IRS Domain Spoofed in Fraud Campaign
Researchers Say Scammers Use Social Engineering Strategies
A recently uncovered phishing campaign is using a spoofed U.S. Internal Revenue Service domain and social engineering techniques in an attempt to trick targeted victims into sending money to fraudsters, according to researchers at Abnormal Security.
These phishing emails have targeted 50,000 to 70,000 Microsoft Office 365 accounts since late October, the security firm reports.
The phishing campaign, which does not include malware or malicious links, relies heavily on social engineering techniques, such as accusing recipients of owing a tax debt and threatening further legal action unless a payment is made, the security researchers say.
"This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments," the researchers say (see: Phony IRS Emails Promise Refund, But Deliver Botnet Instead).
In addition to spoofing the official IRS.gov domain, the fraudsters disguise their actual email address to hide their origin, according to the report.
"Although the email appears to originate from the domain 'irs.gov,' analysis of the email headers reveals that the true sender domain is 'shoesbagsall.com,' according to the Abnormal Security report. "Additionally, the 'Reply-To' email is 'firstname.lastname@example.org,' which is not associated with the IRS and instead leads directly back to the attacker."
The phishing emails include unique account and loan numbers as well as docket and warrant identification numbers to help make them appear legitimate, according to the report. The fraudsters appear to always ask for a payment of $1,450.61.
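The header mismatch the report describes can be checked mechanically. The following is an added example, not code from Abnormal Security or from this article: it compares the domain in "From" with the domains in "Return-Path" and "Reply-To". It assumes the "true sender domain" is visible in Return-Path; the sample message is constructed, and only the three domains in it come from the article.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Only irs.gov, shoesbagsall.com and the
# Reply-To address come from the article; everything else is made up.
SAMPLE = """\
Return-Path: <bounce@shoesbagsall.com>
From: "Internal Revenue Service" <notice@irs.gov>
Reply-To: firstname.lastname@example.org
To: recipient@example.com
Subject: Final notice (constructed sample)

Reply to this message to receive payment instructions.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def same_org(a, b):
    """Exact match or parent/subdomain match (naive: no public-suffix list)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_mismatches(raw):
    """List headers whose domain does not line up with the visible From domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    if from_dom is None:
        return ["missing-or-unparseable-from"]
    findings = []
    checks = (("Return-Path", "return-path-mismatch"),
              ("Reply-To", "reply-to-mismatch"))
    for header, label in checks:
        dom = domain_of(msg.get(header))
        if dom and not same_org(dom, from_dom):
            findings.append(f"{label}:{dom}")
    return findings

if __name__ == "__main__":
    print(header_mismatches(SAMPLE))
```

A Return-Path mismatch alone also occurs in legitimate mail sent through third-party services, so treat these findings as signals to combine with SPF, DKIM and DMARC results rather than as a verdict.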
In the example provided by Abnormal Security, the phishing email instructs the victim to reply to receive instructions for payment.
"This email appears to be a credible impersonation of the IRS," the report notes. "Both the spoofed 'irs.gov' sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language."
Tom Pendergast, chief learning officer at cybersecurity training firm MediaPRO, notes that this type of domain spoofing, paired with well-written phishing emails, is now standard practice for many fraudsters.
"The urgency and threat of penalty are classic hallmarks and should raise suspicion," Pendergast tells Information Security Media Group. "True, there are no links to click and no obviously absurd misspellings and threats, and the account numbers give the illusion of specificity."
Since the COVID-19 pandemic began, fraudsters have been adjusting their phishing campaigns to take advantage of current events, including spoofing government agencies' domains, in an attempt to harvest personal credentials and data.
For example, Proofpoint found fraudsters are now using spoofed website templates with COVID-19 themes as part of phishing attacks designed to steal login credentials and banking data. These malicious templates included a spoofed IRS website (see: Spoofed Website Templates Help Spread COVID-19 Scams: Report).