Financial Scams Circulate as U.S. Tax Season Nears End

Key Findings

  • As the end of the U.S. tax season nears, ZeroFox Intelligence has observed an increase in tax fraud-related activity taking place in the deep and dark web (DDW).
  • On March 9, 2024, a Russian-speaking threat actor posted in DDW forum xss, claiming they are able to supply two types of completed, illegitimate Internal Revenue Service (IRS) tax documents.
  • Activity of this nature is very likely to increase in frequency over the coming weeks, with threat actors continuing to evolve their tactics, techniques, and procedures (TTPs) to most effectively leverage illicitly-obtained personally identifiable information (PII) that is relatively cheap and easily acquired in DDW forums.

Details

As the end of the U.S. tax season nears, ZeroFox Intelligence has observed an increase in tax fraud-related activity taking place in the DDW, as threat actors seek to acquire and leverage illicitly-obtained information to conduct various scams. 

On March 9, 2024, a highly-regarded Russian-speaking threat actor known as “MagaClub” posted in DDW forum xss, claiming they are able to supply two types of illegitimate IRS tax documents—the U.S. Individual Income Tax Return (1040) and the Wage and Tax Statement (W2)—for a cost of USD 20 per form. The actor claimed to also be selling completed credit reports with scores over 700 (considered high) for USD 30 each. The tax documents and the credit reports are sold fully populated with illicitly obtained PII, and the sales use the forum’s escrow service.

  • It is very likely that the forms sold by MagaClub are purchased primarily by malicious actors intending to file fraudulent tax returns in the name of the victim. 
  • The forms are very likely populated with PII from previous financial years. This information is likely obtained through data breaches implicating the IRS or one of the many third-party accountancy firms reportedly used by up to a quarter of U.S. citizens to assist in preparing and filing tax returns. These forms are then submitted for the 2023 tax year in the hope that the PII contained within remains valid and extant. 
  • There is also a roughly even chance that MagaClub is able to procure completed forms via an ongoing intentional or unintentional data leak, such as an insider, given their claims of a “continuous supply.”
  • ZeroFox Intelligence is unable to confirm the proportion of scams such as these that lead to the payout of fraudulent tax returns, though their popularity within DDW forums in the weeks approaching April 15 indicates that a significant number of cyber threat actors consider it lucrative.

Threat actors are likely able to obtain tax return deposits by directly leveraging cryptocurrency exchange platforms, including via some third-party tax assistance software programs reportedly used by up to 50 percent of U.S. citizens. These can enable threat actors to withdraw the currency with higher degrees of anonymity.

As well as tax return fraud, stolen PII is leveraged to conduct various other malicious tax-related schemes. Some examples of these scams include:

  • Threat actors use stolen PII to conduct phishing and spear-phishing campaigns, often masquerading as representatives of the IRS. These attacks are intended to trick the victim into providing personal details such as banking or Identity Protection PIN (IP PIN) information that can aid in further attacks. Malicious links can also be used to direct the victim to fake web pages that are able to deliver malware and harvest credentials.
  • Threat actors attempt to collect false tax debt, using stolen PII to increase authenticity while imitating employees of either the IRS or an external debt collection agency. These attacks often leverage several social engineering techniques to encourage the victim’s cooperation.
  • Fake IRS letters claim that additional PII is needed in order to process an unclaimed tax refund. However, the information provided by the victim assists the threat actor in submitting fraudulent tax returns. 

Activity of this nature is very likely to increase in frequency over the coming weeks, with threat actors continuing to evolve their TTPs to most effectively leverage illicitly-obtained PII that is relatively cheap and easily acquired in DDW forums. Social engineering is likely to play an increasingly important role in granting threat actors the advantage needed to mitigate or circumvent contemporary IRS security features and claim fraudulent tax refunds.

ZeroFox Intelligence Recommendations

  • Individuals with a Social Security Administration (SSA) or an Individual Taxpayer Identification Number (ITIN) should register annually for an IP PIN, using the following address:
    • hXXps://www.irs[.]gov/identity-theft-fraud-scams/get-an-identity-protection-pin
  • Being implicated in a data breach could be the first step toward PII being leveraged to conduct tax fraud. In such a case, the individual should consider placing a “Fraud Alert” on their credit file.
  • Suspected scamming or identity theft activity should be reported using [.]gov tools found here:
    • hXXps://www.usa[.]gov/where-report-scams
    • hXXps://www.identitytheft[.]gov/#/
    • hXXps://www.irs[.]gov/pub/irs-pdf/f14039.pdf
  • Individuals should scrutinize correspondence purporting to be from the IRS, particularly if received via unusual communication channels or if found to contain spelling or grammatical errors. If in doubt, further personal information should not be disclosed.
  • Individuals using third-party tax return preparation services should ensure that documentation is appropriately signed upon completion.
  • Organizations and individuals should ensure passwords are secure, unique credentials are used and phishing-resistant multi-factor authentication is implemented.
