Symtrex Inc.

Cyber Security Specialist


Archives for February 2016

IRS reports 400% increase in phishing & malware in the past 12 months

2016/02/22 by admin

By Lisa Vaas - Naked Security

It’s tax season in the US. That means it’s also fraud season.

The US tax-filing season has only been under way for a month, but already the Internal Revenue Service is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year.

US taxpayers have been able to submit returns for the 2015 tax year as early as 19 January. The deadline to file taxes is April 15.

That’s nearly two months away.

Accordingly, many of us are studiously averting our gazes from teetering piles of paperwork heaped on our dining room tables.

But fraudsters aren’t procrastinating. As the IRS has found, they’re getting a head start in their attempts to tackle our financial data.

The IRS warned on Thursday that it’s already seen a “dramatic” increase in official-looking text and email messages stuffed into inboxes.

The phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications.

The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies.

The phishing attempts are being seen in every part of the country, the IRS says.

Fraudsters are in particular looking for information they can use to file bogus tax returns.

Clicking on their links whisks people off to sites rigged to look like official websites. Those sites ask for US taxpayer numbers, known as Social Security Numbers (SSNs), along with other personal data.

Besides phishing for such information, some of the sites are also boobytrapped with malware.

For example, some of the sites download keyloggers that record everything a victim types, including login details, and report it all back to a scammer.

Some specific numbers relating to what the IRS is seeing for phishing and malware incidents combined:

  • There were 1,026 incidents reported in January, up from 254 a year earlier.
  • The trend continued in February, nearly doubling the reported number of incidents compared to a year ago.
  • In all, 363 incidents were reported from 1-16 February, compared to the 201 incidents reported for the entire month of February 2015.
  • This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they’re halfway to matching the 2015 total of 2,748.

The IRS says that software companies, tax pros and state revenue departments have seen variations in the schemes, including phishing scams going after their online credentials to IRS services such as the IRS Tax Professional PTIN System.

We’ve also seen multiple versions of refund fraud in recent years, including automated attacks from crooks who’ve gone out of their way to get access to innocent users’ online tax submission accounts.

In May 2015, crooks used an online IRS system called Get Transcript to probe for taxpayers’ personal information that they could then use in refund fraud.

That system didn’t actually have anything to do with the system used to file taxes or get refunds. Rather, it was a reference portal used for retrieving returns from past years.

But that’s just what crooks needed to file fraudulent returns for this year.

They struck again with that type of attack a few weeks ago, with a PIN-stealing attack on the IRS that affected 100,000 taxpayers.

This time, the crooks used a list of known SSNs to try to get access to the IRS’s Get My Electronic Filing PIN portal.

How to spot tax phishers

If you get an unsolicited message that’s purportedly from the IRS or an associated organization, be suspicious.

The IRS generally doesn’t initiate contact with taxpayers by email, text or social media to request personal or financial information, the agency stressed.

These official-looking electronic communications often ask taxpayers to update important information by clicking on a link. Those links may be masked to appear like they’re linked to official pages, but they’re just heading for trouble. Don’t click on them.

These are some of the subject lines and requests the IRS is seeing in these scams:

  • Confirm your personal information.
  • Get my IP PIN.
  • Get my E-file PIN.
  • Order a transcript.
  • Complete your tax return information.
  • Variations about people’s tax refunds.
  • Update your filing details, which can include references to W-2.

You can report these scams by sending the messages to [email protected]

Filed Under: CyberThreats, Malware, Products, Security News, Sophos

Snare Server version 7.1 Coming Soon

2016/02/18 by admin

Version 7.1 is to be released in February 2016, with the following new features:

  • The Snare Server collection and reflection service has been significantly updated. The Snare Server can now perform format conversion, apply filters to events on a per-destination basis, and can also search/replace event contents on the fly. The core of the collection services and the reflector has been rewritten in C++ for speed. Sample use-cases include:
    • Sending events that are marked only with a particular criticality to a specific destination.
    • Sending Windows events to a destination SIEM server, and unix events to a syslog server.
    • Changing syslog RFC 5424 events to RFC 3164 format, to accommodate a SIEM server that can only handle the older format.
    • Switching events from using a TAB delimiter, to comma.
    • Redirecting all events that include a particular username, to a separate SIEM server for analysis.
    • Forwarding any firewall logs that include a particular IP address range, to another system for deep analysis.
  • Update and Removal of “Trusted CA root Certificates” is available from the Configuration Wizard.
  • Snare Server now supports LDAP/SSL, LDAP/TLS and SASL/TLS authentication.
  • An SNMP trap server can be configured in the Snare Server wizard. A new feature has been added to the Real Time Alerts function in the objectives so that an SNMP trap is sent to the server defined in the wizard when there is a match for the Real Time objective.
  • A new “Auto-Remove Data” objective under “System -> Data Backup” is now available. This objective allows the Administrator to create tasks with a range of selection criteria, that are designed to automatically remove data from the Snare Server archive. Selection criteria include: By agent, by date, and by log type. Regular expressions, and date-delta options are available. Each Auto-Remove task has a specific schedule that determines when it executes.
  • TLS Server certificates associated with the TLS collection service should now use the fully qualified hostname of the server on which they are installed. A freshly installed system will use the fully qualified certificate format.
  • Six new Oracle Objectives have been added to the Snare Server, including:
    • Start-up and Shut-down of the Oracle application
    • Database Global Activity
    • Admin DBA Activity
    • Oracle Security
    • Oracle Startup / Shutdown
    • Password Changes
    • User Activity
  • Seven new Microsoft DNS server log objectives with malware domain detection have been added in the Application Audit/Windows Log Data menu tree:
    • DNS Log
    • DNS over TCP empty
    • DNS over UDP
    • DNS search IP
    • DNS Server Failures
    • Malware Domains
    • Non Existent Domains
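To make two of the reflector use-cases above concrete (routing by criticality per destination, and converting RFC 5424 events to RFC 3164 for an older SIEM), here is an added sketch. It is not Snare's code or configuration: the destination names, the `max_severity` and `legacy` keys and the sample events are constructed, and carrying structured data over into the message body is one possible choice.

```python
import re

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\S*) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?: (?P<msg>.*))?$", re.S)

def parse_5424(line):
    m = RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 event with a timestamp")
    ev = m.groupdict()
    ev["pri"] = int(ev["pri"])
    ev["severity"] = ev["pri"] & 7  # 0 = emergency ... 7 = debug
    ev["msg"] = (ev["msg"] or "").lstrip("\ufeff")  # drop optional UTF-8 BOM
    return ev

def to_3164(ev):
    """Render as <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG (year and zone are lost)."""
    ts = ev["ts"]
    stamp = f"{MONTHS[int(ts[5:7]) - 1]} {int(ts[8:10]):2d} {ts[11:19]}"
    tag = "" if ev["app"] == "-" else ev["app"][:32]
    if tag and ev["pid"] != "-":
        tag += f"[{ev['pid']}]"
    body = ev["msg"] if ev["sd"] == "-" else f"{ev['sd']} {ev['msg']}".rstrip()
    head = f"<{ev['pri']}>{stamp} {ev['host']}"
    return f"{head} {tag}: {body}" if tag else f"{head} {body}"

def reflect(line, destinations):
    """Return {destination name: payload} for every destination whose filter matches."""
    ev = parse_5424(line)
    out = {}
    for d in destinations:
        if ev["severity"] <= d.get("max_severity", 7):
            out[d["name"]] = to_3164(ev) if d.get("legacy") else line
    return out

# Constructed destinations and events (hypothetical names and hosts).
DESTINATIONS = [
    {"name": "modern-siem", "max_severity": 7, "legacy": False},
    {"name": "legacy-siem", "max_severity": 3, "legacy": True},
]
SAMPLE_ERR = '<35>1 2016-02-08T14:03:07.123Z fw01.example.net sshd 4721 ID47 [origin ip="192.0.2.10"] Failed password for admin'
SAMPLE_INFO = '<38>1 2016-02-18T09:15:00+10:00 fw01.example.net sshd 4722 - - Accepted publickey for backup'
```
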

Filed Under: Products, Security News, Snare


© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement