'Tis the season for tax scammers -- and now, 'long-lining' phishers

The approach of the April 15 deadline for filing federal income taxes has tax scammers popping up in larger numbers online, even as a new phishing trend called long-lining is starting to pick up steam.

The Internal Revenue Service has already put scammers on notice: "As tax season begins this year, we want to be clear that there is a heavy price to pay for perpetrators of refund fraud and identity theft," Internal Revenue Service Acting Commissioner Steven T. Miller said in a statement. "We have aggressively stepped up our efforts to pursue and prevent refund fraud and identity theft, and we will continue to intensely focus on this area."


Those efforts are part of a year-round campaign by the IRS to attack tax fraud. For example, the number of identity theft probes by the agency tripled to 898 in 2012, from 276 in 2011.

Sentencings of identity thieves during the period also jumped -- to 223 in 2012, from 80 in 2011 -- as did jail time for persons convicted of ID theft. Those convicted were sentenced to serve an average of 48 months in prison last year, four months more than in 2011.

Online scams this year are similar to those in the past, according to Cameron Camp, a senior researcher with Eset, of San Diego, Calif. "There isn't much variation on existing scams," he said. Fake tax preparation, bogus problems with tax returns and identity theft with intent to file a fake return are some of the common scams.

There's no relief after the tax deadline passes, either, he said. "After the April 15 deadline, you'll start seeing a raft of emails saying there's a problem with your return; you need to send us $500 to fix it."

While tax scammers are recycling old material, they appear to be changing their proclivities, according to Don Jackson, a senior security researcher with Dell F-Secure in Atlanta, Ga. "The big difference this year is we're not seeing as many exploits," he said. "They're not using vulnerabilities in browser software as much as they have in the past. What we're seeing is more social engineering attacks."

He explained that messages will contain links to online forms where scammers hope to harvest information from a target or to a PDF version of a form that contains an information-stealing Trojan.

Tax scams, though, aren't the only ones phishers have latched onto; a new technique called "long-lining" is growing in popularity, too.

Long-lining combines the credibility of a spear phishing attack with the volume of a generic spam campaign. Unlike conventional mass phishing exploits, the 'hooks,' or email messages, used in long-lining are highly variable rather than identical, making them largely undetectable to traditional signature- and reputation-based security gateways.

The messages are typically varied by IP address of origination, subject line and body content.

The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that's been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.
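The following added example (not from the article or any vendor quoted in it) shows why exact-match signatures see unrelated messages in such a wave, and how grouping by normalized destination host across distinct sending IPs can surface the campaign. The sample messages, the function names and the three-sender threshold are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample messages (not real traffic): each differs in source IP,
# subject, body wording and URL mutation, as the article describes.
MESSAGES = [
    {"ip": "198.51.100.7", "subject": "Your refund status",
     "body": "Review your filing: http://shop.example.org/a/x1?id=93af"},
    {"ip": "203.0.113.20", "subject": "Action needed on return",
     "body": "Please confirm at http://SHOP.example.org/b/q7?ref=1c2d today."},
    {"ip": "192.0.2.55", "subject": "Tax document attached",
     "body": "Details here http://shop.example.org./c/zz#k9"},
    {"ip": "198.51.100.99", "subject": "Lunch on Friday?",
     "body": "Menu: http://cafe.example.net/menu"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def exact_signature(msg):
    """What an exact-match content signature keys on: subject + body bytes."""
    data = (msg["subject"] + "\n" + msg["body"]).encode()
    return hashlib.sha256(data).hexdigest()

def distinct_signatures(messages):
    """Number of different exact signatures in the batch."""
    return len({exact_signature(m) for m in messages})

def destination_hosts(msg):
    """Normalized hosts of every URL in the body (lowercased, no trailing dot)."""
    hosts = set()
    for url in URL_RE.findall(msg["body"]):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts

def cluster_by_destination(messages, min_senders=3):
    """Flag hosts linked from at least min_senders distinct source IPs (assumed threshold)."""
    senders = defaultdict(set)
    for msg in messages:
        for host in destination_hosts(msg):
            senders[host].add(msg["ip"])
    return {h: sorted(ips) for h, ips in senders.items() if len(ips) >= min_senders}

if __name__ == "__main__":
    print("distinct exact signatures:", distinct_signatures(MESSAGES))
    print("suspected campaign hosts:", cluster_by_destination(MESSAGES))
```

Because the destination is a legitimate site that has been compromised, a flagged host is a lead for investigation rather than proof of a campaign.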

"Each 'hook' looks individual to each phish; they don't see the large campaign," Kevin Epstein, product vice president for Proofpoint in Sunnyvale, Calif., said. Because the emails look so credible, people are clicking on the links in them at an astounding rate -- on average 10%.

"That's staggering," he said. "Any legitimate marketer would be thrilled to have a 10% click-through rate on a marketing campaign."

Security experts continue to urge people online to be highly skeptical of links that appear to be from trusted sources, co-workers and even friends and family members.


Stories by John P. Mello Jr.
