March 17, 2017

Just a friendly reminder that phishing scams which spoof the boss and request W-2 tax data on employees are intensifying as tax time nears. The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks.

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Alexandria, Va.-based Defense Point Security (recently acquired by management consulting giant Accenture) informed current and former employees this week via email that all of the data from their annual W-2 tax forms — including name, Social Security Number, address, compensation, tax withholding amounts — were snared by a targeted spear phishing email.

“I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016,” Defense Point CEO George McKenzie wrote in the email alert to employees. “Unfortunately, your W-2 was among those released outside of DPS.”

W-2 scams start with spear phishing emails usually directed at finance and HR personnel. The scam emails will spoof a request from the organization’s CEO (or someone similarly high up in the organization) and request all employee W-2 forms.

Defense Point did not return calls or emails seeking comment. An Accenture spokesperson issued the following brief statement: “Data protection and our employees are top priorities. Our leadership and security team are providing support to all impacted employees.”

The email that went out to Defense Point employees Thursday does not detail when this incident occurred, to whom the information was sent, or how many employees were impacted. But a review of information about the company on LinkedIn suggests the breach letter likely was sent to around 200 to 300 employees nationwide (if we count past employees also).

Among Defense Point’s more sensitive projects is the U.S. Immigration and Customs Enforcement (ICE) Security Operations Center (SOC) based out of Phoenix, Ariz. That SOC handles cyber incident response, vulnerability mitigation, incident handling and cybersecurity policy enforcement for the agency.

Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. In past tax years, scammers also massively phished the online payroll management account credentials used by corporate HR professionals. This year they are going after people who run tax preparation firms, and W-2s are now being openly sold in underground cybercrime stores.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

ANALYSIS

I find it interesting that a company which obviously handles extremely sensitive data on a regular basis and one that manages a highly politicized government agency would not anticipate such attacks and deploy some kind of data-loss prevention (DLP) technology to stop sensitive information from leaving their networks.

Thanks to its mandate as an agency, ICE is likely a high-risk target for hacktivists and nation-state hackers. This was not a breach in which data was exfiltrated through stealthy means; the tax data was sent by an employee openly through email. This suggests that either there were no DLP technical controls active in their email environment, or they were inadequately configured to prevent data in Social Security Number format from leaving the network.
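The control the analysis says was missing or misconfigured is an outbound email DLP check that recognises Social Security Number-shaped data before it leaves the organisation. The script below is an added illustration of that check, written for this article and not code from Defense Point Security or any DLP product. It parses one outbound message, scans every MIME part (body and attachments) for SSN-formatted tokens, discards values the SSA never issues so that phone numbers and wage figures do not trip it, and applies a blocking policy that is an assumption for this example: any SSN addressed outside the organisation's domain (the hypothetical `example.com`) is blocked, while internal mail is blocked only at bulk volume and merely alerted below it. The sample message, a reply to a spoofed "send me all the W-2s" request, is constructed with fake data.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

ORG_DOMAIN = "example.com"  # hypothetical: the organisation's own mail domain

# AAA-GG-SSSS with optional '-' or ' ' separators. The look-arounds exclude digits
# that belong to a longer number (phone numbers, wages, account ids).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text):
    """Return the SSN-shaped tokens in text that pass the plausibility check."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def part_text(part):
    """Text of a leaf MIME part: str for text/* parts, lossy decode for anything else."""
    content = part.get_content()
    if isinstance(content, bytes):
        return content.decode("utf-8", errors="ignore")
    return content


def scan_outbound(raw, threshold=3):
    """Inspect one outbound message (RFC 5322 bytes) and decide allow / alert / block.

    Policy (an assumption for this example, not a standard): any SSN going to a
    recipient outside ORG_DOMAIN blocks; internal mail blocks at bulk volume and
    alerts below it, so a single HR-to-payroll record does not stall the queue.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addrs = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in addrs if a.lower().rsplit("@", 1)[-1] != ORG_DOMAIN]

    hits = []  # (where it was found, matched token)
    for part in msg.walk():
        if part.is_multipart():
            continue
        where = part.get_filename() or part.get_content_type()
        hits.extend((where, ssn) for ssn in find_ssns(part_text(part)))

    if hits and external:
        action = "block"
    elif len(hits) >= threshold:
        action = "block"
    elif hits:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "ssn_count": len(hits), "external": external, "hits": hits}


def build_sample():
    """Constructed reply to a spoofed 'send me all the W-2s' request (fake data)."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "ceo.example@attacker.invalid"  # external look-alike address
    msg["Subject"] = "RE: W-2s for all employees"
    msg.set_content("As requested, the 2016 W-2 data is attached.\nDesk phone: 555-867-5309")
    rows = ("name,ssn,wages\n"
            "A. Employee,123-45-6789,52000\n"
            "B. Employee,234-56-7890,61000\n"
            "C. Employee,000-12-3456,58000\n")  # invalid area number: not counted
    msg.add_attachment(rows, subtype="csv", filename="w2_2016.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_outbound(build_sample()))
```

The recipient-domain test matters as much as the pattern: the whole point of the CEO-spoof variant is that the reply goes to an outside address, so a rule that only counts SSNs without looking at where they are headed either blocks legitimate payroll traffic or lets a single external send through. A production deployment would also unpack ZIP, PDF and spreadsheet attachments before scanning, which this example leaves out.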

This incident also suggests that perhaps Defense Point does not train their employees adequately in information security, and yet they are trusted to maintain the security environment for a major government agency. This from a company that sells cybersecurity education and training as a service to others.

DON’T BE THE NEXT VICTIM

While there isn’t a great deal you can do to stop someone at your employer from falling for one of these W-2 phishing scams, here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:

- File before the fraudsters do it for you. Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: thieves can still try to impersonate you and claim that it does, leaving you to sort out the mess with the IRS later.

- Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring, make them do the hard work for you.

- File Form 14039 and request an IP PIN from the government. This form requires consumers to state that they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft, even if we just look at breaches announced in the past year alone.

- Consider placing a “security freeze” on your credit files with the major credit bureaus. See this tutorial on why a security freeze, also known as a “credit freeze,” may be more effective than credit monitoring at blocking ID thieves from assuming your identity to open new lines of credit. While it’s true that a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.

- Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.


92 thoughts on “Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam”

  1. pr

    Heads really need to roll over this. If someone gives away information like this he needs to be fired, his supervisor needs to be fired, and the head of IT security needs to be fired. It needs to be an established and well-known policy within the organization.

    A lot of these stories are along the lines of someone calls up pretending to be the CEO demanding information NOW! IF YOU DON’T DO IT NOW YOUR SUPERVISOR IS GOING TO HEAR ABOUT IT! So it puts people in a dilemma, causing them to override normal caution. But if everyone knows that their supervisor is going to be even more angry if they give away information incorrectly it will give the grunt workers a firewall, something to break the slide to incorrect behavior.

    There also needs to be practice in saying no. Where I work we’ve had two “phishing drills” in the last two years. We got a very realistic-looking message, instructing us to enter our passwords in a certain web site. Well, it turns out that it was a fake phishing message, sent out by institutional IT. There are always failures, and as far as I know there haven’t been any consequences for getting suckered, but it keeps everyone on their toes.

    1. Happy Scrappy

      The ones in the top tier at the link below on the Defense Point Security Site reportedly own the company so they can’t be fired. It’s sad because they should know better, however, they do not know better. In their defense (no pun intended), they just bilk the government out of millions running a sloppy company and then cash out to Accenture. In their own way, they are clever.
      https://defensepointsecurity.com/corporate-info/corporate-bios
      However, who would you, pr, pick to kick to the curb of that rag-tag, motley crew?

      1. TheWerks

        “However, who would you, pr, pick to kick to the curb of that rag-tag, motley crew?”

        I dunno about pr, but if it were me I’d pick the numbskulls in the administration who think contracting all this stuff out is the most genius plan ever.

        Seems like that gets into trouble in a lot of areas, not least of all this one.

        1. pr

          This would never happen if all those involved were civil servants. (Cough!)

          Hiring contractors might not be the best approach to everything, but it has a lot of advantages. First off, the individuals involved can be fired. The contracting company can lose future business, or get their current contract canceled, or at least reduced.

          Imagine what would happen is some inside agency of the Federal Government were to have a similar breach. Oh, wait, you don’t have to imagine it, just say three little letters: OPM. Who, within OPM, suffered any consequences from that disaster?

          1. TheWerks

            Never said anything about Civil Servants, and whether or not it would be more or less likely to happen if they were.

            If the Government is the Customer, and the Contractor the provider, the rule is still caveat emptor.

            And I feel like that’s not followed when the customer has no clue what he’s buying and feels no responsibility for being knowledgeable about that product on anything more than a superficial level.

            “Just hire Contractor X, they’ll take care of everything!”

            I see it a lot in my line of work, and it’s repugnant.

    2. Anon

      “Heads really need to roll over this. If someone gives away information like this he needs to be fired, his supervisor needs to be fired, and the head of IT security needs to be fired. It needs to be an established and well-known policy within the organization. ”

      If you had it your way, a disgruntled employee could get everyone fired…

      Believe it or not, but the biggest violators of IT security policy, are upper management.

  2. Karl gruber

    @pr – “he needs to be fired, his supervisor needs to be fired, and the head of IT security needs to be fired”.

    Rather than firing everyone, I think a better approach would be to use this event as an education opportunity.

    You need to encourage your users to ask questions and report things. If your policy is to fire anyone who makes a mistake then your staff will develop a mindset of trying to hide mistakes, and an us-vs-them mentality towards IT, or management in general.

    And how is it the team leader or infosec manager’s fault exactly?

    1. Catwhisperer

      We seem to be gathering more trolls, Brian. Keep up the good work, LOL…

      Karl’s idea is the correct response to failures in the system. If you fire everyone with experience, then the company would be left hiring noobs (at least with respect to the company architecture and protocols), and the state of said company would be worse than before. One learns from mistakes, even costly ones. Ignorance is excusable, stupidity is not…

      We have great examples of the “us-vs-them mentality” in the top echelons of government. Hopefully this company doesn’t learn the wrong lessons.

      1. Tweety Bird

        Putty cat, “Ignorance” is no excuse for breaking the law. Luv, Tweety

      2. Santa Claus

        The time for education was 5-10 years ago. If you hire morons they need to be trained. Lesson: don’t hire morons.

    2. Kind Regards Karl

      @Karl:
      https://defensepointsecurity.com/corporate-info/corporate-bios
      So if the dudes above aren’t to blame, who do you blame? They lost the W2s of government contract and they are in charge of securing networks of national security. What other blunders are they hiding? What happens to Target and Yahoo!’s people in charge of data? Don’t think too hard, it was exit stage left.

    3. Dennis Kavanaugh

      There is a simple test to see which of these two approaches works better: On one street corner, put a guy preaching the gospel. On the opposite corner, arrange a public hanging. You guess where the larger crowd will be.

  3. pablo

    We can blame it on reptile aliens from planet Mars.
    ahha

  4. Marcus

    @alco
    You are the best example for a Troll

    Even in the EU and Scandinavia (belongs to the EU), CEO fraud and phishing happen.
    Surprise, surprise. Last year 65 million was siphoned out with a CEO scam in combination with spear phishing.
    Where did it happen? Germany.

    32 million in total losses due to ransomware sent as a targeted attack to multiple HR departments in top 100 stock-listed companies.

    Where did it happen: across Europe.

    Greetings from Central Europe

    1. only

      Only in the USA, because only the USA has the Federal Reserve. They print as much as they want.

  5. Jamison

    Who invented that internet thing you’re using again?

  6. ColdAsICE

    Great, so these guys sell out to a foreign acquirer and now more than likely the foreigners are in the network of the contracts they own. Wave that flag, wave it wide and high!

  7. management leadership training

    Hey,
    Thanks so much for sharing more information about these phishing scams! It is so crazy to think that even the government is susceptible to cyber attacks.
    Best,
    Dennis

    1. jacob.sciff

      Yeah, your own government will put an RFID chip in you soon.
      Let’s see what you think about it then.

  8. Jim

    Ah, err, these people can be fired, as in lose the contract. But then, as a private citizen, I would rather have had an accountable government employee in charge, rather than a low-cost contractor who is not accountable. That way, someone would have had training in everything but what they had to do.

  9. Oren J. Falkowitz

    I don’t think calling phishing a scam, which implies a level of human negligence or even naivety, makes sense. Phishing is like a mirage in a desert, you can’t help but think it’s real.

    Over 95% of all data breaches begin with phishing and we usually like to deflect blame by calling them sophisticated. People are the vector for phishing attacks against companies and vigilance isn’t enough.

    Attackers actually cede the advantage when they phish, they open themselves to be preempted with the right technological approach.

  10. Oren J. Falkowitz

    I wouldn’t call phishing a scam, which implies a level of human negligence or even naivety. Phishing is like a mirage in a desert, you can’t help but think it’s real. It’s also effective. Over 95% of all data breaches begin with phishing.

    People are the vector for phishing attacks. Companies and organizations are the victims and vigilance isn’t enough.

    Preempting phishing is the advantage of network defenders and is only possible with technology.

  11. Paulie Walnuts

    Hey Defense Point Security, I’ll keep this short and sweet. You’re weak. You’re outta control. And you’ve become an embarrassment to yourself and everybody else. -Paulie

  12. Charles Sprickman

    I know those of us in the IT biz like to jump all over people that fall for this, but let’s be honest here, email sucks, and email clients suck. And apparently the firm’s phishing defenses are not “state of the art”. 🙂

    So many decades after email first arrived we still lack universal digital signatures or any other method to validate the sender. Spoofing is easy. HTML email makes it easy to hide extra payloads that non-tech folks won’t notice. And don’t get me started with all the email clients that go to great lengths to hide the email address behind a “friendly” name.

    If you wanted to design a communication system that makes phishing easy, you’d design exactly what we have today.
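The complaint in the comment above, that spoofing is easy and that mail clients hide the real address behind a “friendly” display name, is exactly what a CEO-impersonation filter on the inbound side has to compensate for. The script below is an added example written for this page, not the commenter's code and not any mail gateway's rule set. It normalises the display name of an incoming From header, checks it against a hypothetical executive directory (`EXECUTIVES`, keyed on `example.com` addresses), and flags three things a human reading a friendly name would miss: an executive's name on an address that is not theirs, a domain within a small edit distance of the organisation's own (the `examp1e.com` style look-alike), and a Reply-To pointing somewhere other than the From domain. All names, addresses and domains are constructed.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # hypothetical organisation domain
# Hypothetical executive directory: display name -> the only address allowed to use it
EXECUTIVES = {
    "Pat Example": "pat.example@example.com",
}
HONORIFICS = {"mr", "ms", "mrs", "dr", "ceo", "cfo"}


def normalize_name(name):
    """Lower-case, drop parentheticals, punctuation and honorifics, sort words.

    'Example, Pat (CEO)' and 'Pat Example' both become 'example pat'.
    """
    name = re.sub(r"\(.*?\)", " ", name.lower())
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(sorted(w for w in name.split() if w not in HONORIFICS))


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(from_header, reply_to_header=None):
    """Return the reasons this sender looks like executive impersonation (empty list = clean)."""
    name, addr = parseaddr(from_header)
    dom = domain_of(addr)
    reasons = []

    # 1. Friendly name belongs to an executive but the address is not the directory entry.
    wanted = normalize_name(name)
    exec_addr = next((v for k, v in EXECUTIVES.items() if normalize_name(k) == wanted), None)
    if name and exec_addr and addr.lower() != exec_addr:
        reasons.append("display name of an executive on a different address")

    # 2. Domain is not ours but is one or two edits away from it.
    if dom and dom != ORG_DOMAIN and edit_distance(dom, ORG_DOMAIN) <= 2:
        reasons.append("look-alike domain: %s" % dom)

    # 3. Replies would go somewhere other than where the mail claims to come from.
    if reply_to_header:
        _, reply = parseaddr(reply_to_header)
        if domain_of(reply) != dom:
            reasons.append("Reply-To domain differs from From domain")
    return reasons


if __name__ == "__main__":
    # Constructed headers, not taken from any real message
    for hdr in ("Pat Example <pat.example@example.com>",
                "Pat Example <pat.example@gmail.invalid>",
                '"Example, Pat (CEO)" <ceo@examp1e.com>'):
        print(hdr, "->", assess_sender(hdr) or "clean")
```

Any non-empty result is worth a visible banner in the client or a quarantine, and the first reason alone is enough to catch the pattern in the article: a request for "all employee W-2s" from the CEO's name on an outside mailbox. The check complements, rather than replaces, SPF/DKIM/DMARC, which say nothing about a legitimately registered look-alike domain.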

  13. Lu Jancik

    Hi, have you tried the CBPopper plugin? Google “cbpopper wordpress” for a description; It’s a WordPress plugin that automatically matches ClickBank products with your blogs content. Regards

  14. RedTeam Security

    I may have missed it in the article, but does anyone know if they were explicitly targeted or was this phishing campaign directed toward many HR dept. heads across many companies?

  15. Vader, Darth A.S.

    Hey, wow, it’s like super fun to pan a co. named ‘Defense Point Security’ for sucking at 2/3 of their name, but…

    you all know that DPS is a government contractor, right? They’re in the business of winning and exploit^u^u^u^u^uecuting government contracts, and they need to know exactly f*ck-all about security to do that … after all (as previously mentioned in the comments) the customer doesn’t know what it’s buying. DPS’ InfoSec talent – the victims – are all staffed at the customer site, 1000+ miles away.

    1. Vader, Darth A.S.

      pre-emptively: not defending DPS. defending the people they’ve placed at ICE. I know I’d hate it if my name were dragged through the mud like is being done here for some screw up at corporate. After all the news is DPS fell victim, not ICE….
