One of the oldest tricks for criminals that utilize social engineering is impersonating government officials. Acting as representatives of agencies like Social Security, the FBI, the IRS, and others, countless people fall victim to this classic phishing tactic. This remains true today as a new report from the security research team at Akamai indicates. In a blog post, Or Katz details a recent IRS scam that raised suspicion among researchers primarily because it was an “out of season” attack. Typically, when IRS impersonators go after victims, they pursue them prior to the tax season deadline. Instead, however, this particular social engineering campaign was discovered to hit peak activity in August.
As the report states, the social engineering phishing campaign targets the usual information sought out in these crimes (banking data, passwords, credit card information, and Social Security numbers). The attacks are carried out against websites that have been compromised and made to look like legitimate IRS landing pages. Akamai explains this in more detail:
According to Akamai’s research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai’s visibility into global network traffic, the campaign targeted over 100,000 victims worldwide… A closer look into the content of each domain… reveals that they had identical visual cues. This means the basic look of the IRS website is the same, but it’s clear the threat actors are customizing parts of each page. This evasion technique is used with the hope that the landing page itself will remain undetected by security vendors using signature detection to spot phishing attempts… Some of the content changes looks as if was randomly generated, meaning an automatic process was involved in the content generation.
This IRS scam is a cut above simple social engineering as the criminals behind the phishing campaign clearly have extensive programming knowledge and understand security countermeasures. Though the researchers at Akamai have learned a great deal about the attackers’ methodology, they still have yet to uncover the identities of the perpetrators. Considering that the campaign appears to still be active, there is always the possibility of new information being discovered.
Featured image: Flickr / CafeCredit.com