The deadline for filing taxes in the United States is eight weeks away, but new research has shown that small businesses are already being hit by tax season–related cyber-attacks.
Research conducted by Proofpoint indicates that attackers are “aggressively jumping into tax season,” with the deployment of two main attack strategies.
The first strategy is to send tax-themed emails with enticingly titled malicious attachments, such as "Important changes, filing due date and charges to form 1099."
The second tactic is to compromise legitimate tax-focused websites so that they deliver malware to visitors. Data gathered so far indicates that small businesses specializing in tax preparation are a particular focus of website-compromise attacks this tax season.
“If you have the word 'tax' in your domain name, you're a target this year. And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately,” said senior director of threat research and detection at Proofpoint, Sherrod Degrippo.
Attackers were observed gaining access to legitimate tax-focused websites via unpatched and out-of-date installations of WordPress and other content management systems. Code planted by the attackers on compromised sites downloads malware onto visitors' systems in an attempt to access and steal their data. Researchers noted that the code was often hosted elsewhere to make the compromise harder to spot.
Degrippo said: “In these attacks, we’ve seen the sites of smaller tax preparation and accounting firms targeted and compromised. This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened.”
Describing the most sophisticated threat observed by researchers and how dangerous such attacks can be, Degrippo told Infosecurity Magazine: "A recent attack observed spoofed the full branding of a very well-known tax preparation service in the US for both the lure and the landing page for credential phishing. If a threat actor is successful in obtaining an authentic W2, they can potentially file taxes on behalf of that person, receiving the refund to their own account instead of the actual taxpayer."
Degrippo warned that phishing emails are now dangerously sophisticated.
"With the introduction of social engineering, phishing emails have become nearly indistinguishable from legitimate emails. They use trusted brands, and the correct logos, format, and wording as an email that might be expected from that brand.
"Attackers are adept at using LinkedIn and Google to conduct reconnaissance on potential individuals that have access to the information they want and are laser-focused on targeting them directly through email. And they are continuing to use email because it’s cheap, easy to use, and above all, effective."