Hackers Dumpster Dive for Taxpayer Data in COVID-19 Relief Money Scams

Threat actors are buying and selling taxpayer data on hacker forums as well as using phishing and other campaigns to steal various U.S. government payouts.

Threat actors are using a combination of scams to obtain as well as buy and sell credentials for U.S. taxpayers to steal appropriations from the COVID-19 relief package as well as 2020 tax refunds, new research has found.

Researchers from Secureworks Counter Threat Unit (CTU) have observed an increase in various threat activity against taxpayers as well as on underground hacker forums aimed at fraudulently obtaining these various government payouts, they said in a report. Some of these efforts trace back to tax preparation services that dispose of customer hard copy paperwork insecurely via the trash. Customer data culled from that paperwork then ends up on illicit online markets where it is bought and resold.

In late March, the U.S. government passed a $2 trillion stimulus package in the form of the CARES Act, aimed at helping companies affected by the business shutdown during the coronavirus pandemic. The package includes $1,200 in individual taxpayer payments to those who qualified, representing a new opportunity for fraud alongside the usual tax-season campaigns that threat actors typically employ.
The scams observed by Secureworks CTU come in several forms, according to researchers. One is an attempt to get taxpayers to give up their information and create phony tax forms in advertisements shared on social media and other online platforms, they said.

Other attacks were more typical phishing campaigns, in which threat actors used emails with attached phishing pages disguised as the IRS tax forms required for stimulus checks, they said.

Hackers Dumpster Dive for US Taxpayer Data in COVID-19 Relief Money Scams“The threat actor can use the submitted information to impersonate the victim on IRS tax forms and obtain the victim’s tax return and stimulus check,” according to the post.

Researchers also observed a flurry of activity on hacker forums that deal in various versions of taxpayer fraud related to CARES act relief payouts and tax refunds.

One such scam shows threat actors flogging hundreds of thousands of what are called “fullz,” which in underground forums means a full set of personal data, as well as other critical data of deceased U.S. citizens that can be used to file phony tax returns and steal payouts, researchers said.

“A cybercriminal possessing a deceased individual’s data (e.g., personal information (fullz), paystubs, bank account details, individual taxpayer identification number (ITIN)) could file a fraudulent tax return for the victim and claim an applicable stimulus payment and tax refund,” researchers wrote.

In another underground forum post, an English-speaking threat actor known as “DoctorZempf” is selling data claimed to have been obtained by searching tax preparers’ trash dumpsters. The data can be used to steal identities and apply for a victim’s stimulus relief check or to craft socially engineered email campaigns against customers to commit similar fraud, the hacker claimed.

Researchers also observed bad actors selling data packages to simplify tax identity theft as well as stolen databases from tax e-filing services of fullz and taxpayer account information. One hacker even advertisesd an auction for a database that could allow a buyer to create 40,000 more tax profile data packages, researchers said.

To avoid falling victim to these emerging taxpayer threats, CTU researchers cited a link to sample phishing emails posted by the IRS so people can inform themselves and avoid fraud.

CTU researchers also recommended typical security best practices—such as multi-factor authentication and up-to-date security encryption–so clients can avoid these scenarios. They also advised victims to report any fraudulent activity to the IRS as well as a credit agency to mitigate damage.

Indeed, threat actors typically ramp up their game during tax time, but the COVID-19 pandemic also has inspired a surge in threat activity, particularly with the lure of more financial reward. Another program linked to the CARES Act—the Economic Injury Disaster Loan—also may have exposed 8,000 small-business applicants to fraud by threat actors with a data leak recently.

Researchers also observed new business email compromise (BEC) campaigns targeting government agencies who procure medical supplies aimed at stealing payments for those supplies without delivering the goods.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.