W-2 – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: W-2 Theft, BEC Scams, and SEC Guidance

The FBI is once again warning organizations that there has been an increase in phishing campaigns targeting employee W-2 information. In addition, this week saw new breach notifications related to W-2 theft, as well as reports of a threat actor targeting Fortune 500 companies with business email compromise (BEC) scams in order to steal millions of dollars.

The recent breach notification from Los Angeles Philharmonic highlights how W-2 information is often targeted during the tax season: attackers impersonated the organization’s chief financial officer via what appeared to be a legitimate email address and requested that the W-2 information for every employee be forwarded.

“The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization,” the FBI noted in its alert on W-2 phishing scams.

In addition, researchers said that a threat actor, which is likely of Nigerian origin, has been successfully targeting accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers and steal millions of dollars. The examples observed by the researchers highlight “how attackers used stolen email credentials and sophisticated social engineering tactics without compromising the corporate network to defraud a company.”

The recent discoveries highlight the importance of protecting against BEC and other types of phishing scams. The FBI advises that the key to reducing the risk is understanding the criminals’ techniques and deploying effective mitigation processes, such as:

limiting the number of employees who have authority to approve wire transfers or share employee and customer data;
requiring another layer of approval such as a phone call, PIN, one-time code, or dual approval to verify identities before sensitive requests such as changing the payment information of vendors is confirmed;
and delaying transactions until additional verification processes can be performed.

Other trending cybercrime events from the week include:

Spyware companies hacked: A hacker has breached two different spyware companies, Mobistealth and Spy Master Pro, and provided gigabytes of stolen data to Motherboard. Motherboard reported that the data contained customer records, apparent business information, and alleged intercepted messages of some people targeted by the malware.
Data accidentally exposed: The University of Wisconsin – Superior Alumni Association is notifying alumni that their Social Security numbers may have been exposed due to the ID numbers for some individuals being the same as their Social Security numbers and those ID numbers being shared with a travel vendor. More than 70 residents of the city of Ballarat had their personal information posted online when an attachment containing a list of individuals who had made submissions to the review of City of Ballarat’s CBD Car Parking Action Plan was posted online unredacted. Chase said that a “glitch” led to some customers’ personal information being displayed on other customers’ accounts.
Notable data breaches: The compromise of a senior moderator’s account at the HardwareZone Forum led to a breach affecting 685,000 user profiles, the site’s owner said. White and Bright Family Dental is notifying patients that it discovered unauthorized access to a server that contained patient personal information. The University of Virginia Health System is notifying 1,882 patients that their medical records may have been accessed due to discovering malware on a physician’s device. HomeTown Bank in Texas is notifying customers that it discovered a skimming device installed on an ATM at its Galveston branch.
Other notable events: The Colorado Department of Transportation said that its Windows computers were infected with SamSam ransomware and that more than 2,000 computers were shut down to stop the ransomware from spreading and investigate the attack. The city of Allentown, Pennsylvania, said it is investigating the discovery of malware on its systems, but there is no reason to believe personal data has been compromised. Harper’s Magazine is warning its subscribers that their credentials may have been compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

Cyber Risk Trends From the Past Week

The U.S. Securities and Exchange Commission (SEC) issued updated guidance on how public organizations should respond to data breaches and other cybersecurity issues last week.

The document, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” states that “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The SEC also advised that directors, officers, and other corporate insiders should not trade a public company’s securities if they are in possession of material nonpublic information — an issue that arose when it was reported that several Equifax executives sold shares in the days following the company’s massive data breach. The SEC said that public companies should have policies and procedures in place to prevent insiders from taking advantage of insider knowledge of cybersecurity incidents, as well as to ensure a timely disclosure of any related material nonpublic information.

“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

The SEC unanimously approved the updated guidance; however, Reuters reported that there was reluctant support from democrats on the commission who were calling for much more rigorous rulemaking to be put in place.

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but that at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.

Other trending cybercrime events from the week include:

Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

It is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offer of goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

IRS and Cybercriminals Battle Over Billion Dollar Tax Fraud Industry

While new initiatives by the Internal Revenue Service (IRS) are making it harder for cybercriminals to successfully file fraudulent tax returns, those measures have not slowed down the theft of employee W-2 information this year.

The SurfWatch Labs analyst team has observed groups of malicious actors sharing concerns about government efforts to combat fraud, as well as tips on how those protections can be circumvented, in several discussion threads on popular dark web markets. Several of those actors suggested teaming up with other seasoned cybercriminals in order to share tactics and improve their success rates in the face of the new measures. “We’re gonna have to join forces if we are going to beat the odds this year,” wrote one actor on a now-deleted tax fraud discussion thread. Another actor in a separate thread echoed those sentiments: “The process has become much more difficult over the past couple of years, but [it’s] still doable to some extent. Not like in the good ‘ole days though.”

Another actor expressed concern over new verification codes to be included on 50 million W-2 forms during the 2017 tax season — up from two million forms using the codes last year. “My guess is if this is successful, then within 2 years it will be on every W2,” the actor wrote.

An actor in a tax fraud discussion thread speculating that the verification codes used on some W-2 forms may become more widespread in the future.

The IRS has partnered with certain Payroll Service Providers this tax season to provide a 16-digit code designed to help verify the accuracy of millions of W-2s. However, as the IRS noted in its announcement, the verification rollout is only a test and “omitted and incorrect W-2 Verification Codes will not delay the processing” of returns filed this year. Other more tangible efforts to combat tax fraud include the IRS holding any refunds claiming the Earned Income Tax Credit or the Additional Child Tax Credit until February 15 to provide more time to verify the accuracy of returns, and the requirement of an individual’s date of birth and previous-year’s adjusted gross income when using tax software for the first time. Some states also ask for additional identification information, such as driver’s license numbers, in order to file their returns.

Additional anti-fraud efforts have come largely because of the large volume of fraudulent tax returns filed each year. Over the first nine months of 2015, the IRS confirmed that 1.2 million fraudulent tax returns made it into the agency’s tax return processing systems. Attempts to combat the massive amount of fraud resulted in 787,000 fraudulent returns over the same period in 2016 — a nearly 50 percent drop. It’s too early to say how 2017 will fare in terms of the number of fraudulent returns and the total cost to the IRS. What is clear is that cybercriminals are continuing to target tax-related information such as W-2s despite those changes — and they’re having great success.

As I’ve noted in other articles, cybercriminals follow the path of of least resistance and most profit. While cybercriminals face more resistance than in the past, their motivation, opportunity and capability are clearly still there.

Tax-related cybercrime is cyclical, and cyber threat intelligence around the subject peaks around this time every year. However, this past February was the most active month in terms of the volume of data SurfWatch Labs has collected around tax fraud since May 2015, and that spike in 2015 was due to a large amount of threat intelligence data surrounding the theft of taxpayer information from the IRS’ “Get Transcript” service.

The amount of SurfWatch Labs’ tax-related cyber threat intelligence data peaked in February (data through March 6, 2017).

Much of the recent data directly relates to phishing incidents that have resulted in the theft of employee W-2 information. As we wrote in a blog early last month, malicious actors are using the same simple but effective phishing tactics that led to last year’s wave of successful W-2 thefts. This week we saw the number of organizations that have publicly confirmed breaches due to W-2 phishing surpass 100 for the year, and that number does not even include the numerous organizations that had W-2 information stolen through other means, such as data breaches or incidents at tax preparation firms or payroll providers.

That stolen W-2 information is then used to file fraudulent tax returns, commit other forms of identity theft, or sold on various dark web markets for around $10 each. That can translate into a decent profit for a cybercriminal actor who can successfully dupe a handful of payroll or human resource employees into handing over hundreds — or thousands — of W-2 forms at a time.

A vendor from AlphaBay says they have “tons” of stolen W-2 tax forms for sale for only $10 each.

But as we noted above, W-2 forms are now only part of the information needed to successfully dupe the IRS. Many returns will also need information such as the individual’s date of birth and previous year’s adjusted gross income. That information can be harder to come by, and how to best obtain that information is one of the key discussion points on the cybercriminal forums observed by our analysts.

“How do I get to know the AGI [Adjusted Gross Income]?” one actor asked the group in a discussion thread on a dark web forum. Another actor, who claims to have gone solo this year after previously being part of a group engaged in tax fraud, said information such as AGI generally requires other forms of data collection or social engineering. “You’ll have a tricky time getting it,” the actor warned. Later, the actor advised that AGI can often be found in an individual’s car note or home loan documentation.

An actor responding to previous posts about finding AGI figures, as well as the value of targeting 1120S corporate tax forms.

In a separate thread, the same actor wrote a long post that is part inspirational pep talk to wannabe fraudsters frustrated by the recent changes, part FAQ on how to best perform tax fraud. We won’t share the full details of that post here (including details such as which financial institutions and methods work best for receiving fraudulent tax return payments), as this post is meant to help illuminate the thought process of cybercriminals, not to serve as a walkthrough on how to successfully commit tax fraud. Nevertheless, the section on how to find an individual’s AGI is worth noting due to the lengths the actor claims to go — and may now need to go — in order to pull off a successful season of tax fraud.

The actor explained, “For everyone I targeted, I started researching them 6 months ago” by looking through public data for things like birth announcements (to “add that baby child credit”) or for minor offenses such as driving under the influence (to find people who have jobs “in the good bracket” that are also more likely to be “one of the last minute tax filers”).

“Lots of social engineering goes into this as well,” the actor wrote. “I have even been so bold to call some, pretending to solicit them into ‘free tax assistance’ [to] find out when they plan on filing.”

An actor offering advice on how to scout targets for tax fraud.

That extra legwork is why listings on dark web markets that include information such as AGI tend to sell at much higher prices than those without. For example, the listing below, which “contains all info needed for filing [a] tax refund,” was priced at $50, five times the price of a listing selling only stolen W-2 information.

A listing on the Hansa Market selling W-2 information along with the victim’s date of birth and the previous year’s adjusted gross income.

These discussions indicate that efforts made by the IRS, financial institutions, and others have made the practice of filing fraudulent tax returns more difficult for cybercriminal actors. Despite those efforts, a number of tax-related breaches continue to occur and a great deal of effort continues to be made by malicious actors to successfully bypass those protections and steal a slice of that lucrative tax pie.

As one actor reminded everyone: “Tax fraud is a billion dollar entity. Take your cut along with the others. Don’t be dissuaded.”

Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcement from Hyatt hotels and fast-food chain Wendy’s. The IGH breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PCSU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PCSU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.

Other trending cybercrime events from the week include:

Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.

Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained accessed to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”

More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data, allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as the Tailored Access Operations.

Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.

Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singn and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

Cyber Risk Trends From the Past Week

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. WordFence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages have been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had rose to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

A simple backstory – The malicious actors utilize the built-in story of tax season.
Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.

W-2 Breach Count Hits 24, Rising Fast as More Organizations Get Phished

Tax season has begun, and with it comes renewed opportunity for cybercriminals to steal W-2 information in order to file fraudulent tax returns or sell employee data on the dark web. The past two weeks have seen at least 24 organizations publicly tied to W-2 data breaches — and more breach announcements will likely be made in the coming months.

The simple but effective phishing emails used by malicious actors mirror last year’s wave of successful W-2 thefts. The scammers impersonate an executive and use that authority, along with the timeliness of tax season, to dupe payroll and human resource employees into handing over entire rosters of W-2 information at once.

W-2 breaches and other tax-related cybercrime has peaked in the early part of the past few years, according to SurfWatch Labs’ cyber threat intelligence data, and it will likely peak again in early 2017. The spike in CyberFacts in May 2015 is largely attributed to the announcement of the theft of taxpayer information from the IRS’ “Get Transcript” service.

Numerous organizations have fallen for the ruse so far in 2017, including:

School districts such as Argyle Independent School District in Texas, Belton Independent School District in Texas, Davidson County Schools in North Carolina, Dracut Public Schools in Massachusetts, Lexington School District Two in South Carolina, Mercedes Independent School District in Texas, Morton School District in Illinois, Odessa School District in Missouri and Tipton County School District in Tennessee.
Healthcare-related organizations such as Campbell County Health, eHealth, Kuhana Associates, Persante Health Care and Pointe Coupee General Hospital.
A variety of businesses in other sectors such as online ad management platform Marin Software, furniture company Mitchell Gold + Bob Williams, solar financing company Renovate America, restaurant chain Scotty’s Brewhouse, residential solar company SunRun, translation services company TransPerfect, and UGI Utilities.

In addition to those organizations, Brian Krebs reported that an actor on the dark web is selling stolen W-2 information tied to more than 3,600 individuals. Information purchased by a source revealed data from Kirai Restaurant Group in Fort Lauderdale and an unnamed doctor’s office in Boca Raton. However, both of those organizations told Krebs that they used a third-party payroll management firm called The Payroll Professionals. That company said it is “aware of the potential hacking” but has yet to make a public announcement.

Altogether that means 24 distinct organizations have been tied to W-2 breaches so far this year, plus any additional clients that may be tied to the incident at The Payroll Professionals.

At least seven of the victims so far have been in the education group, and there have been reports of an even larger number of school districts being unsuccessfully targeted with similar phishing emails. This falls in line with trends from last year’s threat intelligence data.

2017-02-02_taxgroups2016 — Education topped the list of industry groups publicly tied to W-2 breaches and other tax-related cybercrime in 2016, and schools are being heavily targeted once again in 2017.

The IRS issued an alert last week warning organizations to be on the lookout for these types of phishing scams, which may include requests in the email body such as:

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The scam relies on tricking employees into emailing sensitive information. The best way to combat these types of threats is to ensure that employees are aware of ongoing phishing campaigns and that those employees are properly trained on the best ways to defend against social engineering.

Organizations should use a combination of user-awareness/education and anti-phishing tools to keep employees continually informed of evolving phishing campaigns and to have some mitigation and policy enforcement in place. By creating a culture where employees are encouraged to question unusual requests and confirm those requests via a secondary communications channel, organizations can greatly reduce the risk of employees falling for these types of scams.

What Can We Learn About Social Engineering From Impersonation?

With organizations losing billions of dollars due to business email compromise scams and thousands of employees having their W-2 information sent to criminals each week, it can be easy to think, “How can people be so dumb and keep falling for these same tricks?”

When it comes to socially engineering an employee, most people think of email phishing
— and last week we discussed some ways to defend against those threats — but I think the best way to truly understand those cyber threats is to first remove those technology aspects and look at one of the oldest cons around: impersonation.

I love a good impersonation story. Don a disguise. Create a good backstory. Trick some people into doing something they shouldn’t.

It makes for great drama.

Unsurprisingly, when researching how businesses are being compromised by social engineers, nearly all of my favorite examples involved the tactic. Impersonation stories are important because they highlight how simple and effective techniques can be used to lead to a major compromise at an organization.

For example, Christopher Hadnagy, CEO of Social Engineer, Inc., recounted on our social engineering podcast how two ticket-less fans were able to watch the Super Bowl from $25,000 seats by sneaking into the event with a group of first aid workers and then simply acting “super confident.”

Likewise, Chris Blow, a senior advisor at Rook Security, likes to pretend to be an exterminator to test a company’s security. In one instance, he was thwarted by a well-trained receptionist who noticed the con; however, all he had to do was drive around back and find more “helpful” employees — who then let him into sensitive areas where he could access a variety of valuable information.

They Literally Handed Him Their Money

My favorite social engineering story occurred decades before email became popular and everyone learned of the term “phishing.” It was done by conman turned FBI consultant Frank Abagnale, who claims to have duped dozens of individuals into handing him their businesses’ money simply by posing as a security guard.

As the story goes, Abagnale noticed how car rental companies would deposit their money in an airport drop box each night, so he bought a security guard outfit and put a sign over the drop box saying “Out of service, place deposits with security guard on duty.”

According to his autobiography, he stood there amazed as people handed him a total of $62,800.

You may hear that story and wonder why all of those people would trust some random guy with a sign. But is that any different than the cybersecurity pros today who are dumbfounded when a person gives their password to an “IT guy” over the phone? Or when an employee hands over their credentials because an email told them to do so?

Simple, effective scams work, have always worked, and when done in person by a skilled social engineer, can be even more effective.

Defending Against Social Engineering

What can we learn from these impersonators?

For one, social engineering is very effective, which is why the FBI and others are warning of a dramatic increase in business email compromise (BEC) scams. From October 2013 through February 2016, from just this one type of social engineering, there were more than $2.3 billion in losses across 17,600 victims.

Scam artists understand precisely how easy it can be to dupe people, and the same techniques are used in social engineering via phishing and phone. The story above is one of my favorites because Abagnale combines three of those common tactics in one scam: a simple backstory, appearing as though he belongs, and projecting authority.

A Simple Backstory — Whether in person, over the phone or via email, scammers will have all sorts of stories that prey on people’s desire to help. Those handling sensitive information such as W-2 information should always be skeptical about who and why they are sharing that information, but that is often not enough. Having clear policies for employees to fall back and procedures for sharing sensitive information on can help ensure an employee does not get duped due to their desire to be helpful.
Appearing as Though They Belong — As the FBI noted in a BEC warning, it’s important to know the habits of customers, coworkers and vendors and to beware of any significant changes. A person may appear as though they belong by impersonating those who have legitimate access. In some BEC attacks, the malicious actors compromised email accounts and waited for weeks or months to learn the communication habits before attempting their scam. Employees should be encouraged to report any suspicious activity and be continuously trained so that the front line of defense is armed to look out for the latest and most relevant social engineering threats.
Projecting Authority — The impersonation of authority figures is a large reason for the billions of dollars being lost to these social engineering scams. Just because a call or email appears to come from the CEO or other figure, be wary of any attempts to disclose data or gain access. Authenticating important requests through several channels such as both email and phone can help to prevent many social engineering attempts.

People want to be helpful. They tend to trust others. Good social engineers exploit those tendencies. The influx of technology has only expanded the reach of scam artists; the techniques remain the same. If an organization and its employees understand why social engineering works, then it’s much easier to combat some of those common tactics and keep the business safe.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

2016-04-25_Tax_groups — Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have lead to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high profile W-2 data breach at the University of Virginia leading the way in terms is discussion.

2016-04-25_tax_itt — *The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization.*

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
“Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal. The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments. Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request that is sent utilizing a high-ranking executives spoofed email. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.