Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections.

Tax refund fraud affects hundreds of thousands — if not millions — of U.S. citizens annually. It starts when crooks submit your personal data to the IRS and claim a refund in your name, but have the money sent to an account or address you don’t control.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The IRS’s preferred method of protecting tax refund victims from getting hit two years in a row — the Identity Protection (IP) PIN — has already been mailed to some 2.7 million tax ID theft victims. The six-digit PIN must be supplied on the following year’s tax application before the IRS will accept the return as valid.

As I’ve noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax.  These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS.

Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. 

“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”

Wittrock said she called the toll-free number for the IRS that was printed on the identity theft literature she received from the year before.

“I tried to e-file this weekend and the return was rejected,” Wittrock said. “I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”

Wittrock said that to verify herself to the IRS representative, she had to regurgitate a litany of static data points about herself, such as her name, address, Social Security number, birthday, how she filed the previous year (married/single/etc), whether she claimed any dependents and if so how many. 

“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.'”

According to Wittrock, the IRS representative shared that the agency wouldn’t be relying on IP PINs for long.

“He said, ‘We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification’,” she recalled. “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.”

Interestingly, the IRS’s own failure to use anything close to modern authentication methods may have contributed to Wittrock’s original victimization. From January 2014 to May 2015, the IRS allowed anyone to access someone else’s previous year’s W-2 forms, just by supplying the taxpayer’s name, date of birth, Social Security number, address, and the answers to easy-to-guess-or-Google KBA questions.

The IRS killed the Get Transcript function in May 2015 after it was revealed (first on this blog) that crooks were abusing it to hijack consumer identities and refunds. But here’s the problem: the agency requires IP PIN holders seeking a copy of their PIN to jump through the exact same flawed authentication process that afflicted its now-defunct Get Transcript service.

According to the IRS, at least 724,000 citizens had their tax data stolen through the IRS’s Get Transcript feature between January 2014 and May 2015. This may in fact be a lowball number: The IRS previously said the number of those affected was 334,000, figures that were sharply revised from an initial estimate of 110,000 taxpayers.

The IRS did not respond to requests for comment for this story. But in a related story by Quartz last year, the IRS said access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” However, this may be of small solace to taxpayers who had their tax and income data stolen directly from the IRS in the first place.

The IRS told Quartz that taxpayers who use IP PINs will be sent a new one in the mail each year, prior to each tax season—making it much harder for an identity thief to access this information.

“That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN,” Keith Collins wrote. “The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”

I suppose time will tell how swiftly the IRS is moving to respond to suspicious IP PIN activity. In the meantime, if you’d like to know more about tax ID theft and what you can do to minimize your chances of becoming the next victim, check out Don’t Be a Victim of Tax Fraud in ’16.

The U.S. Internal Revenue Service (IRS) today sharply revised previous estimates on the number of citizens that had their tax data stolen since 2014 thanks to a security weakness in the IRS’s own Web site. According to the IRS, at least 724,000 citizens had their personal and tax data stolen after crooks figured out how to abuse a (now defunct) IRS Web site feature called “Get Transcript” to steal victim’s prior tax data.

The number is more than double the figures the IRS released in August 2015, when it said some 334,000 taxpayers had their data stolen via authentication weaknesses in the agency’s Get Transcript feature.

Turns out, those August 2015 estimates were more than tripled from May 2015, when the IRS shut down its Get Transcript feature and announced it thought crooks had abused the Get Transcript feature to pull previous year’s tax data on just 110,000 citizens.

In a statement released today, the IRS said a more comprehensive, nine-month review of the Get Transcript feature since its inception in January 2014 identified the “potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014 through May 2015.”

The IRS said an additional 295,000 taxpayer transcripts were targeted but access was not successful, and that mailings notifying these taxpayers will start February 29. The agency said it also is offering free credit monitoring through Equifax for affected consumers, and placing extra scrutiny on tax returns from citizens with affected SSNs.

The criminal Get Transcript requests fuel refund fraud, which involves crooks claiming a large refund in the name of someone else and intercepting the payment. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

As I warned in March 2015, the flawed Get Transcript function at issue required taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS’s site with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data was successfully supplied, the IRS used a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers could see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried. The IRS said it identified some 1.3 million attempts to abuse the Get Transcript service since its inception in January 2014; in 724,000 of those cases the thieves succeeded in answering the KBA questions correctly.

The IRS’s answer to tax refund victims — the Identity Protection (IP) PIN — is just as flawed as the now defunct Get Transcript system. These IP PINS, which the IRS has already mailed to some 2.7 million tax ID theft victims, must be supplied on the following year’s tax application before the IRS will accept the return.

The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to the same type of KBA questions from Equifax that opened the Get Transcript feature to exploitation by fraudsters.  These KBA questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

ID thieves understand this all to well, and even a relatively unsophisticated gang engaged in this activity can make millions via tax refund fraud. Last week, a federal grand jury in Oregon unsealed indictments against three men accused of using the IRS’s Get Transcript feature to obtain 1,200 taxpayers transcripts. In total, the authorities allege the men filed over 2,900 false federal tax returns seeking over $25 million in fraudulent refunds.  The IRS says it rejected most of those claims, but that the gang managed to successfully obtain $4.7 million in illegal refunds.

HOW BAD WAS IT OVERALL IN 2015?

The IRS hasn’t officially released numbers on how much tax refund fraud it saw overall in 2015, but in response to questions from KrebsOnSecurity it offered figures on how many fraudulent returns it detected and blocked last year.

“In calendar year 2015, the IRS rejected or suspended the processing of 4.8 million suspicious returns. The IRS stopped 1.4 million confirmed identity theft returns, totaling $8.7 billion,” the agency said in a statement. “Additionally, in calendar year 2015, the IRS stopped $3.1 billion worth of refunds in other types of fraud. That’s a total of $11.8 billion in confirmed fraudulent refunds protected.”

Again, these numbers do not reflect how many fraudulent refunds were paid out in calendar year 2015 due to ID theft, and as we can see with the numbers tied to the Get Transcript fiasco these numbers have a way of changing upward over time significantly. I mention that because something about these numbers doesn’t seem to square with figures previously released by the Government Accountability Office and the Federal Trade Commission.

Last month, the FTC said it saw an almost 50 percent spike in ID theft claims in 2015, a jump that was thanks largely to a huge uptick in consumer reports of tax refund fraud. Likewise, a report by the IRS last year indicates that between Jan. 1, 2015 and Sept. 30, 2015, the IRS saw more than 600,000 incidents of ID tax-related ID theft, up more than 50 percent over 2014, and 30 percent over 2013.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.

Notifying people and companies about data breaches often can be a frustrating and thankless job. Despite my best efforts, sometimes a breach victim I’m alerting will come away convinced that I am not an investigative journalist but instead a scammer. This happened most recently this week, when I told a California credit union that its online banking site was compromised and apparently had been for nearly two months.

On Feb. 23, I contacted Coast Central Credit Union, a financial institution based in Eureka, Calif. that serves more than 60,000 customers. I explained who I was, how they’d likely been hacked, how they could verify the hack, and how they could fix the problem. Two days later when I noticed the site was still hacked, I contacted the credit union again, only to find they still didn’t believe me.

News of the compromise came to me via Alex Holden, a fellow lurker in the cybercrime underground and founder of Hold Security [full disclosure: While Holden’s site lists me as an advisor to his company, I receive zero compensation for that role]. Holden told me that crooks had hacked the credit union’s site and retrofitted it with a “Web shell,” a simple backdoor program that allows an attacker to remotely control the Web site and server using nothing more than a Web browser.

The credit union’s switchboard transferred me to a person in Coast Central’s tech department who gave his name only as “Vincent.” I told Vincent that the credit union’s site was very likely compromised, how he could verify it, etc. I also gave him my contact information, and urged him to escalate the issue. After all, I said, the intruders could use the Web shell program to upload malicious software that steals customer passwords directly from the credit union’s Web site. Vincent didn’t seem terribly alarmed about the news, and assured me that someone would be contacting me for more information.

This afternoon I happened to reload the login page for the Web shell on the credit union’s site and noticed it was still available. A call to the main number revealed that Vincent wasn’t in, but that Patrick in IT would take my call. For better or worse, Patrick was deeply skeptical that I was not impersonating the author of this site.

I commended him on his wariness and suggested several different ways he could independently verify my identity. When asked for a contact at the credit union that could speak to the media, Patrick said that person was him but declined to tell me his last name. He also refused to type in a Web address on his own employer’s Web site to verify the Web shell login page.

“I hope you do write about this,” Patrick said doubtfully, after I told him that I’d probably put something up on the site today about the hack. “That would be funny.”

Exasperated, I told Patrick good luck and hung up. Thankfully, I did later hear from Ed Christians, vice president of information systems at Coast Central. Christians apologized for the runaround and said everyone in his department were regular readers of KrebsOnSecurity. “I was hoping I’d never get a call from you, but I guess I can cross that one off my list,” Christians said. “We’re going to get this thing taken down immediately.”

The credit union has since disabled the Web shell and is continuing to investigate the extent and source of the breach. There is some evidence to suggest the site may have been hacked via an outdated version of Akeeba Backup — a Joomla component that allows users to create and manage complete backups of a Joomla-based website. Screen shots of the files listed by the Web shell planted on Coast Central Credit Union indeed indicate the presence of Akeeba Backup on the financial institution’s Web server.

A Web search on one backdoor component that the intruders appear to have dropped on the credit union’s site on Dec. 29, 2015 — a file called “sfx.php” — turns up this blog post in which Swiss systems engineer Claudio Marcel Kuenzler described his investigation of a site that was hacked through the Akeeba Backup function.

“The file was uploaded with a simple GET request by using a vulnerability in the com_joomlaupdate (which is part of Akeeba Backup) component,” Kuenzler wrote, noting that there is a patch available for the vulnerability.

These Web shell components are extremely common, have been around for years, and are used by online miscreants for a variety of tasks — from selling ad traffic and spreading malware to promoting malicious and spammy Web sites.

It’s not clear yet whether the hackers who hit the credit union’s site did anything other than install the backdoor, but Kuenzler wrote that in his case the intruders indeed used their access to relay spam. The attackers could just have easily booby-trapped the credit union’s site to foist malicious software disguised as a security update when customers tried to log in at the site.

Holden said he’s discovered more than 13,000 sites that are currently infected with Web shells just like the one that hit Coast Central Credit Union, and that the vast majority of them are Joomla and WordPress blogs that get compromised through outdated and insecure third-party plugins for these popular content management systems. Worse yet, all of the 13,000+ backdoored sites are being remotely controlled with the same username and password.

“It’s a bot,” he said of the self-replicating malware used to deploy the Web shell that infested the credit union’s site. “It goes and exploits vulnerable sites and installs a backdoor with the same credentials.”

Holden said his company has been reaching out to the affected site owners, but that it hasn’t had much luck getting responses. In any case, Holden said he doesn’t relish the idea of dealing with pushback and suspicion from tons of victims.

“To be fair, most vulnerable sites belong to individuals or small companies that do not have contacts, and a good portion of them are outside of US,” Holden said. “We try to find owners for some but very few reply.”

If you run a Web site, please make sure to keep your content management system up to date with the latest patches, and don’t put off patching or disabling outdated third-party plugins. And if anyone wants to verify who I am going forward, please feel free contact me through this site, via encrypted email, or through Wickr (I’m “krebswickr”).

With tax filing season in the United States well underway, scammers who specialize in tax refund fraud have a new trick up their sleeves: Spoofing emails from a target organization’s CEO, asking human resources and accounting departments for employee W-2 information.

Stu Sjouwerman, chief executive at security awareness training company KnowBe4, told KrebsOnSecurity that earlier this week his firm’s controller received an email designed to look like it was sent by Sjouwerman requesting a copy of all employee W-2 forms for this year (full disclosure: KnowBe4 is an advertiser on this site). The email read:

“Alanna,

I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

Stu”x

Turns out, KnowBe4 just hired a new chief financial officer. The controller answered that she didn’t have access to that information, but that the new CFO could help. Sjourwerman said an analysis of the email headers showed the phishers used someone’s GoDaddy email server and the return address was not associated with the company.

“Our CFO had just stepped through all of our awareness training and smelled something phishy,” Sjourwerman said. “The two of them walked up to me and asked if I had requested a PDF with all W-2’s. Obviously, I hadn’t, and congratulated them on a good catch. But imagine if we would have sent off those W-2’s! It would have opened up our employees to identity theft because the W-2’s have their full name, address, wages and Social Security number.”

Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. Indeed, scam artists involved in refund fraud stole W-2 information on more than 330,000 people last year directly from the Web site of the Internal Revenue Service (IRS). Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints last year. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.

Many readers have asked for a primer summarizing the privacy and security issues at stake in the the dispute between Apple and the U.S. Justice Department, which last week convinced a judge in California to order Apple to unlock an iPhone used by one of assailants in the recent San Bernardino massacres. I don’t have much original reporting to contribute on this important debate, but I’m visiting it here because it’s a complex topic that deserves the broadest possible public scrutiny.

A federal magistrate in California approved an order (PDF) granting the FBI permission to access to the data on the iPhone 5c belonging to the late terror suspect Syed Rizwan Farook, one of two individuals responsible for a mass shooting in San Bernadino on Dec. 2, 2015 in which 14 people were killed and many others were injured.

Apple CEO Tim Cook released a letter to customers last week saying the company will appeal the order, citing customer privacy and security concerns.

Most experts seem to agree that Apple is technically capable of complying with the court order. Indeed, as National Public Radio notes in a segment this morning, Apple has agreed to unlock phones in approximately 70 other cases involving requests from the government. However, something unexpected emerged in one of those cases — an iPhone tied to a Brooklyn, NY drug dealer who pleaded guilty to selling methamphetamine last year.

NPR notes that Apple might have complied with that request as well, had something unusual not happened: Federal Magistrate Judge James Orenstein did not sign the order the government wanted, but instead went public and asked Apple if the company had any objections.

“The judge seemed particularly skeptical that the government relied in part on an 18th-century law called the All Writs Act,” reports NPR’s Joel Rose. “Prosecutors say it gives them authority to compel private companies to help carry out search warrants.”

Nevertheless, Apple is resisting this latest order, citing the precedent that complying might set, Apple’s CEO claims.

“We have great respect for the professionals at the FBI, and we believe their intentions are good,” Cook wrote. “Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”

Cook continued: “The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

In a letter posted to Lawfare.com and the FBI’s home page, FBI Director James Comey acknowledged that new technology creates serious tensions between privacy and safety, but said this tension should be resolved by the U.S. courts — not by the FBI or by Apple.

“We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly,” Comey said. “That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land. I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.”

According to the government, Apple has the capability to bypass the password on some of its devices, and can even disable an iPhone’s optional auto-erase function that is set to delete all data on the phone after some number of tries (the default is 10).

The iPhone at issue was an iPhone 5C, but it was running Apple’s latest operating system, iOS 9 (PDF), which prompts users to create six digit passcode for security. Since iOS 9 allows users to set a 4-digit, 6-digit or alphanumeric PIN, cracking the passcode on the assailant’s iPhone could take anywhere from a few hours to 5.5 years if the FBI used tools to “brute-force” the code and wasn’t hampered by the operating system’s auto-erase feature. That’s because the operating system builds in a tiny time delay between each guess, rendering large scale brute-force attacks rather time-consuming and potentially costly ventures.

In an op-ed that ran in The Washington Post on Feb. 18, noted security expert and cryptographer Bruce Schneier notes that the authority the U.S. government seeks is probably available to the FBI if the agency wants to spring for the funding to develop the capability itself, and that the FBI sees this as a privacy vs. security debate, while the tech community sees it as a security vs. surveillance debate.

“There’s nothing preventing the FBI from writing that hacked software itself, aside from budget and manpower issues,” Schneier wrote. “There’s every reason to believe, in fact, that such hacked software has been written by intelligence organizations around the world.”

Schneier said what the FBI wants to do would make us less secure, even though it’s in the name of keeping us safe from harm.

“The danger is that the court’s demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized,” Schneier wrote. “The FBI may be targeting the iPhone of the San Bernardino shooter, but its actions imperil us all.”

Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), said the same logic behind what the FBI seeks could just as easily apply to a mandate forcing Microsoft, Google, Apple, and others to push malicious code to a device through automatic updates when the device isn’t yet in law enforcement’s hand.

“The request to Apple is accurately paraphrased as ‘Create malcode designed to subvert security protections, with additional forensic protections, customized for a particular target’s phone, cryptographically sign that malcode so the target’s phone accepts it as legitimate, and run that customized version through the update mechanism’,” Weaver wrote.

Apple appears ready to fight this all the way to the Supreme Court. If the courts decide in the government’s favor, the FBI won’t soon be alone in requesting this authority, Weaver warns.

“Almost immediately, the National Security Agency is going to secretly request the same authority through the Foreign Intelligence Surveillance Court (FISC),” Weaver wrote. “How many honestly believe the FISC wouldn’t rule in the NSA’s favor after the FBI succeeds in getting the authority?”

This debate will almost certainly be decided in the courts, perhaps even by the U.S. Supreme Court. In the meantime, lawmakers in Washington, D.C. are already positioning themselves to…well, study the issue more.

In letters sent last week to Apple and the Justice Department, the House Energy & Commerce Committee invited leaders of both organizations to come testify on the issue in an upcoming hearing. In addition, Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) say they plan to unveil legislation later this week to create a “Digital Security Commission” to investigate whether Congress has a bigger role to play here.

Twitter addicts can follow this lively debate at the hashtag #FBIvsApple, although to be fair the pro-Apple viewpoints appear to be far more represented so far. Where do you come down on this debate? Sound off in the comments below.

Recommended further reading: Jonathan Zdziarski’s take on why this case is different from previous requests from the FBI to Apple.