January 31, 2017

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.

A cybercriminal shop selling 2016 W-2 tax data.

Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Tax data can be phished directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately.

Incredibly, this scam tricks countless organizations into giving away all employee W-2 data directly to identity thieves who use it (or, in this case, sell it) for tax refund fraud. Earlier this month, solar panel maker Sunrun disclosed that a spear phishing attack exposed W-2 tax form data on more than 3,400 employees.

In this case, however, it does not appear the cybercrime shop obtained the W-2’s through phishing employers. It cost roughly $25 worth of Bitcoin to reveal the likely common thread among all 3,600+ Floridians being exploited by this shop: A local tax preparation firm that got hacked or phished.

Two tax records that a source purchased from the shop listed Kirai Restaurant Group LLC in Fort Lauderdale, Fla. Kirsta Grauberger, managing partner of that organization’s physical property — the Market 17 & Day Market Kitchen — confirmed that the two W-2 records were tied to two employees.

But Grauberger said her company has employed fewer than 150 employees total since it opened for business six years ago. So which other company or companies account for the remaining 3,450 employees whose W-2 are for sale by this shop?

Grauberger told KrebsOnSecurity that her firm doesn’t even handle employee tax forms, and that her company outsourced that entire process to a local tax preparation firm called The Payroll Professionals.

W-2 information also was on sale for employees of a doctor’s office in Boca Raton, Fla. The medical office told KrebsOnSecurity that it, too, managed its payroll through the same third-party payroll management firm.

A man answering the phone at Payroll Professionals who would only give his name as “Robert” said the company was “aware of the potential hacking” and was in the process of informing its clients.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.

See last year’s Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache. But here are the main takeaways from that story:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. A freeze can help you stop ID thieves from opening new lines of credit in your name. Instructions for doing that are here. However, note that neither a credit freeze nor credit monitoring will stop ID thieves from filing a fraudulent refund request with the IRS in your name. Again, your best bet to prevent this is to file your taxes before the fraudsters can do it for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.


50 thoughts on “Shopping for W2s, Tax Data on the Dark Web

    1. Peter

      Brian gives the advise to file 14039 every year, but the problem here is that you are not supposed to do that unless you actually have been a victim or theer is direct cause you will be. The IRS does not have the capacity to process these kind of special returns for all Americans and residents.

      If you get accepted though, you’ll get the PIN automatically every year.

    2. Frank Rocap

      I got a PIN last year by request and received a new one for 2016 taxes without asking.

    3. Frank Rocap

      If you get accepted though, you’ll get the PIN automatically every year.

    4. MJP

      Paul, I believe once filed, the IRS will automatically send you a new annual pin. For how long I don’t know. I took Brian’s advice two years ago, received a pin, ard recently received a new pin for 2016.

  1. Steve R

    I am surprised they don’t go for more money considering how much they can be parlayed in to. And the worst type of phishing if you ask me.

    1. Bug

      I’m betting speed has to do with that. The clock is ticking. So you can either go for $100 a pop and maybe not sell at all, or sell cheap and churn the list more. It’s not a gold mine, more like a slot machine. Take what you can as soon as you can.

  2. IRS iTUNE cards (real)

    “virtually all of whom apparently reside in Florida” DOH!

    1. Annoymous

      Perhaps the list was sorted by state and he just happened to pick the Florida page to use as an example ?

      1. zboot

        I’m guessing you didn’t read the entire article. The source of the leak was identified. Which also answers why all of the records seemed to be from the same state. The payroll company likely primarily deals with local businesses which in turn, mostly have local employees on payroll.

  3. kelly

    The new IP Pin is sent automatically each year, by letter, in December.

  4. redguru

    DOT Form 14039 specifically requires in Section B “an explanation of the identity theft issue, how you became aware of it, and provide relevant dates.” (Fine if you’ve had an issue.)

    Also, Section D wants a clear and legible photocopy of your ID. Funny, but they will accept a Social Security Card. Arguably, one of the worst examples of Federal Issued Identification.

    Best advise is still…file early.

    1. Phil

      For the explanation, you might consider writing in the entire URL of this story…

  5. JJ

    Is it this company? http://www.thepayrollpros.com/about.html – “The Payroll Professionals Inc. is a family-owned payroll service bureau headquartered in Boca Raton, Florida.”

    If so, their “Client Log-In” and “Employee Self Service Login” links at the top go to an IP address using HTTP.

    It reverses to 66-29-253-146.ds1-static.mia1.net.ststelecom.com which according to SSL Labs has a CN of 192.168.168.168

    The cert is valid from 1970 until 2038 and the server header says “SonicWALL”.

    Sadly, they’ve been in business for 33 years so they’re probably very good at what they do and at a reasonable price but this could sink them if it’s really bad.

    1. web

      But they disabled right-click! Surely it’s secure enough؟

  6. Jewtopia

    “But Grauberger said her company has employed fewer than 150 employees total since it opened for business six year ago.”

    *years

    Thanks for the great article!

  7. IA Eng

    This system is broke. IF the government would grow a brain, there would be NO refunds. Tax the normal people on current waves and eliminate refunds.

    So what if a person owes more. The amount of savings overall is huge. It eliminates well over 75% of an avenue that seems unrepairable, saving the government, people of the USA and law enforcement a HUGE amount of hassle. Its not all about money – quality of life and less stress plays a big part in all this.

    1. IA Eng

      * wages

      Good old auto fill in thinks waves are better than wages. It might be right – If there is some eye candy and an ice cold beer within reach.

    2. Jon snow

      refunds come about do to tax deductions for kids, excessive medical costs, capital losses, charitable donations etc. also from incorrect witholding of which may not be noticed until w2 time, though for this instead of a letter designation for withholding they could use a percent.

      1. IA Eng

        So you’re happy with the sad state of affairs as is. Welcome to the procrastination of the united states. Think out of the box, it all can be adjusted and approximated. Its good for 75% percent of those that wouldn’t need to file. It’s crazy to think this solution of fraud and abuse will ever go away. It happens internally at the IRS as well as outside. Change the process, break the trend.

  8. Spanky

    And remember that you can file right away with incomplete information to fraud-block the scammers. Temporarily assign any refund to estimated taxes. File an amended return when you have all the paperwork and get your refund at that point.

    1. Muntzek

      Could you explain this in a bit more detail? Specifically, which form/line allows you to assign refunds to estimated taxes? How then does this prevent a scammer from filing a return after yours and still claim a refund?

      1. spanky

        Line 77 on a 1040. If a scammer is clever enough to figure out which returns have applied refunds to estimated taxes, they could certainly file an amended return, but I doubt it happens very often, if ever.

        As an alternative, make up some numbers that show you owe exactly $0. You are going to amend with correct numbers later.

  9. Bob

    Since Florida doesn’t have a state income tax, at least the people won’t have to worry about a fake state return being filed for them.

    I have everything I need to file except my annual statement from my mortgage company, which after my W-2 is the most important item I need.

  10. Randy B.

    Despite my having taken Brian’s recommended precautions years ago I had someone file taxes using my SSN last year…. 7 times. In each case the filing was done via web filing, either the IRS site or TurboTax online, both of which have the facility to flag and deny future filing via the web. The IRS also went so far as to flag my account to only recieve a paper filing with supporting identity evidence included. So this is how I must file for the next 5 years….

    Thanks, Brian, for continuing to ring the bell and make people aware of the sorted scams out there.

  11. Fred

    To help prevent data being used after being stolen

    All data should be tagged with a UID, part company id part unique code.

    All data processors are required to verify this UID before using the data in anyway from verified sources.

    Data stolen could be identified who lost the data as long as the UID isn’t stripped off. If the UID is stripped off then the data is effectively useless, as it could never be processed, apart from blackmail perhaps if it is sensitive.

  12. Sakma

    Thats why usa is called land of milk and honey.
    Thats why many eastern europeans want to go to usa.
    But not everyone cant go there u need visa.
    But usa have alot opportunities.
    Now even uneducated people can earn solid money

    1. Jon snow

      From former soviet russia, tax returns get filed FOR YOU

  13. Jay

    “in the process of informing its clients” = We were just going to stay quiet about it, but now that we’re getting phone calls from a journalist, I guess we’ll have to own up.

  14. Willie

    I would suggest that IRS return to allowing only PTIN holders to Efile returns. That would severely curtail some of the fraudulent filing. IRS would then be able to identify which PTIN holder Efiled returns.

  15. Jim

    Actually the ssid is the best identifier. By law it is an annicillary identification to be used with a picture ID. It cannot be used alone, if used without a picture, it’s not an ID, next I’m expecting them to have a thumbprint on them.

    1. Nick Gerteisen

      Thats not a great idea…you cannot change your thumbprint in the event of the breach of thumbprint characteristics…

  16. Hyu

    People people people????
    Stop this bla bla blaaa
    Syztem is not for halping average joe.
    But to just screw the a sss of joe.
    Naive people here. But what u can do about it??
    7 u cant do nothimg really.
    Just Bee On bee behave. And thats it.

    1. SeymourB

      Which brings me to my next point… don’t smoke crack.

  17. Sally

    Filing as soon as possible is great in theory but many of us can’t do that until we get all of information–why, in this day and age, does it take a bank or brokerage firm (or state for a 1099g), over a month to get a form to us?

    1. Algorythm

      In the HR departments I’ve supported the process of getting the W-2’s out by Jan 31st has been at least twice been a down to the last second all hands emergency. In both those occasions it was the process of applying software patches to support new regulations taking effect that caused a great flurry of feathers as the usually lowest bidder system software went kerthunk. Waking those systems back up, and duct taping the feathers back on took the rest of the month…

  18. George

    This is what happens when the IRS is used as a massive political and social welfare engineering and distribution system. There has to be other ways in getting the same purposes accomplished.

  19. Jay

    My company has received tons of e-mails this year that were supposedly from senior executives asking for w-2 files on associates. First time we have seen this. Luckily we found no records going out the door, but they don’t have to hack into your system if someone is simply e-mailing them out.

  20. Andrew

    Great post as always

    Not that there’s significant exposure for victims with the information, but the blurring method used on the first 3 of the socials in the screen cap still leave the majority of the numbers legible. For when obscuring more sensitive data in the future …

  21. Travis

    Hi Brian,
    Thank you for the great work!
    I just thought you’d like to know that the IRS is officially listing you as the top resources int their Reply email when you submit samples to phishing@irs.gov.
    (See below under Resources: in the reply I received when reporting a recent W-2 Phishing attempt)

    *******************************************
    Thank you for your email.

    This is a business email compromise or BEC scam.

    We would encourage you to file a complaint with IC3 related to the emails you received:

    https://www.ic3.gov/complaint/default.aspx

    Individual victims of this scam should visit:

    https://www.identitytheft.gov

    It would greatly help our investigation if you could resend the email that you received along with the email header unless you have already done so.

    The contents of the email header are crucial to our being able to investigate potential fraudulent activity.

    To obtain the email header please follow the instructions found here:

    http://mxtoolbox.com/Public/Content/EmailHeaders/

    Please send the email along with the email header to us at submits@ofdp.irs.gov.

    Resources:

    http://krebsonsecurity.com/tag/business-email-compromise/
    http://www.ic3.gov/media/2015/150827-1.aspx
    https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise
    https://www.irs.gov/uac/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others

    Regards,

    phishing@irs.gov
    Online Fraud Detection and Prevention (OFDP) Internal Revenue Service United States Department of the Treasury

    *******************************************

  22. Dustin DeTorres

    This is something I needed. Someone requested me w-2 files. Basically there is no security at all? I doesn’t matter if I email them.

    1. Andrew

      Ideally your firm has Data Loss Prevention for outbound email filtering to bounce back emails with W-2 forms present, particularly if sending to external parties.

      But if you’re a Mom & Pop shop the technology is often out of reach. And management can be cumbersome enough that many household names don’t do this well, if at all.

  23. Mark Evans

    Brian

    I think the idea of freezing one’s credit is a good one and I did give it a try. What I found objectionable was the $29.99/month fee they wanted to charge me to freeze just 3 of the 4 credit reporting agencies. I also thought the signup process was a real slippery slope. They started out saying that you’d pay something like $9.99 for one agency and then, without mentioning cost, present a button that said something like “hey why not freeze all 3 agencies.” That’s how the cost went through the roof. All in all a real slimy sales process. Getting the service discontinued was like trying to rid oneself of a cable TV provider. Lots of transfers to the boss and then their boss etc.

    Did I blow it and miss the “freeze your credit for free” button?

  24. chris

    you mentioned that all the data leaks seem to come from Florida, can we assume that there is some sort of vulnerability in that region that can be effecting why more dumps come from there?

Comments are closed.