Krebs on Security

The Rise in State Tax Refund Fraud

February 17, 2015

Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings

Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests on millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least according to Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states.

File ’em Before the Bad Guys Can

Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike. To learn more about the run-up to this extraordinary step and other tax fraud trends this year, I talked with Indu Kodukula, chief information security officer at Intuit.

Kodukula explained that in years past the dominant form of tax return scams the company has dealt with stemmed from phony federal tax refund requests. But this tax season, things changed dramatically.

“The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”

The data released by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the work of the IRS, suggests the IRS does indeed appear to have improved at flagging and ultimately denying fraudulent federal tax returns. In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.

THE ROLE OF UNLINKED RETURNS

Kodukula said tax fraudsters have evolved in response to increased information sharing by the IRS with state revenue departments about phony tax returns received at the federal level. He described a process that began about three years ago, when Intuit and TurboTax received express permission from the IRS to share information about suspected bogus tax refund requests.

“It has been our understanding that this information is in turn being shared with [state treasury departments], Kodukula said. “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having a file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”

States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.

Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.

“It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”

ACCOUNT TAKEOVERS FUELED BY PASSWORD RE-USE

Not only have the fraudsters shifted from attacking the IRS to robbing state coffers, but the methods they use to steal taxpayer data also are evolving. Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: The tendency for people to re-use passwords across multiple sites. This technique works because a fair percentage of users re-use passwords at multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work. Continue reading →

‘Spam Nation’ Wins PROSE Award

February 17, 2015

27 Comments

I am pleased to announce that my new book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door, has been honored with a 2015 PROSE Award in the Media & Cultural Studies category.

The PROSE Awards are given by the Professional and Scholarly Publishing Division of the Association of American Publishers.

From the AAP’s site: “The awards annually recognize the very best in professional and scholarly publishing by bringing attention to distinguished books, journals, and electronic content in over 40 categories. Judged by peer publishers, librarians, and medical professionals since 1976, the PROSE Awards are extraordinary for their breadth and depth.”

I am grateful to the AAP for this honor. According to the AAP, the 2015 PROSE Awards received a record-breaking 540 entries this year – more than ever before in their 39-year history – from more than 70 publishers around the world. ” Other 2015 PROSE Awards winners are listed at this page.

The Great Bank Heist, or Death by 1,000 Cuts?

February 16, 2015

88 Comments

I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece.

The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.

Image: Kaspersky

Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published (PDF) jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.

“Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,” my December 2014 story observed. “But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”

I also noted that a source told me this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

Andy Chandler, Fox-IT’s general manager and senior vice president, said the group profiled in its December report and in the Kaspersky study are the same.

“Anunak or Carbanak are the same,” Chandler said. “We continue to track this organization but there are no major revelations since December. So far in 2015, the financial industry have been kept busy by other more creative criminal groups,” such as those responsible for spreading the Dyre and Dridex banking malware, he said. Continue reading →

Fuel Station Skimmers: Primed at the Pump

February 13, 2015

68 Comments

I recall the first time I encountered an armed security guard at a local store. I remember feeling a bit concerned about the safety of the place because I made a snap (and correct) assumption that it must have been robbed recently. I get a similar feeling each time I fuel up my car at a filling station and notice the pump and credit card reader festooned with security tape that conjures up images of police tape around a crime scene.

The security tape wrapped around this card reader at a Kangaroo station is intended to communicate that the credit card reader hasn’t been altered.

It’s nice to know I’m not the only one who feels this way. A reader named Tyler recently shared the above image, along with his experience.

“I had my first encounter with tape across a gas station’s card reader the other day,” Tyler said. “I must say it led me to believe there was some sort of skimming device installed, as I have never seen this before. Further inspection showed it was actually a real attempt by the gas station to let consumers know if the device has been tampered with.”

Of course, if you merely need to re-affix the tape to something else, that’s not a high technical hurdle.

Tyler wanted to know what would prevent a scammer from simply removing the tape from one reader and placing it back on top of a compromised reader? Or, since most people probably wouldn’t know to look for the presence of tape around the card reader, how about just placing the skimming device right on top? I wondered that as well.

The tape carries the bold yet misguided assurance, “securing your identity.” However, I’m guessing this security device is primarily meant to serve as a signal to gas station attendants when and if someone has monkeyed with a pump card reader.

The tape on the reader is intended to protect against pump reader skimmers, like the one pictured below, which sells in underground forums for upwards of USD $2,000 and is designed to be fit directly over top of the readers they have at many ESSO/Exxon fuel pumps.

The seller of a gas pump card skimmer shows off his wares, which he sells for more than $2,000.

Continue reading →

Defense Contract Management Agency Probes Hack

February 10, 2015

40 Comments

The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues, KrebsOnSecurity has learned.

The public Web site for the DCMA has been offline for nearly two weeks.

A notice posted to the DCMA’s home page communicates little about the investigation, other than to note that “corrective action is in progress,” and that “work is being done to restore service as quickly as possible.”

Contacted about the outage, DCMA spokesman David Wray said suspicious activity was detected on a DCMA public-facing server January 28, resulting in an ongoing investigation.

“So far, no DCMA, DoD or Defense Industrial Base data nor any Personal Identification Information has been breached. A cyber protection team from Joint Forces Headquarters, Department of Defense Information Network, is working with DCMA to enhance network security. DCMA’s website has been intentionally taken offline while the team investigates the activity. All other network operations have proceeded as normal.” Continue reading →

Microsoft Pushes Patches for Dozens of Flaws

February 10, 2015

60 Comments

Microsoft today released nine update bundles to plug at least 55 distinct security vulnerabilities in its Windows operating system and other software. Three of the patches fix bugs in Windows that Microsoft considers “critical,” meaning they can be exploited remotely to compromise vulnerable systems with little or no help from users, save for perhaps clicking a link or visiting a hostile Web site.

The bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here.

Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks. The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device – that means 10s of millions of PCS, kiosks and other devices, if left untreated.

Several readers who’ve already applied these updates report that doing so may require multiple restarts of Windows. Patches are available via Windows Update, the patching mechanism built into all recent and supported versions of Windows. For more granular information about these patches, check out this blog post by Qualys as well as the always-useful roundup at the SANS Internet Storm Center.

As always, if you experience any issues applying these patches or after applying them, please leave a note in the comments section below describing your experience.

Anthem Breach May Have Started in April 2014

February 9, 2015

56 Comments

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.

The Wall Street Journal reported last week that security experts involved in the ongoing forensics investigation into the breach say the servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyber espionage group known by a number of names, including “Deep Panda,” “Axiom,” Group 72,” and the “Shell_Crew,” to name but a few.

Deep Panda is the name given to this group by security firm CrowdStrike. In November 2014, Crowdstrike published a snapshot of a graphic showing the malware and malicious Internet servers used in what security experts at PriceWaterhouseCoopers dubbed the ScanBox Framework, a suite of tools that have been used to launch a number of cyber espionage attacks.

A Maltego transform published by CrowdStrike. The graphic is intended to illustrate some tools and Internet servers thought to be closely tied to a Chinese cyber espionage group that CrowdStrike calls “Deep Panda.”

Crowdstrike’s snapshot (produced with the visualization tool Maltego) lists many of the tools the company has come to associate with activity linked to Deep Panda, including a password stealing Trojan horse program called Derusbi, and an Internet address — 198[dot]200[dot]45[dot]112.

CrowdStrike’s image curiously redacts the resource tied to that Internet address (note the black box in the image above), but a variety of open source records indicate that this particular address was until very recently the home for a very interesting domain: we11point.com. The third and fourth characters in that domain name are the numeral one, but it appears that whoever registered the domain was attempting to make it look like “Wellpoint,” the former name of Anthem before the company changed its corporate name in late 2014.

We11point[dot]com was registered on April 21, 2014 to a bulk domain registration service in China. Eight minutes later, someone changed the site’s registration records to remove any trace of a connection to China.

Intrigued by the fake Wellpoint domains, Rich Barger, chief information officer for Arlington, Va. security firm ThreatConnect Inc., dug deeper into so-called “passive DNS” records — historic records of the mapping between numeric Internet addresses and domain names. That digging revealed a host of other subdomains tied to the suspicious we11point[dot]com site. In the process, Barger discovered that these subdomains — including myhr.we11point[dot]com, and hrsolutions.we11point[dot]com – mimicked components of Wellpoint’s actual network as it existed in April 2014.

“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint infrastructure,” Barger said.

Another fishy subdomain that Barger discovered was extcitrix.we11point[dot]com. The “citrix” portion of that domain likely refers to Citrix, a software tool that many large corporations commonly use to allow employees remote access to internal networks over a virtual private network (VPN).

Interestingly, that extcitrix.we11point[dot]com domain, first put online on April 22, 2014, was referenced in a malware scan from a malicious file that someone uploaded to malware scanning service Virustotal.com. According to the writeup on that malware, it appears to be a backdoor program masquerading as Citrix VPN software. The malware is digitally signed with a certificate issued to an organization called DTOPTOOLZ Co. According to CrowdStrike and other security firms, that digital signature is the calling card of the Deep Panda Chinese espionage group. Continue reading →

Phishers Pounce on Anthem Breach

February 7, 2015

63 Comments

Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.

The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.

In a question on its FAQ page about whether it would be offering credit monitoring to affected customers, “Anthem said All impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.” Unsurprisingly, phishers took that as an invitation to blast out variations on the scam pictured below, which spoofs Anthem and offers recipients a free year’s worth of credit monitoring services for those who click the embedded link.

Don’t click or respond to these phishing emails.

According to Anthem, fraudsters also are busy perpetrating similar scams by cold-calling people via telephone. In a recording posted to its toll-free hotline for this breach (877-263-7995), Anthem said it is aware of outbound call scams targeting current and former Anthem members.

“These emails and calls are not from anthem and no notifications have been sent from anthem since the initial notification on Feb. 4, 2015,” Anthem said in a voice recording on the hotline.

It is likely that these phishing and phone scams are random and opportunistic, but there is always the possibility that the data stolen from Anthem has fallen into the hands of scam artists. According to Anthem, the information stolen includes the consumer’s name, date of birth, member ID, street address, email address, phone number and employment information. However, experts believe that the attack on Anthem was perpetrated by state-sponsored hackers from China seeking information on specific individuals for espionage purposes, although that conclusion has not been independently confirmed.

The company says it will begin sending notifications to affected consumers via snail mail in the coming weeks. In the meantime, if you’re a current or former Anthem member, be aware that these types of scams are likely to escalate in the coming days and weeks.

Update, Feb. 9, 6:15 p.m. ET: In a somewhat farcical turn of events, it appears that the image above is actually from a phishing education campaign created by a company that helps firms impress upon their employees the importance of cybersecurity. The image above, when clicked, brings users to this page, which warns visitors they’ve clicked on a link design to test awareness. That page is run by Knowbe4, whose CEO Stu Sjouwerman said in response to an inquiry that the image was likely forwarded to Anthem by a cautious employee of one of Knowbe4’s customers who received the phishing test but did not click the link. Full disclosure: Knowbe4 is an advertiser on this blog.

Citing Tax Fraud Spike, TurboTax Suspends State E-Filings

February 6, 2015

78 Comments

TurboTax owner Intuit Inc. said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name.

“During this tax season, Intuit and some states have seen an increase in suspicious filings and attempts by criminals to use stolen identity information to file fraudulent state tax returns and claim tax refunds,” the company said in a statement.

Intuit said a third-party security audit turned up no signs of a security breach with the company, and that the information used to file fraudulent returns appears to have been obtained from other sources outside the tax preparation process.

“As it worked with state governments to assess and resolve the recent issues, Intuit took the precautionary step Thursday, Feb. 5, of temporarily pausing its transmission of state e-filing tax returns,” the company’s statement continued.

“Intuit will be working with the states today to begin turning transmissions back on. Customers who have already filed their state tax returns using Intuit software during this temporary pause will have their returns transmitted as soon as possible. They do not need to take further action at this time. This action does not affect the filing of federal income tax returns, and is limited to those states that require residents to file returns.”

This is hardly a new problem, but I have no doubt we are seeing even more phony tax refund claims than last year (in which my own taxes were filed fraudulently). Cyber thieves have long sought stolen credentials for hijacked tax preparation accounts at TurboTax, H&R Block and related services. Typically, the usernames and passwords for consumer accounts at these services are obtained via password-stealing malware that infects end-user PCs (see my Value of a Hacked PC graphic for more such examples.)

Victims also can see their tax accounts hijacked if crooks assume control over their inboxes as well, since tax preparation services — like most sites — allow users to reset their passwords by requesting a password reset link via email (see my Value of a Hacked Email Account graphic for additional examples like this). And of course phishers frequently impersonate tax preparation firms in a bid to steal credentials.

Stolen TurboTax or H&R Block credentials are cheaper and more plentiful than most people probably would imagine. According to the below-pictured well-known seller on the Dark Web forum Evolution Market, hacked accounts currently can be had for .0002 bitcoins, which works out to about 4 cents apiece.

A seller of hacked accounts on the Dark Web community Evolution Market sells hacked TurboTax and H&R Block accounts for pennies apiece.

Continue reading →

China To Blame in Anthem Hack?

February 6, 2015

79 Comments

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”

While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said the FBI has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”

The alert notes that analysis of malware samples used in the attack indicate a significant amount of the computer network exploitation activities emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.

According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.

The FBI’s flash advisory continues:

“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”

In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.” Continue reading →

Last »