'Tis the season for tax scammers -- and now, 'long-lining' phishers

The approach of the April 15 filing deadline for filing federal income taxes has tax scammers popping up in larger numbers online even as a new phishing trend called long-lining is starting to pick up steam.

The Internal Revenue Service has already put scammers on notice: "As tax season begins this year, we want to be clear that there is a heavy price to pay for perpetrators of refund fraud and identity theft," Internal Revenue Service Acting Commissioner Steven T. Miller said in a statement. "We have aggressively stepped up our efforts to pursue and prevent refund fraud and identity theft, and we will continue to intensely focus on this area."

[See also: South Carolina faults weak IRS standard in massive data breach]

Those efforts are part of a year-round campaign by the IRS to attack tax fraud. For example, the number of identity theft probes by the agency tripled to 898 in 2012, from 276 in 2011.

Sentencings of identity thieves during the period also jumped -- to 223 in 2012, from 80 in 2011 -- as did jail time for persons convicted of ID theft. Those convicted were sentenced to serve an average of 48 months in prison last year, four months more than in 2011.

Online scams this year are similar to those in the past, according Cameron Camp, a senior researcher with Eset, of San Diego, Calif. "There isn't much variation on existing scams," he said. Fake tax preparation, bogus problems with tax returns and identity theft with intent to file a fake return are some of the common scams.

There's no relief after the tax deadline passes, either, he said. "After the April 15 deadline, you'll start seeing a raft of emails saying there's a problem with your return; you need to send us $500 to fix it,."

While tax scammers are recycling old material, they appear to be changing their proclivities, according to Don Jackson, a senior security researcher with Dell F-Secure in Atlanta, Ga. "The big difference this year is we're not seeing as many exploits," he said. "They're not using vulnerabilities in browser software as much as they have in the past. What we're seeing is more social engineering attacks."

He explained that messages will contain links to online forms where scammers hope to harvest information from a target or to a PDF version of a form that contains an information-stealing Trojan.

Tax scams, though, aren't the only ones phisher have latched onto; a new technique called "long-lining" is growing in popularity, too.

Long-lining combines the credibility of a spear phishing attack with volumes of a generic spam campaign. Unlike conventional mass phishing exploits, the 'hooks,' or email messages, used in long-lining are highly variable rather than identical, making them largely undetectable to traditional signature and reputation-based security gateways.

The messages are typically varied by IP address of origination, subject line and body content.

The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that's been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.

"Each 'hook' looks individual to each phish; they don't see the large campaign," Kevin Epstein, product vice president for Proofpoint in Sunnyvale, Calif. said. Because the emails look so credible, people are clicking on the links in them at an astounding rate -- on average 10%.

"That's staggering," he said. "Any legitimate marketer would be thrilled to have a 10% click-through rate on a marketing campaign."

Security experts continue to urge people online to be highly skeptical of links that appear to be from trusted sources, co-workers and even friends and family members.

Read more about identity theft prevention in CSOonline's Identity Theft Prevention section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags phishingAccess control and authenticationIRSIdentity & AccessIdentity & Access | Identity Theft PreventionInternal Revenue Servicelong-lining

More about DellEsetF-SecureInternal Revenue ServiceIRSIRSProofpoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

More videos

Blog Posts