States: Spike in Tax Fraud Against Doctors

April 22, 2014

An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians.

taxfraudScott Colby, executive vice president of the New Hampshire Medical Society, said he started hearing from physicians in his state about a week ago, when doctors who were just filing their tax returns began receiving notices from the Internal Revenue Service that someone had already filed their taxes and claimed a large refund.

So far, Colby has heard from 111 doctors, physician assistants and nurse practitioners in New Hampshire who have been victims of tax fraud this year.

“I’ve been here four years and this is the first time this issue has come across my desk,” Colby said.

In this increasingly common crime, thieves steal or purchase Social Security numbers and other data on consumers, and then electronically file fraudulent tax returns claiming a large refund. The thieves instruct the IRS to send the refund to a bank account that is tied to a prepaid debit card, which the fraudster can then use to withdraw cash at an ATM (for more on how this works, see last week’s story, Crimeware Helps File Fraudulent Tax Returns).

Unlike the scam I wrote about last week — which involved the theft of credentials to third-party payroll and HR providers that are then used to pull W2 records and file bogus tax returns on all company employees — the tax fraud being perpetrated against the physicians Colby is tracking is more selective.

“We’ve done a broadcast to all of the hospital systems in the state, and I have yet to receive one [victim] name from a non-clinician,” Colby said. “And you would think if it was an HR or payroll issue that at least a couple of administrative, non-clinical folks would have been in the mix, but that is not the case.”

AN EPIDEMIC OF TAX FRAUD?

Colby said he’s heard similar reports from other states, including Arizona, Connecticut, Indiana, Maine, Michigan, North Carolina and Vermont.

Elaine Ellis Stone, director of communications at the North Carolina Medical Society, said her organization has been contacted by more than 100 individual doctors and medical practice managers complaining about tax fraud committed in the names of their doctors and other medical staff. Continue reading

Advertisement

An Allegation of Harm

April 21, 2014

In December 2013, an executive from big-three credit reporting bureau Experian told Congress that the company was not aware of any consumers who had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. This blog post examines the harm allegedly caused to consumers by just one of the 1,300 customers of that ID theft service — an Ohio man the government claims used the data to file fraudulent tax returns on dozens of Americans last year.

Defendant Lance Ealy.

Defendant Lance Ealy.

In February, I was contacted via Facebook by 28-year-old Lance Ealy from Dayton, Ohio. Mr. Ealy said he needed to speak with me about the article I wrote in October 2013 — Experian Sold Consumer Data to ID Theft Service. Ealy told me he’d been arrested by the U.S. Secret Service on Nov. 25, 2013 for allegedly using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by guy named Hieu Minh Ngo.

“I really need to speak with u about this case because the US attorney assigned to this case and the Secret Service agent are trying to cover up Experian involvement in this case,” Ealy said, without elaborating on his theory about the alleged cover-up.

Ngo is a Vietnamese national who for several years ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty earlier this year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy appears to be one of several individuals currently battling charges of identity theft after allegedly buying data from Ngo’s service, which relied in part on data obtained through a company owned by Experian.

According to the complaint (PDF) against Ealy, government investigators obtained a search warrant for Ngo’s email account in March 2013. Going through that email, investigators found that a customer of Ngo’s who used the address lanceealy123@yahoo.com had already purchased from Ngo some 363 “fullz” — a term used in the underground to describe a package of everything one would need to steal someone’s identity, including their Social Security number, mother’s maiden name, birth date, address, phone number, email address, bank account information and passwords.

The Justice Department alleges that between Jan. 28, 2013 and Oct. 17, 2013, Ealy filed at least 150 fraudulent tax returns on Americans, instructing the IRS to send the refund money to prepaid credit card accounts he controlled. The government claims that about 50 of those bogus claims were made with Social Security numbers and other data obtained from Ngo’s ID theft service. Continue reading

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

April 17, 2014

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

michaelsThe disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.” Continue reading

Critical Java Update Plugs 37 Security Holes

April 16, 2014

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system. Continue reading

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

April 15, 2014

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time. Continue reading

Crimeware Helps File Fraudulent Tax Returns

April 14, 2014

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The "drops" page of this tax  fraud operation lists the nicknames of the co-conspirators who agreed to "cash out" funds on the prepaid cards generated by the bogus returns -- minus a small commission.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.” Continue reading

Heartbleed Bug: What Can You Do?

April 10, 2014

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable: Continue reading

Adobe, Microsoft Push Critical Fixes

April 8, 2014

Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

crackedwinTwo of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches are available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog: Continue reading

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

April 8, 2014

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

Credit: Heartbleed.com

Credit: Heartbleed.com

From Heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL – OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do you to protect yourself from this vulnerability, see this post.