ThreatList: Tax Scammers Launch a Raft of Fake Mobile Apps

tax day scams, fake apps

Convincing phishing pages and millions of suspicious apps are plaguing tax season.

Tax Day in the U.S. is looming on Monday, and as people rush to do their last-minute filing, scammers are out in full force, targeting consumers and businesses alike.

According to RiskIQ numbers, the internet is awash in crafty schemes and dangerous threat campaigns that exploit the convenience of popular e-filing systems such as H&R Block and TurboTax. These are being carried out via phishing pages, domain infringement and, in record numbers, fake mobile apps.

“RiskIQ is seeing a spike in these outside-the firewall-threats with attacks fooling consumers into downloading malware, using compromised sites, or giving up their login credentials and credit-card information,” the firm said in its report, released this week.

In an automated crawl of mobile app stores, RiskIQ found 4.2 million total mobile apps matching common tax keywords and brands. Out of those, 30 percent or 1.2 million were blacklisted, i.e., found to be exhibiting suspicious behavior.

tax fraud and scams

Click to enlarge.

While most official mobile apps for filing taxes are very secure—they do not store any data on a customer’s phone or device and have a host of additional security features, including password protection, multi-factor authentication and Touch ID account authentication for iPhone—it’s the fake apps that people need to watch out for. For instance, a mobile app hosted on the Ninestore app store that impersonates an H&R Block application requires far too many permissions that are incredibly intrusive and have nothing to do with the purported functionality of the app.

“These permissions include the ability to access the camera, record audio, download data without notification and change settings,” according to the report. “Essentially, this app can spy on everything a user does, even if they are not actively using their phone, change any setting on their phone, and download anything it wants without the user’s knowledge.”

Obviously apps from third-party sites like Ninestore should always be viewed as potentially dodgy, but RiskIQ said that even the official Apple App Store and Google Play have also been observed hosting malicious tax-season apps.

“[A] blacklisted app hosted in the Google Play store claims to be a helpful tax calculation software, but in reality, phishes information from users: The app requests a very extensive list of information that could allow the attacker to take complete control of the victim,” according to the findings.

On the web front, RiskIQ also found 1,235 instances of phishing sites targeting online tax filers, and 468 suspicious URLs.

tax phishing page

A very convincing phishing page.

For one of the most common e-filing services, RiskIQ found more than 19,500 instances of domain infringement targeting it.

“Attackers are … directly scamming end-users with high-volume phishing and domain infringement campaigns,” the report noted. “These attacks are cheap to execute, and they are proving to be incredibly efficient in breaching sensitive data.”

Of course, tax services are not the only attractive target for criminals; In 2018, RiskIQ detected approximately 1.3 million unique phishing hosts, or nearly 3,500 a day, and a recent query of the branded terms of 20 Fortune 100 companies in RiskIQ’s domain infringement detection revealed 37,000 probable instances of domain infringement over two weeks or 1,850 incidents per brand.

These can be quite convincing: One phishing page found for instance is a copy of an online IRS form for updating electronic tax information. It harvests name, occupation, employer, Social Security number, address and tax PIN.

“The hostname, ‘e-filing,’ and the domain, ‘services,’ make for a clever combination that could easily trick users into thinking they’re on the official IRS website,” RiskIQ noted.

Consumers and business users alike can protect themselves by carefully vetting all mobile apps, and not clicking through on links in unsolicited tax-related email. Tax prep should also always be done on a private network (not public WiFi) and on a device that’s protected by firewalls and antivirus.

“April 15 is a well-known deadline for a lot of people, often inducing a mad scramble to get their taxes prepared and submitted to the IRS,” Nathan Wenzler, senior director of cybersecurity at Moss Adams, said via email. “But, it’s also a time when cybercriminals take advantage of this time to shift their scamming efforts into overdrive. This year, the risk of financial loss and identity theft from these IRS scams is even higher, as criminals are now leveraging far more detailed, personal data that has come from the dearth of data breaches we’ve seen over the last several years. Armed with this personal information, these scams now sound more realistic, more legitimate and more trustworthy, which makes them far more dangerous than ever before.

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.