Since January, at least 55 companies have announced that they had fallen victim to a highly tailored spear phishing scheme. This scheme is responsible for stealing and compromising the W-2 U.S. tax records of every employee working for these companies during 2015.
In previous years, we saw similar trends in SMS fraud targeting consumers with phishing attacks aimed at tax returns. Flooding U.S. consumers’ cellphones in several major cities, the phishing attempts targeted a very specific type of prepaid debit card, which is often used by the government to issue tax refunds. These attacks leveraged individuals’ trust in and fear of text messages that appear to be fraud alerts from the victim’s bank.
However, this new spear phishing campaign instead targets entire companies and organizations by exploiting a similar trust in internal email and communication from an employee’s boss/CEO. Over the past several weeks, we’ve seen the rise of these spear phishing attempts come across appearing to be from the CEO urgently asking a subordinate for W-2 records via subject lines such as: “Request for all employees’ W2.”
Click to View the Infographic: How They Do It: Inside W-2 Spear Phishing Attacks
Anatomy of a W-2 Spear Phishing Attack
At a broad level, a bad guy impersonates the company’s CEO or CFO requesting all of the employee tax information for 2015 in a spoofed (forged) email to a member of the finance or HR team. Given that this is tax season in the U.S., such a request from the supposed CEO/CFO is not outlandish.
The first step begins with a bit of research about a company. Scraping popular forms of public data, such as LinkedIn and Twitter, often yields the names and titles of many employees in a company. Then, a quick search for the company’s website will often provide the name of the domain used in their email. With these items in hand, attackers now have their target’s email address as well as the email of a higher ranking member of the company — often a CEO or CFO.
When constructing an email, it is possible to spoof, or fake, certain fields in the email. This phishing scam relies on forging the “FROM:” field to display the CEO’s email, for example: firstname.lastname@example.org. In reality, this email is from somewhere entirely different and has the “REPLY-TO” field (that is typically hidden from the end user) set to an email address controlled by the attacker, for example: email@example.com.
The combination of these steps delivers to a member of the finance or HR team an email that appears to be from the CEO asking for all of “our” W-2 employee tax records for 2015. Should the target take the bait, any reply to this request is rerouted to the REPLY-TO address, firstname.lastname@example.org, forged in the email’s headers rather than the CEO’s address. The attacker then receives the reply from the victim containing all of the companies W-2 records.
Cashing in On Stolen W-2s
What will the perpetrators do with all this tax information from the W-2s? These documents have a wide range of sensitive information that can be used for various forms of identity fraud. Criminals harvesting W-2 information by spear phishing will probably not exploit them directly. These compromised data sets will probably be sold off on underground, Silk Road-like forums to a number of different small operators who will file fraudulent tax returns in the name of the victims.
Since the W-2, by its nature, has all the information a bad guy needs to file a tax return, the attacker attempts to file a tax return in the employee’s name before the employee does. Doing this allows the attacker to steal the victims’ tax refund by routing the refund to their money mules. Due to the need for money mules and manual tax filing (since mass automated filing would be detected by the IRS,) this form of fraud has developed into a cottage industry type of ecosystem on underground forums with many individual contributors involved. Rapper J-Creek has a song on YouTube [warning: contains offensive language] about the need for a money mule (or “drop hoe”) to collect fraudulent tax refunds. There are even reports of classes on how to file fraudulent tax returns being held in church basements.
In an interview with Brian Krebs, Alabama Department of Revenue commission Julie Magee stated that bad guys are even registering with the IRS to be “electronic return originators.” This title grants them the ability to electronically prepare and submit tax returns to the IRS. As an ERO, they can then purchase tax preparation software and services to help automate filing fraudulent claims in bulk.
The problem swelled enough in February that the IRS sent out yet another alert about the increase in fraud this tax season, stating that the agency had seen a “…400 percent surge in phishing and malware incidents so far…” Several weeks later, the IRS issued a public warning on its site about the attacks gave insight into the types of messages that attackers used as hooks:
Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Several weeks later, the IRS sent out yet another alert about the increase in fraud this tax season, stating that the agency had seen a “…400 percent surge in phishing and malware incidents so far…”
The victimized companies range from technology companies such as a storage manufacturer, Seagate, to a concrete supply company. CSO’s Steve Ragan investigated and compiled an impressive timeline of at least 41 separate companies that have been victimized by this scam. These, plus others revealed by entities such as KrebsonSecurity, bring the total up to 55. It’s likely that even more have been compromised, but have not come forward.
A list of those known companies:
- Actifio Inc.
- Advance Auto Parts
- AmeriPride Services Inc.f
- Applied Systems Inc.
- Billy Casper Golf
- Central Concrete Supply Co. Inc.
- Century Fence
- ConvaTec Inc.
- DataXu Inc.
- Dynamic Aviation
- Endologix Inc.
- Evening Post Industries
- EWTN Global Catholic Network
- Foss Manufacturing Company
- General Communications Inc.
- Information Innovators Inc.
- ISCO Industries
- Kantar Group
- Kids Dental Kare in Los Angeles
- Lamps Plus and Pacific Coast Lighting
- Lanyon Solutions Inc.
- LAZ Parking
- Magnolia Health Corporation
- Main Line Health
- Mansueto Ventures
- Matrix Service Company
- Mercy Housing
- Mitchell International Inc.
- Nation’s Lending Corporation
- Netcracker Technology Corporation
- PerkinElmer, Inc.
- Pharm-Olam International
- Pivotal Software, Inc.
- QTI Group
- Robert Rauschenberg Foundation
- Ryman Hospitality Properties
- Seagate Technology
- Sprouts Farmers Market
- Turner Construction Company
- Tidewater Community College
- York Hospital
If you are an employee of one of these companies, or just generally worried about tax and identity fraud, we’ve also posted a series of steps to prevent tax fraud and identity theft.
For enterprises, the damages also add up. While companies provide identity theft protection to their employees, employee trust and productivity are disrupted. Boards are dismayed, and the employee who fell for the scam may be fired. Internal procedures are often addressed and controls put in place to prevent future attacks.
In some cases, stocks take a tumble. This was the case at Seagate Technology; on the day the news of the W-2 attack hit the media, the company’s stock price decreased 3.5 percent. Though the stock price later recovered, the company suffered damage to its brand and reputation.
All of these impacts resonate with patterns of damage observed in Cloudmark’s survey on the impacts of spear phishing attacks. You can read more about those impacts here.
Update – April 1-May 9, 2016: At least 13 more organizations have been victimized by this attack, bringing our total to 68. Those organizations are:
- Ash Brokerage
- Bowdoin College
- Brunswick Corp.
- Equifax (and its client, Kroger)
- Hutchinson Community College
- Kentucky State University
- Pomeroy Investment Company
- Proskauer Rose
- Rockhurst University
- Ryman Hospitality
- Stanford University via W-2Express
- U. S. Bank (ADP)