Tax-return fraudsters usually strike early in the year, when they can turn victims' personal information into fraudulent refund claims. But members of Akamai's threat research team have spotted a recent rise in "off-season" phishing attacks impersonating the Internal Revenue Service (IRS), targeting over 100,000 people. The attackers used at least 289 different domains hosting fake IRS sites, most of them legitimate websites that had been compromised. This wave of attacks came as the October 15 deadline approached for taxpayers who had filed for an extension.
According to a post by Akamai's Or Katz, the phishing campaigns began in the second half of August, with most victims targeted between August 22 and September 5, and they resumed in early October. Each of the fake websites used visually identical HTML pages, but each copy carried randomly generated style tags and other filler content in an attempt to evade signature-based detection by security software: a whole-page hash or byte-level signature written for one copy will not match the next.
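The randomised style tags Katz describes defeat detection that fingerprints a page by its raw bytes. The following added example (written for this page, not code from Akamai or from the campaign) shows one way detection can be made robust to that trick: reduce the page to its tag-and-form skeleton (tag order, form action/method, input names, visible text) and hash that instead, so copies that differ only in style content and cosmetic attributes collapse to one signature. The page templates, the variant generator and the "known kit" signature set are all constructed for illustration.

```python
import hashlib
import random
from html.parser import HTMLParser

# Constructed phishing-page template (illustrative, not a page from the
# campaign): identical structure and visible text in every copy, but each
# copy gets its own random <style> body and a random class name.
PAGE_TEMPLATE = """<html><head><title>Refund</title>
<style>{style}</style></head>
<body><div class="{cls}"><form action="/submit.php" method="post">
<label>SSN</label><input name="ssn">
<label>Date of birth</label><input name="dob">
<input type="submit" value="Claim refund">
</form></div></body></html>"""

# Constructed benign page with a different form, used as a negative case.
BENIGN_PAGE = """<html><head><title>Contact</title><style>p{margin:0}</style></head>
<body><form action="/contact" method="post"><input name="email">
<input type="submit" value="Send"></form></body></html>"""


def make_variant(seed):
    """Emit one copy of the phishing page with random style/class noise,
    mimicking the per-copy randomisation described in the article."""
    rng = random.Random(seed)
    style = ".x%d{color:#%06x}" % (rng.randrange(10**6), rng.randrange(16**6))
    cls = "c%d" % rng.randrange(10**9)
    return PAGE_TEMPLATE.format(style=style, cls=cls)


class SkeletonParser(HTMLParser):
    """Reduce a page to tokens that describe what it does rather than how it
    looks: tag names in document order, the attributes that matter for a
    credential-harvesting form, and normalised visible text. <style> and
    <script> bodies and cosmetic attributes (class, id, style) are dropped."""

    KEEP_ATTRS = {"name", "action", "method", "type"}

    def __init__(self):
        super().__init__()
        self.tokens = []
        self._skip = 0  # >0 while inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
            return
        kept = sorted((k, v) for k, v in attrs if k in self.KEEP_ATTRS)
        self.tokens.append(tag + "".join("[%s=%s]" % kv for kv in kept))

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip -= 1
            return
        self.tokens.append("/" + tag)

    def handle_data(self, data):
        if self._skip or not data.strip():
            return
        self.tokens.append("text:" + " ".join(data.split()).lower())


def page_hash(html):
    """Naive whole-page signature: changes with every randomised copy."""
    return hashlib.sha256(html.encode()).hexdigest()


def skeleton_hash(html):
    """Structural signature: stable across copies that differ only in noise."""
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("|".join(parser.tokens).encode()).hexdigest()


# Hypothetical signature set: one skeleton hash learned from a single
# captured copy of the kit is enough to match every later variant.
KIT_SIGNATURES = {skeleton_hash(make_variant(0))}


def is_known_kit(html):
    return skeleton_hash(html) in KIT_SIGNATURES


if __name__ == "__main__":
    a, b = make_variant(1), make_variant(2)
    print("byte hashes equal:    ", page_hash(a) == page_hash(b))
    print("skeleton hashes equal:", skeleton_hash(a) == skeleton_hash(b))
    print("variant flagged:      ", is_known_kit(b))
    print("benign flagged:       ", is_known_kit(BENIGN_PAGE))
```

The trade-off is the usual one for structural signatures: the skeleton is robust to cosmetic noise, but a kit author who reorders inputs or renames form fields will change it, so in practice the skeleton hash is one feature alongside others (form action targets, the brand named in the visible text) rather than the only test.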
Most of the domains were active for less than 20 days, but a significant number remained active for more than a month, unnoticed by the site owners. "The lack of maintenance for older sites, as well as the challenges of patching and deleting injected content, explains how long phishing sites can remain active," Katz wrote.
This is in line with phishing-infrastructure research by Ars as well as other research by Akamai. Because of their age, and the inattention of owners who often pay someone to set a site up and then never maintain it, older sites running outdated versions of WordPress and other content management systems are a prime target for phishing operators: they carry a higher reputation score than newly minted domains, which reputation-based filters are therefore less likely to block. Depending on the degree of compromise, the attackers may even be able to create subdomains on the site and obtain their own TLS certificates for the phishing page.
With these scams now circulating year-round, it's a good idea to remind friends and family that the IRS will not email or call you about back taxes or any other matter; those notifications are sent on paper, usually by certified mail. So don't click.