 4/13. Had an email a few days later saying that IRS rejected my filing, which I didn’t see until Friday, because I got a confirmation that my e-file was transmitted. Thinking it was some glitch, I called IRS and after waiting 45 minutes to speak to a human, was informed very nonchalantly that someone already filed a return using my name, SS# and DOB. The IRS would not tell me anything about when the fraudulent filing took place, what the salary was, what address they used, etc. What’s really “funny” is that I am disabled and have not been employed since 2004. Apparently the fact that I’ve filed married/joint since 2005 and have been on SSD since 2004 and “I” was suddenly filing single with some source of employment income sent up no flags at all. I’m wondering what WOULD cause an alert for a review of a return? Apparently nothing. If the criminals are using HRB to e-file, and I’ve used HRB to e-file, could it be that HRB’s database was compromised?

    The worst part of this is that our refund is really from my husband’s income and now he has to wait for what’s owed to him, because someone stole MY info. The thief doesn’t have “my” or “our” money. They have the government’s money. The income they filed is not based on my husband or me. We shouldn’t have to wait for my husband’s money while they do whatever it is they’re going to do.

    1. Deborah S

      I’m on disability too, and reading all these comments has me committed to filing in January every year from now, even though I will owe no taxes and have no refund due. It boggles my mind a bit, since everyone on Social Security with no other income is in the habit of never filing, and how the bad guys could claim refunds for every single one of them every year. And likely they wouldn’t be audited because all the dollar amounts are so low, but they would add up fast and no one would be the wiser.

      Probably no one has done this, but they could. I expect to get well from my illness and earn enough to owe taxes again someday, and I sure don’t want to find out that someone has been spoofing my identity with the IRS. Filing as early as possible stops all that from ever happening.

      1. It's been stolen

        Deborah S, if only it was “just” as bad as them filing a fraudulent tax return for a refund.

        With your soc sec #, name, and date of birth, they can get other info, apply for loans, get credit cards, use your name if arrested for crimes, change your address on accounts, and the list goes on. It’s the golden ticket, the key to access just about anything.

        Speaking from personal experience, this is absolutely devastating and the time I’ve spent hours so far and have only just begun the notification process.

        It’s positively disgusting.

        Everyone should order their free credit report once a year, just to make sure there’s nothing on it. This type of crime will become even more commonplace as more and more info is online, and companies will not bother to keep their security software updated because they don’t want to spend the $$$.

        1. Deborah S

          Oh yes, I was a bit naive in not thinking of everything else they could do if they know enough about you to file taxes with your identity. Your advice to check your credit report at least once a year is spot on, or use a free service like Credit Karma to monitor it for you. (They make money peddling credit offers to you, but you don’t have to accept them.) But in general, this is all surveillance of your accounts and financial presence in the world that you should be doing anyway. It takes so little time(10-15 min, every 2-3 weeks in my case), but the payoff in stopping something before it gets out of hand makes it very worthwhile cheap insurance.

          1. It's been stolen

            I just called Equifax to place the Initial Fraud Alert on all 3 reporting companies, and they told me I needed a monitoring service that’s $16.95 a month.

            I have a feeling they just took advantage of my emotional state in order to sell a product.

            I’m not usually naive, but I feel like I was pushed into something I might not actually need?

            Gah, isn’t there anyone honest out there anymore?

            1. BrianKrebs Post author

              I sincerely hope you didn’t pay for credit monitoring services from them. There is no cost for a fraud alert. It’s free, by law. If Equifax gives you the runaround, contact one of the other reporting bureaus. The one you file a fraud alert is required to alert the other two.

              Also, do it over the internet, which is easier and you avoid the hard sell.

              1. It's been stolen

                Yep, this was all through Equifax. I even told the rep that I felt he was just trying to sell me a product. He told me I needed it.

                I am calling them right now to cancel it.

Comments are closed.