PROJET AUTOBLOG


Krebs on Security

Original site: Krebs on Security


Phishing Victims Muddle Tax Fraud Fight

Thursday, March 24, 2016 at 15:51

Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests.

According to data released this week by anti-fraud company iovation, the Internal Revenue Service is taking up to three times longer to review 2015 tax returns compared to past years.

Julie Magee, commissioner of Alabama’s Department of Revenue,  said much of the delay this year at the state level is likely due to new “fraud filters” the states have put in place with Gentax, a return processing and auditing system used by about half of U.S. state revenue departments. If the states can’t outright deny a suspicious refund request, they’ll very often deny the requested electronic bank deposit and issue a paper check to the taxpayer’s known address instead.

“Many states decided they weren’t going to start paying refunds until March 1, and on our side we’ve been using all our internal fraud resources and tools to analyze the tax return before we even put it in the queue,” Magee said. “That’s delaying refunds nationwide for the IRS and the states, and it’s pretty much going to also mean a helluva lot of paper checks are going out this year.”

The added fraud filters that states are employing take advantage of data elements shared for the first time this tax season by the major online tax preparation firms such as TurboTax. The filters look for patterns known to be associated with phony refund requests, such as how quickly the return was filed, or whether the same Internet address was seen completing multiple returns.

Magee said some of the states have been adding new fraud filters nearly every time they learn of another big breach involving large numbers of stolen or phished employee W2 data, a huge problem this tax season that is forcing dozens of companies large and small to disclose data breaches over the past few weeks.

“Every time we turn around getting a phone call about another breach,” Magee said. “Because of all the different breaches, the states and the IRS have been taking extreme measures to filter, filter, filter. And each time we’d get news of an additional breach, we’d start over, reprogram our fraud filters, and re-assess those returns that were not processed fully yet and those waiting to be processed.”

Magee said the Gentax software assigns each tax return a score for “wage confidence” and “identity confidence,” and that usually fraudulent tax refund requests have high wage confidence but low — if any — identity confidence. That’s because the fraudsters are filing refund requests on taxpayers for whom they already have stolen W2 information. The identity confidence in these cases is low often because the fraudsters are asking to have the money electronically deposited into an account that can’t be directly tied to the taxpayer, or they have incorrectly supplied some of the victim’s data.
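The two signals described above (velocity patterns such as a shared filing address or an implausibly fast completion, and the "high wage confidence, low identity confidence" pattern) can be combined into a simple triage rule. The following is an added illustration, not Gentax code or anything published by the states; the field names, thresholds, decision labels and the sample returns are all constructed for the example. It generalizes the text slightly by routing returns to one of three outcomes (deny, paper check, or direct deposit), matching the practice described of denying the electronic deposit when a return cannot be rejected outright.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Return:
    """One filed return, reduced to the signals a fraud filter might score (constructed fields)."""
    return_id: str
    filer_ip: str                      # address the return was submitted from
    seconds_to_complete: int           # time from session start to submission
    wages_match_employer_w2: bool      # wage confidence input: figures agree with the W-2 on file
    deposit_account_on_prior_return: bool   # identity confidence inputs: history tied to this taxpayer
    address_matches_prior_return: bool
    phone_or_email_on_prior_return: bool


# Thresholds are assumptions chosen for the example, not values used by any revenue department.
MAX_RETURNS_PER_IP = 3
MIN_SECONDS_TO_COMPLETE = 120
LOW_IDENTITY = 0.34      # at most one of three identity checks passed
WEAK_IDENTITY = 0.5      # fewer than two of three passed
HIGH_WAGE = 0.8


def wage_confidence(r: Return) -> float:
    """Stolen W-2 data gives fraudsters accurate wages, so this score is high for them too."""
    return 1.0 if r.wages_match_employer_w2 else 0.2


def identity_confidence(r: Return) -> float:
    """Share of identity checks that tie the filing back to the real taxpayer."""
    checks = [r.deposit_account_on_prior_return,
              r.address_matches_prior_return,
              r.phone_or_email_on_prior_return]
    return sum(checks) / len(checks)


def velocity_flags(returns: list[Return]) -> dict[str, list[str]]:
    """Per-return flags for the patterns the text names: shared IP and too-fast filing."""
    per_ip = Counter(r.filer_ip for r in returns)
    flags: dict[str, list[str]] = {}
    for r in returns:
        found = []
        if per_ip[r.filer_ip] > MAX_RETURNS_PER_IP:
            found.append("shared_ip")
        if r.seconds_to_complete < MIN_SECONDS_TO_COMPLETE:
            found.append("too_fast")
        flags[r.return_id] = found
    return flags


def triage(returns: list[Return]) -> dict[str, str]:
    """Decide per return: deny, pay by paper check to the known address, or allow direct deposit."""
    flags = velocity_flags(returns)
    decisions = {}
    for r in returns:
        wc, ic = wage_confidence(r), identity_confidence(r)
        if wc >= HIGH_WAGE and ic < LOW_IDENTITY and flags[r.return_id]:
            # The classic phished-W-2 pattern plus a velocity signal: reject the refund request.
            decisions[r.return_id] = "deny"
        elif ic < WEAK_IDENTITY or flags[r.return_id]:
            # Cannot reject outright: refuse the electronic deposit and mail a check instead.
            decisions[r.return_id] = "paper_check"
        else:
            decisions[r.return_id] = "direct_deposit"
    return decisions


# Constructed sample: four returns from one address in a documentation IP range, plus one ordinary filer.
SAMPLE_RETURNS = [
    Return("R1", "203.0.113.7", 45, True, False, True, False),
    Return("R2", "203.0.113.7", 50, True, False, False, False),
    Return("R3", "203.0.113.7", 600, True, False, False, False),
    Return("R4", "203.0.113.7", 700, True, True, True, True),     # shares the IP but identity checks pass
    Return("R5", "198.51.100.20", 1800, True, True, True, False),
]

if __name__ == "__main__":
    for rid, decision in triage(SAMPLE_RETURNS).items():
        print(rid, decision)
```

R4 shows the caveat the article's paper-check policy addresses: a household or office that shares an address will trip the velocity flag, so the response is to withhold the electronic deposit rather than deny the refund.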

“I have zero confidence that filings which match this pattern are legitimate,” Magee said. “It’s early still, but our new filtering system seems to be working. But it’s still a big unknown about the percentage of fraudulent refunds we’re not stopping.”

MORE W2 PHISHING VICTIMS

Most states didn’t start processing returns until after March 1, which is exactly when a flood of data breaches related to phished employee W2 data began washing up. As KrebsOnSecurity first warned in mid-February, thieves have been sending targeted phishing emails to human resources and finance employees at countless organizations, spoofing a message from the CEO requesting all employee W2’s in PDF format.

In Magee’s own state, W2 phishers hauled in tax data on an estimated 180 employees of ISCO Industries in Huntsville, and some 425 employees at the EWTN Global Catholic Network in Irondale, Ala. But those are just the ones that have been made public. Magee’s office only learned of those breaches after employees at the affected organizations reached out to journalists who then wrote about the compromises.

Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker Acronis; Kids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independence, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times.

TAX FRAUDSTERS GOING PRO?

Magee said Alabama and other states are dealing with a huge spike this year in fraudulent refund requests filed via criminals who use online software firms that specialize in selling e-filing services to tax professionals.

According to Magee, crooks first register with the IRS as “electronic return originators.” EROs are typically accountants or tax preparation firms authorized by the IRS to prepare and transmit tax returns for people and companies electronically. Magee said thieves have been registering as EROs and then buying tax preparation software and services from firms like PETZ Enterprises to push through large numbers of phony refund requests.

“The biggest move [in refund fraud] this year is in the so-called ‘professional services applications,’ which are being flagged in high rates this year for fraud,” Magee said. “And that’s not just Alabama. A great number of other states are seeing the same thing. We have always had fraud in that area, but we’re seeing significantly higher rates of fraud there now.”

Magee said tax software prep firms should be required to conduct more due diligence on their clients.

“In the state of Alabama, you need a license to cut someone’s hair, to be a barber or a cosmetologist, but anyone can become a tax preparation professional with no certification at all,” Magee said. “The software firms are where all the fraud is going now. The criminal becomes an ERO, and then he can just sit there all day and file an unlimited number of fraudulent returns.”

PETZ did not respond to requests for comment. But Stephen Ryan, a lobbyist for the industry group American Coalition for Taxpayer Rights, said states are free to regulate tax providers as they see fit.

“If there are facts that demonstrate there is a problem such as is being alleged about unscrupulous local preparers using professional software they license, the state certainly has the sovereign authority to prosecute or regulate this,” Ryan said. “If a specific source of fraud or crimes is being locally committed, that’s a pretty easy enforcement target to focus upon. And in the unlikely case a state doesn’t have that authority, they can seek it from their legislature.”

Look for additional stories in the coming days as part of a series on tax refund fraud in 2016. Next week, I’ll take a closer look at how thieves are exploiting know-your-customer weaknesses in the prepaid card industry to launder the proceeds from refund fraud and other schemes.

Spammers Abusing Trust in US .Gov Domains

Thursday, March 17, 2016 at 21:34

Spammers are abusing ill-configured U.S. dot-gov domains and link shorteners to promote spammy sites that are hidden behind short links ending in “usa.gov”.

Spam purveyors are taking advantage of so-called “open redirects” on several U.S. state Web sites to hide the true destination to which users will be taken if they click the link. Open redirects are potentially dangerous because they let spammers abuse the reputation of the site hosting the redirect to get users to visit malicious or spammy sites without realizing it.

For example, South Dakota has an open redirect:

http://dss.sd.gov/scripts/programredirect.asp?url=

…which spammers are abusing by appending the name of their own site to the end of the script. Here’s a link that uses this redirect to route you through dss.sd.gov and then on to krebsonsecurity.com. But this same redirect could just as easily be altered to divert anyone clicking the link to a booby-trapped Web site that tries to foist malware.

The federal government’s stamp of approval comes into the picture when spammers take those open redirect links and use bit.ly to shorten them. Bit.ly’s service automatically shortens any US dot-gov or dot-mil (military) site with a “1.usa.gov” shortlink. That allows me to convert the redirect link to krebsonsecurity.com from the ungainly….

http://dss.sd.gov/scripts/programredirect.asp?url=http://krebsonsecurity.com

…into the far less ugly and perhaps even official-looking:

http://1.usa.gov/1pwtneQ.

Helpfully, Uncle Sam makes available a list of all the 1.usa.gov links being clicked at this page. Keep an eye on that and you’re bound to see spammy links going by, as in this screen shot. One of the more recent examples I saw was this link — http:// 1.usa[dot]gov/1P8HfQJ# (please don’t visit this unless you know what you’re doing) — which was advertised via Skype instant message spam, and takes clickers to a fake TMZ story allegedly about “Gwen Stefani Sharing Blake Shelton’s Secret to Rapid Weight Loss.”

Spammers are using open redirects on state sites and bit.ly to make spammy domains like this one look like .gov links.


Unfortunately, a minute or so of research online shows that this exact issue was highlighted almost four years ago by researchers at Symantec. In October 2012, Symantec said it found that about 15 percent of all 1.usa.gov URLs were used to promote spammy messages. I’d be curious to know the current ratio, but I doubt it has changed much.

A story at the time about the Symantec research in Sophos’s Naked Security blog noted that the curator of usa.gov, the U.S. General Services Administration’s Office of Citizen Services and Innovative Technology, was working with bit.ly to filter out malicious or spammy links, pointing to an interstitial warning that bit.ly pops up when it detects a suspicious link is being shortened.

KrebsOnSecurity requested comment from both bit.ly and the GSA, and will update this post in the event that they respond.

I wanted to get a sense of how well bit.ly’s system would block any .gov redirects that sent users to known malicious Web sites. So I created .gov shortlinks using the South Dakota redirect, bit.ly, and the first page of URLs listed at malwaredomainlist.com — a site that tracks malicious links being used in active attacks.

The result? Bit.ly’s system allowed clicks on all of the shortened malicious links that didn’t end in “.exe,” which was most of them. It’s nice that bit.ly at least tries to filter out malicious links, but perhaps the better solution is for U.S. state and federal government sites to get rid of open redirects altogether.
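Getting rid of the open redirect, as suggested above, does not have to mean removing the redirect feature: the handler just has to refuse destinations it does not own. The following is an added example, not code from the South Dakota site or from bit.ly, and the allow-list of hosts, the function names and the sample inputs are assumptions made for illustration. The vulnerable function shows the behaviour of a `?url=` parameter that is forwarded as-is; the hardened one accepts only site-relative paths or allow-listed hosts and handles the usual bypass shapes (scheme-relative `//host`, backslashes, credentials before an `@`, and `http:host` with no slashes).

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is willing to send visitors to (constructed allow-list for the example).
ALLOWED_HOSTS = {"dss.sd.gov", "www.dss.sd.gov"}


def redirect_target_vulnerable(url_param: str) -> str:
    """The open-redirect pattern: whatever the query string says, the visitor is sent there."""
    return url_param


def redirect_target_hardened(url_param: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return a destination the site owns, or the default landing page if the parameter is untrusted."""
    if not url_param:
        return default
    # Browsers treat "/\evil" like "//evil", so normalize backslashes before parsing.
    candidate = url_param.replace("\\", "/")
    parts = urlsplit(candidate)
    # Only web schemes are ever acceptable; "http:evil.example" (no slashes) parses with an empty netloc
    # and a non-absolute path, so it falls through to the path check below and is rejected there.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        host = (parts.hostname or "").lower()
        # Reject "trusted.gov@attacker" style userinfo and any host not on the allow-list.
        if "@" in parts.netloc or host not in allowed_hosts:
            return default
        # Rebuild the URL from the parsed pieces so stray fragments or ports do not leak through.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # No host at all: accept only an absolute, site-relative path (not "//", which is scheme-relative).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


# Constructed inputs of the kind a redirect endpoint receives; the first is the shape described in the article.
SAMPLE_INPUTS = [
    "http://krebsonsecurity.com",
    "//krebsonsecurity.com/x",
    "/\\krebsonsecurity.com",
    "http://dss.sd.gov@krebsonsecurity.com/",
    "http:krebsonsecurity.com",
    "ftp://dss.sd.gov/x",
    "https://dss.sd.gov/programs/snap?x=1",
    "/programs/snap",
    "",
]

if __name__ == "__main__":
    for url in SAMPLE_INPUTS:
        print(f"{url!r:45} vulnerable -> {redirect_target_vulnerable(url)!r:45} hardened -> {redirect_target_hardened(url)!r}")
```

Because the shortener only sees the dss.sd.gov hostname when it mints a 1.usa.gov link, no amount of filtering at bit.ly can tell a legitimate redirect from an abused one; rejecting off-site destinations at the redirect itself removes the problem at its source.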

The warning that bit.ly sometimes pops up if you try to shorten known, malicious links.


I generally don’t trust shortened links, and have long relied on the Unshorten.it extension for Google Chrome, which lets users unshorten any link by right clicking on it and selecting “unshorten this link”. Unshorten.it also pulls reputation data on each URL from Web of Trust (WOT).

Fun fact: Adding a “+” to the end of any link shortened with bit.ly will take you to a page on bit.ly that displays the actual link that was shortened.

How do you respond to shortened links? Sound off in the comments below.

Thieves Phish Moneytree Employee Tax Data

Wednesday, March 16, 2016 at 16:30

Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists.

Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”

“Moneytree was apparently targeted by a scam in which the scammer impersonated me and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.

The message continued:

“Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”

A woman who answered a Moneytree phone number listed in the email confirmed the veracity of the co-founder’s message to employees, but would not say how many employees were notified. According to the company’s profile on Yellowpages.com, Moneytree Inc. maintains a staff of more than 1,200 employees. The company offers check cashing, payday loan, money order, wire transfer, mortgage, lending, prepaid gift cards, and copying and fax services.

Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February.  Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.

I’m working on a separate piece that examines the breadth of damage done this year by W2 phishing schemes. Just based on the number of emails I’ve been forwarded from readers who say they were similarly notified by current or former employers, I’d estimate there are hundreds — if not thousands — of companies that fell for these phishing scams and exposed their employees to all manner of identity theft.

W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.

Tax refund fraud victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS. To learn more about tax refund scams and how best to avoid becoming the next victim, check out this story.

For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the difference between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).

“When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong,” Bassford’s email concluded. “To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again.”

From Stolen Wallet to ID Theft, Wrongful Arrest

Monday, March 14, 2016 at 14:14

It’s remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim’s wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.

The guy police say stole Miller's wallet and got him wrongfully arrested was himself apprehended earlier this month.


On the morning of Feb. 20, Lance Miller was arrested in front of his two children by local sheriffs in Golden, Colo. Miller, a managing partner at cybersecurity recruitment firm Curity, had discovered his wallet was missing three days prior to his arrest, reported it to the local police and canceled his credit cards. In the meantime someone had drained his checking account of approximately $5,000, and maxed out his credit cards for almost another $5,000.

“I was standing there in front of my kids saying, ‘You guys are crazy. Do I look like a burglar?'” Miller recalled. “The cop goes, ‘Well, I don’t know what a burglar looks like,’ and they put me in cuffs and in the car.”

Miller said it wasn’t until the 30-minute, handcuffed drive to the police station that the local police and the local sheriff’s office began comparing notes, discovering in the process that they’d grabbed the wrong guy and removing the cuffs. Miller soon learned the thief who’d stolen his wallet had impersonated him during multiple traffic stops. A car the impostor was driving also was spotted speeding away from the scene of a burglary, but Miller said the police in that case didn’t give chase because it wasn’t a violent crime.

“He started doing all kinds of stuff, and when he got pulled over he gave them my ID,” Miller said. “The first time he got pulled over and gave them my ID he was riding shotgun in a car with stolen plates that hadn’t yet been reported stolen. They let the guy go that night but then came and arrested me the next morning.”

Miller’s arrest came less than 24 hours after the local Arvada Police Department called to alert him that someone had tried to use his credit card at a nearby bank. Not long after that, a fuel station owner called the cops after getting suspicious about a customer and writing down his license plates.

“When we got to the [police] station, the police chief met me in the parking lot and apologized, then brought me 3 cups of coffee,” Miller said.

According to Miller, the police eventually arrested the guy suspected of stealing his wallet and other crimes that were previously pinned on Miller. The authorities now believe the man responsible is one John Tyler Waldorf, a 37-year-old suspect who had at least 16 warrants for his arrest pending in surrounding counties in connection with burglary and other alleged offenses.

Miller said investigators told him that Waldorf was suspected of associating with a white supremacist crime ring involved in identity theft, drug dealing and serial burglary.

“When these guys are not in prison, they’re expected to earn for the gang,” Miller said. “And apparently one of the best earning methods for these guys is ID theft.”

Louisville, Colo. police issued a bulletin explaining that Waldorf and his associates were known to have entered unlocked vehicles in the driveways of local residences and grabbed the garage door openers to the homes. “The suspect(s) entered the homes through the garage doors and stole items of value,” the police explained. “Both homes were occupied during the burglaries.”

Miller allows that the thieves in his case didn’t need to open the garage or enter his home: He’d absent-mindedly left his wallet in the car overnight while the vehicle was parked in the open garage. He now vows to tighten up his personal security habits.

“We live in a pretty nice area, and I got lulled into the idea that the garage was safe,” he said. “But in the end, it’s all on me. I’m an infosec guy, and if I can’t practice better operational security like that at my house, I should get the hell out of this industry.”

If your wallet or purse is lost or stolen, it’s a good idea to do most, if not all, of these things:

- File a police report as soon as possible to establish a record of the loss. If possible, get a physical copy of the police report at some point. You may be able to file a report and obtain a copy of it online, or you may have to go down to the local police station and pay a small administrative fee to get a copy. Either way, this report can be very useful in getting you a freeze on your credit file or an extended fraud alert at no cost if you decide to do that down the road.

- Contact your bank and report any checks or credit/debit cards lost or stolen. Most banks issue credit and debit cards with “zero liability” provisions, meaning you’re not on the hook for fraudulent charges or withdrawals, provided you report them promptly. The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.

- Contact one of the major credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) and at the very least ask to put a fraud alert on your file, to prevent identity theft in the future. By law, the one you alert has to share the alert with the other three. The initial fraud alert stays on for 90 days. If you have that police report handy, you can instead request an extended fraud alert, which stays in effect for seven years.

- Fraud alerts are okay, but consider placing a security freeze on your credit file with the major bureaus. For more on the importance of a security freeze, check out How I Learned to Stop Worrying and Embrace the Security Freeze.

- Order a free copy of your credit report from one of the major bureaus. By law, you are entitled to a free report from each of the bureaus once a year. The only real free place to get your report is via the site mandated by the federal government: annualcreditreport.com.

Hackers Target Anti-DDoS Firm Staminus

Friday, March 11, 2016 at 07:47

Staminus Communications Inc., a California-based Internet hosting provider that specializes in protecting customers from massive “distributed denial of service” (DDoS) attacks aimed at knocking sites offline, has itself apparently been massively hacked. Staminus’s entire network was down for more than 20 hours until Thursday evening, leaving customers to vent their rage on the company’s Facebook and Twitter pages. In the midst of the outage, someone posted online download links for what appear to be Staminus’s customer credentials, support tickets, credit card numbers and other sensitive data.

The e-zine posted online Thursday following an outage at Staminus Communications.


Newport Beach, Calif.-based Staminus first acknowledged an issue on its social media pages because the company’s Web site was unavailable much of Thursday.

“Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable,” Staminus wrote to its customers. “Our technicians quickly began working to identify the problem. We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery.”

Staminus now says its global services are back online, and that ancillary services are being brought back online. However, the company’s Web site still displays a black page with a short message directing customers to Staminus’s social media pages.

Meanwhile, a huge trove of data appeared online Thursday, in a classic “hacker e-zine” format entitled, “Fuck ’em all.” The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.

Frustrated Staminus customers vent on the company's Facebook page.


The authors of this particular e-zine indicated that they seized control over most or all of Staminus’s Internet routers and reset the devices to their factory settings. They also accuse Staminus of “using one root password for all the boxes,” and of storing customer credit card data in plain text, which is a violation of payment card industry standards.

Staminus so far has not offered any additional details about what may have caused the outage, nor has it acknowledged any kind of intrusion. Several Twitter accounts associated with people who claim to be Staminus customers frustrated by the outage say they have confirmed seeing their own account credentials in the trove of data dumped online.

I’ve sent multiple requests for comment to Staminus, which is no doubt busy with more pressing matters at the moment. I’ll update this post in the event I hear back from them.

It is not unusual for attackers to target Anti-DDoS providers. After all, they typically host many customers whose content or message might be offensive — even hateful — speech to many. For example, among the company’s many other clients is kkk-dot-com, the official home page of the Ku Klux Klan (KKK) white supremacist group. In addition, Staminus appears to be hosting a large number of internet relay chat (IRC) networks, text-based communities that are often the staging grounds for large-scale DDoS attack services.