Tax Fraud Up 6,000 Percent as W-2s Fill Darknet Markets

Internet scams are nothing new. Every time one scam gets outdated, the scammer move from one scam to the next. And while people may have learned that those emails never came from African prince and princesses, they started falling for new scams. IBM’s X-Force found a 6,000 percent increase in email fraud between December 2016 and January 2017.

The researchers, in a recently released report called Cybercrime Riding Tax Season Tides, outlined the type of data cybercriminals went for in the aforementioned timeframe. First, the number of emails masquerading as a tax form such as a W-2 increased by 6,000 percent. But second and arguably the more malicious of the two, came in the form of clickable links. These fraudulent emails asked or even implored the recipient to download a file or click a link. Both examples of email-initiated tax fraud increased at the same pace and nearly doubled every month since January.

X-Force security advisor Limor Kessem Spoke with SC Media on the topic:

“Most of the scams we observed in the report did exist last year, but what was particularly interesting this time around is the focus of criminals on businesses. In general terms, there are less criminals that have the skills to attack a business. This year, we are seeing that even the less technically inclined are intent on stealing data and money from businesses, and if they lack technical knowledge, they fill the gap by social engineering and going after the lower hanging fruit.”

Email scams and tax fraud, again, are not a new form of cybercrime. The entire event, after a victim falls for the scam, is history. Or it was, IBM X-Force researchers explained. Usually, or at least in days past, the perpetrator used the information in their own tax fraud—beyond that of fraudulently obtaining tax documents from innocent victims.

Now researchers noticed a trend, similar to the one stolen medical data took. The cybercriminals sell the information online now, often through a data broker. As with other stolen or otherwise illegitimately obtained personal information, the data broker moves on to a darknet marketplace. Various marketplaces allow the sale of stolen or hacked data. Many marketplaces in this category disappeared at some point in the past, but enough remain the sales to make it worth the vendor’s time.

The researchers also noticed a change in the way the email related tax fraud took place. Instead of simply requiring or pretending to require a victim’s tax data, the perpetrator often pretends the victim’s refund processed but he or she needed a downloadable file first. In many cases, the researchers from IBM pointed out, the file was a PDF that requested all sorts personal information. But when the victim downloaded the PDF, they also unknowingly downloaded several “macros that ran in the background” and allowed further data theft.

The stolen data or at least the stolen tax data found its way to the darknet, both in the form of singular pieces of data or in identity kids known as fullz. One vendor sold the victim’s W-2 and 1040 forms for $30. That data alone, though is not entirely useful for identity fraud. Those vendors charged another $20 for a victim’s adjusted gross income from the the previous year.

“These offers seem to be rather popular in the dark web; another vendor offers the same type of data set for sale with bulk discounts,” the researchers explained. “This could also have originated from an employer data breach and shows the popularity of stealing tax information from companies who are likely unaware it was ever stolen.”

“Judging by the data sets being sold in dark web markets, there’s a high likelihood that
cybercriminals steal tax information from employer databases,” they concluded, arguing a list of precautionary measures for fearful employers.