CyberheistNews Vol 13 #52 [IRS Alert] Three Tips To Protect Against Tax Season Refund Scams

Cyberheist News

CyberheistNews Vol 13 #52  |   December 27th, 2023

[IRS Alert] Three Tips To Protect Against Tax Season Refund Scams
Stu Sjouwerman SACP

Urging taxpayers and tax professionals to be vigilant, the U.S. Internal Revenue Service (IRS) provides some simple guidance on how to spot new scams aimed at being able to file fake tax returns.

Apparently, there are actually three certainties in life: death, taxes and scams revolving around taxes. This is according to the IRS, as part of its annual Security Summit. Like any major event that holds the attention of millions of people at once, tax season attracts its share of scammers.

We've seen in recent years a consistent surge in tax-related scams in the months before taxes are due in the United States. Here are three simple ways the IRS said you can spot scams:

  1. Given that many scams impersonate the IRS, the recommendation is to first realize that the method of communication should be scrutinized. Most scams start with an email or a text – communication mediums the IRS almost never uses. Official IRS communication is most often handled through the mail.
  2. I'd like to add that it's not out of the realm of possibility for a scam to pretend to be a well-known tax preparation company or online service claiming to get you a refund… "guaranteed". I'm calling it here… if it hasn't already been done, we'll see it next year!
  3. Those responsible for the organization's finances could also be targeted in an attempt to solicit payments. Be sure those individuals remain vigilant as we move into the months leading up to April 15; and if you're serious about doing so, enroll them in new-school security awareness training.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, January 10, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 10, @ 2:00 PM (ET)

Save My Spot!

Attacks on Critical Infrastructure Are Harbingers of War: Are We Prepared?

I just found a great post by Morgan Wright, chief security advisor of SentinelOne. Here is a quick summary; a link to the full article is at the bottom. The recent attacks on water authorities like Aliquippa and St. Johns River have cast a spotlight on the vulnerability of critical infrastructure.

Such attacks are not just about causing physical damage; they strike at the core of society, threatening our basic needs for water, power, and safety. These incidents should be seen as potential precursors to larger conflicts, highlighting an urgent need for enhanced cybersecurity measures.

Why are these infrastructures targeted? The answer lies in their psychological and strategic importance. Unlike a temporary bank outage, disruptions in essential services like power and water supply immediately impact daily life, invoking a survival instinct among the populace. This was evident during the Colonial Pipeline ransomware attack, which led to widespread panic and hoarding of fuel, despite there being no actual fuel shortage.

This strategy of targeting critical infrastructure is known as Intelligence Preparation of the Battlefield (IPB), a concept originating from the Arab-Israeli War of 1973. It's a method to anticipate and influence enemy actions. Major global powers like Russia, China, and Iran have different motivations for such attacks. While Russia and China focus on IPB for strategic positioning, Iran's attacks, such as the one on Aliquippa, are more ideologically driven.

China's extensive preparation for digital and physical conflict is evident from their activities, including cyber attacks on critical US infrastructure. The US Department of Justice has also indicted Russian nationals for targeting critical infrastructure, highlighting the global scale of this threat.

The use of ransomware in IPB is particularly concerning. The FBI's 2022 report noted a significant number of ransomware attacks on critical infrastructure, often with the tacit approval of adversarial states. These attacks are not just financially motivated but serve broader strategic objectives.

As we approach the eighth anniversary of Russia's BlackEnergy malware attack on Ukraine's power grid, the lessons are clear. Understanding both the enemy and our own vulnerabilities is crucial, as Sun Tzu's "The Art of War" advises.

These attacks are a stark reminder of the new battleground in cybersecurity: protecting the critical infrastructure that underpins our society. The urgency to fortify our defenses against such threats has never been greater. A critical element is preventing social engineering attacks.

Blog post with links:

Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today

Cyber crime has become an arms race where the cybercriminals constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network.

Staying a step ahead may even involve becoming your own cyber crime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, shows you how to become a digital private investigator!

You'll learn:

  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing, and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization

Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it's too late!

Watch Now!

"Mr. Anon" Infostealer Attacks Start with a Fake Hotel Booking Query Email

This new attack is pretty simple to spot on the front, but should it be successful in launching the attached malicious code, it's going to take its victims for everything of value they have on their computer.

The new Mr. Anon infostealer captures much more than just browser caches and passwords. It also uses basic social engineering tactics that prove to be effective enough to make attacks successful.

It begins with a simple hotel booking email seemingly sent to the victim recipient by mistake, using a subject of "December Room Availability Query" and what appears to be a PDF booking attachment.

Once opened, the PDF pretends to need a Flash update, requiring the user to interact and launch the malicious attachment, which is a combination of a dotNET executable, embedded zip files, PowerShell scripts, and a downloaded payload – a python script.

This attack has a few interesting aspects to it. First is the social engineering tactics used. There's the email premise of the room request, but there's also a step when the python script is run: the attackers purposely display a window with the title "File Not Supported" and a status message reading "Not Run: python[dot]exe." to make the victim think the script never ran (helping to maintain a state of stealth).

There's also all the obfuscation done to evade detection. The malicious code is, in essence, the python executable. This file is packaged with cx_Freeze and has to be downloaded by code held within a zip file that is, in turn, embedded within the exe attachment, all to avoid detection. The use of PowerShell itself is another step in attempting to avoid detection, given it's a part of the Windows OS.

Lastly, there's the actual infostealer capabilities of this attack. The Mr. Anon infostealer captures more info than most of its predecessors:

  • Browser data
  • Desktop-based digital wallets
  • Password or connection-related browser extensions
  • Messages
  • VPN clients
  • Browser-based digital wallets
  • Data from within 26 different file types

Any data gathered is compressed into a single zip file and then uploaded to a public file-sharing website.

Because users habitually maintain passwords to cloud-based corporate resources within their browsers, it's necessary to protect against this attack by educating users through new-school security awareness training on how to spot this attack and avoid engaging with included attachments or links.
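The attachment in this lure is an executable dressed up as a PDF booking document. As an added example (this is not code from the original post, from KnowBe4 or from the Mr. Anon analysis), the Python script below shows the kind of offline triage a mail-security or IR team can run on a reported message: it pulls every attachment out of a raw RFC 5322 message and flags the tell-tale patterns, a file whose magic bytes say "PE executable" while its name or MIME type says "PDF", a double extension, or a real PDF carrying /Launch, /JavaScript or /OpenAction entries (the mechanism behind a "you need to update Flash" prompt). The sample message, its addresses and the "MZ" stub attachment are all constructed placeholders.

```python
"""Offline triage of e-mail attachments (added example, not the page's own code).
Flags the attachment patterns seen in document-lookalike lures such as the
Mr. Anon hotel-booking e-mail. The sample message is constructed and the
'MZ' attachment is a placeholder, not a real program."""
import email
from email import policy
from email.message import EmailMessage

# Magic bytes that identify the real file type regardless of name or MIME type
MAGIC = {
    b"MZ": "pe-executable",      # Windows .exe/.dll, including .NET assemblies
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".lnk"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
ZIP_BASED_EXT = {".zip", ".docx", ".xlsx", ".pptx", ".jar"}  # legitimately ZIP inside
# PDF features that can launch a program or run script when the file is opened
PDF_ACTIVE_CONTENT = [b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/EmbeddedFile"]


def sniff(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Return finding strings for one attachment; an empty list means nothing suspicious."""
    findings = []
    parts = (filename or "").lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    real = sniff(data)

    if ext in DANGEROUS_EXT:
        findings.append(f"executable/script extension {ext}")
    if len(parts) > 2 and ("." + parts[-2]) in DOCUMENT_EXT:
        findings.append("double extension disguising a file as a document")
    if real == "pe-executable":
        findings.append("content is a PE executable")
        if ext != ".exe" or "pdf" in content_type:
            findings.append(f"type mismatch: declared {content_type}/{ext or 'no ext'}, actual PE")
    if real == "pdf":
        hits = [t.decode() for t in PDF_ACTIVE_CONTENT if t in data]
        if hits:
            findings.append("PDF with active content: " + ", ".join(hits))
    if real == "zip" and ext not in ZIP_BASED_EXT:
        findings.append("ZIP container disguised with a different extension")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map attachment filename -> findings for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        report[fname] = triage_attachment(fname, part.get_content_type(), data)
    return report


def build_sample() -> bytes:
    """Constructed lookalike of the lure: a harmless 'MZ' stub named like a PDF."""
    msg = EmailMessage()
    msg["From"] = "reservations@example.invalid"   # placeholder sender
    msg["To"] = "victim@example.invalid"           # placeholder recipient
    msg["Subject"] = "December Room Availability Query"
    msg.set_content("Please see the attached booking request.")
    # Placeholder bytes that merely start with a PE header; this is not executable code.
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="Booking_Request.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample()).items():
        print(name, "->", findings or ["clean"])
```

Run on the constructed sample, the script reports the attachment four times over: executable extension, double extension, PE content, and a declared type (application/pdf) that does not match the bytes. In a real pipeline the raw message would come from the reporting mailbox or a PhishER-style queue rather than from build_sample(), and any attachment with findings would be quarantined before a user is asked to "update Flash".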

Blog post with links:

Buyer's Guide: Using SOAR in Your Automated Incident Response Plan

End users report emails they think could be malicious, resulting in a lot of alert noise your security teams must analyze. The question: how to effectively manage the volume of traffic and stop email threats that are truly malicious from reaching your employees' mailboxes in the first place?

A Security Orchestration, Automation and Response (SOAR) platform will help, but you need a roadmap to determine requirements, vet SOAR providers and properly plan deployments.

Paul Wagenseil from SC Media walks you through the process, using KnowBe4's PhishER platform as an example.

Get Your Copy Now:

New Remote "Job" Scam Tells Victims They'll Get Paid For Liking YouTube Videos

Researchers at Bitdefender warn that scammers are tricking victims with fake remote job opportunities. In this case, the scammers tell victims that they'll get paid for liking YouTube videos.

Notably, the scammers send the victims a small amount of money (around six dollars) to gain their trust. After this, the victim is invited to a Telegram channel, where the scammer offers to give them much higher-paying tasks if they pay an entry fee of between $21 and $1,083.

Nicolae Postolachi, Manager at Bitdefender's Cyber Threat Intelligence Lab, stated, "This is not the first time the scammers have tried to pitch this type of scam to consumers in search for extra income. What makes this campaign different from previous iterations is that victims actually get paid something, a highly successful tactic that earns their trust, and plays an important role in convincing the users to 'invest' in becoming VIP members that will help them earn even more easy money on simple tasks such as liking videos on YouTube."

Bitdefender offers some tips to help users avoid falling for phony job postings:

  • "Research the job listing and company to ensure that it is legitimate.
  • "Never share your bank details or other personally identifiable information with strangers. Even if the scammers make a small payment to you and then you figure out it's a scam, they now have your contact info, name and other details that can be used in future schemes in an attempt to defraud you.
  • "Never pay upfront to receive a job opportunity: a legitimate business will never ask you to pay your own money to receive a job. Anyone who asks you to is a scammer.
  • "Never trust job offers that sound too good to be true. A high-paying job for very little work or small expenses on your part is a huge red flag.
  • "Report and block the number. Do not engage in further communication with the individual.

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Kevin Mitnick received a very nice posthumous Lifetime Achievement Award:

PPS: I made it in the Top 25 Cybersecurity CEOs to Watch in 2024:

Quotes of the Week  
"Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for."
- Socrates - Philosopher (469 - 399 BC)

"Where there is shouting, there is no true knowledge."
- Leonardo da Vinci - Painter, Sculptor, Architect, Musician, Mathematician, Engineer, Inventor, Anatomist, Geologist, Cartographer, Botanist & Writer (1452 - 1519)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Seasonal Spam is a Business Problem, Too

Bitdefender warns that Christmas-themed spam has been steadily increasing since mid-November. Threat actors are exploiting the holidays to run a variety of scams.

"In our analysis of the 2023 Christmas scam agenda, we noticed that threat actors continue to take advantage of consumer trends, including online shopping and weakness towards heavy discounts as well as giveaways and freebies," Bitdefender says.

"With so many seasonal discounts and even legitimate online raffles, it's easy to see how the holidays give threat actors more favorable circumstances to deliver compelling lures to defraud users. Christmas-themed scam surveys are all about stealing your money and personal information.

"They promise you free gifts, money, and mystery presents that will arrive just in time for Christmas day if you just fill them out now."

The researchers add, "Our analysis has also revealed Christmas adaptations of your run-of-the-mill package deliveries, Crypto transactions, dating, and lottery scams. Threat actors also impersonated cryptocurrency exchange platform Binance to trick 'qualified' users into handing out their credentials for a chance to win a share of a $380,000 promotion by collecting 'all five unique Christmas Gift.'"

Bitdefender offers the following advice to help users avoid falling for these scams:

  • "Never share personally identifiable information in unsolicited correspondence you receive; this includes filling out surveys for prizes that require you to pay shipping fees.
  • "Never access links in correspondence that offers too-good-to-be-true deals or Christmas promotions.
  • "Always check the legitimacy of urgent emails and messages regarding undelivered packages or suspicious activity on your online accounts. You can do this by logging in to your account (via a dedicated app/web browser and NOT any embedded links in the email message).
  • "Use websites and platforms you know to conduct last-minute shopping or banking transactions.
  • "Install and use a security solution that detects and blocks phishing and fraudulent websites, and malware."

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Bitdefender has the story:

Cybercriminals Impersonate the UAE Government

Resecurity is tracking an SMS phishing (smishing) campaign by the cybercriminal Smishing Triad Gang. The crooks are impersonating the United Arab Emirates Federal Authority for Identity and Citizenship, targeting UAE residents and foreigners visiting the country.

"Resecurity has notified UAE law enforcement agencies (LEA) and cybersecurity agencies about detecting this malicious activity," the researchers write. "This notification was done to reduce the risks associated with the identity theft of millions of citizens and residents.

"During the holiday season, Resecurity noticed increased fraudulent activity, such as smishing, targeting users on mobile devices. This activity indicates the growing efforts by cybercriminals to steal consumers' identities worldwide. Considering this, Resecurity recommends that consumers increase their cybersecurity awareness and implement appropriate identity protection programs as a precautionary measure."

The researchers explain, "'[S]mishing' is a form of phishing (or deceptive contact) involving text message outreach. Smishing victims typically receive a misleading text message to lure recipients into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims."

Resecurity notes that the Smishing Triad Gang is using link shorteners to evade detection. "These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit[.]ly to randomize the links they send," the researchers write.

"This helps them protect the fake website's domain and hosting location. Resecurity observed that several harmful messages were sent to Apple iOS and Google Android mobile devices. Interestingly, these messages did not include any information about the sender.

"We believe the perpetrators might have used the Caller ID feature or one of the underground SMS spoofing or spam services to carry out this act."

Resecurity has the story:

What KnowBe4 Customers Say

"I was given Zach A.'s name as the KnowBe4 Customer Success Rep for our State. In our industry and others, it seems like "customer service" has become a title and not a deliverable. As our account contact, Zach stands out as an exception. One we are grateful for. We have an account that has support needs for our State government as well as 150 local governments.

We are dependent on KnowBe4, the platform and support, to meet our performance and service objectives. The amazing thing, when you have the time to step away from the grind and appreciate it, is that we never have to worry about it. The platform is terrific. Beyond that, whenever there is a need, regardless of the complexity of the request, we know Zach has it handled.

I wanted you to know we value the service Zach provides and the important role he plays in our success."

- S.T., Executive Director ISAC

"I just wanted to reach out and let you know how much I appreciate what KnowBe4 does. I have been using the Security Awareness Training part for a few years now and really like how it works and the content that you put out for it. I just did a short demo of the PhishER product and am once again impressed. Great work at KnowBe4!"

- L.J., IT Manager

And a nice acknowledgement for our fantastic Knowsters: The latest G2 Winter reports came out and not only did we again get Leaders for PhishER and KMSAT, but our overall customer review scores put us in the #4 spot (how serendipitous with our name) of TOP Companies by Score! Customers LOVE us and this is all based on independent reviews. This is a very interesting page:

Also, we've just released an update to the PhishER Plus datasheet so you can find everything related to both versions of PhishER in one PDF. The new datasheet is available at the existing link:

The 10 Interesting News Items This Week
  1. Meet Ashley, the world's first AI-powered political campaign caller. What could possibly go wrong?:
  2. 8 Strategies for Defending Against Help Desk Attacks:
  3. Iran-based women send IDF soldiers explicit photos in attempted honeypots:
  4. FBI: Play ransomware breached 300 victims, including critical orgs:
  5. AI will make 2024 U.S. elections a 'hot mess':
  6. FBI disrupts Blackcat ransomware operation, creates decryption tool. But cat & mouse game has tail:
  7. NYT Horror Story: "7 months inside an online scam labor camp.":
  8. Hacktivists boast: We shut down Iran's gas pumps today:
  9. API Security: The Big Picture:
  10. USD 300 million seized and 3,500 suspects arrested in international financial crime operation:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
