As fiscal year 2015 comes to an end, cybercriminals are looking forward to another potentially profitable tax filing season. Fraudulent tax returns are a growing problem for local and federal governments, costing taxpayers billions of dollars annually. Last year, 60 Minutes produced a story on IRS identity tax refund fraud. Although a small percentage of such fraud is carried out by individuals, the majority is perpetrated by well-organized domestic and international cybercriminal groups.
Ever since TurboTax unexpectedly and temporarily suspended state tax e-filings last year, fraudsters have been actively making advanced preparations for this year, and searching for a substitute arrangement in case anti-fraud measures have been strengthened amongst the most popular tax preparation services.
While monitoring a popular Russian cybercrime forum, Flashpoint came across a post from a very experienced and respected member of several dark web communities. In his post, originally written in Russian on December 10, 2015, the actor indicated an interest in the purchase of login credentials in support of his fraud.
“Up until January 5, I will identify all personal information associated with your accounts and order a card under the victim’s name. Until it’s done, you can not touch these accounts. Once it is complete, I will return all credentials to you and feel free to use it as you wish. Beginning from January 20-25 I will start filing the returns. Requests are usually processed within 2-3 weeks and in case of success, the money will be deposited to my cards, which will be passed to the cashier.”
As of this writing, Flashpoint has not observed any previous offerings or interest in obtaining login credentials of US clients of Automated Data Processing (ADP) related to tax fraud. However, considering the highly reactive nature of the cybercriminal world to the possible emergence of new income streams, we anticipate increased attention to the company from fraudsters.