With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.

Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.

I spoke at length with several state tax commissioners about the size and scope of the tax refund fraud problem, and what the IRS and the states are doing to move beyond reliance on static identifiers to authenticate taxpayers. One of the state experts I spoke with was Julie Magee, commissioner Alabama’s Department of Revenue.

Magee described her work on a new task force organized by the IRS aimed at finding solutions for reducing the tax refund fraud problem across the board. Magee is one of several folks working on a fraud and authentication working group within the IRS’s task force, which is trying to come to a consensus about ways to do a better job authenticating taxpayers and to improve security around online tax preparation services such as TurboTax.

Earlier this year, TurboTax briefly suspended the online filing of state tax returns after dozens of state revenue departments complained about a massive spike in fraudulent refund requests — many of which were tied back to hijacked or fraudulently-created TurboTax accounts.

One of those victimized in that scourge was Joe W. Garrett, — Magee’s deputy commissioner — who had a $7,700 fraudulent return filed in his name after thieves created a duplicate TurboTax account with his personal information.

Magee said her working group — one of three on the IRS’s task force — is populated by stakeholders with competing agendas.

“You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.” (For a look at which companies stand to profit from fraudulent refunds, see this sidebar).

In February, KrebsOnSecurity published exclusive interviews with two former TurboTax security professionals who accused TurboTax of making millions of dollars knowingly processing state and federal tax refunds filed by identity thieves. Magee said Intuit — the company that owns TurboTax — came to the first two working group meetings with a plan to provide states with an anti-fraud screening mechanism similar to Apple Pay‘s “green/yellow/red path” program, which seeks to offer participating banks some idea of the relative likelihood that a given new customer is in fact a fraudster signing up in the name of an ID theft victim.

“The first two meetings, Intuit acted like they were leading the charge on this, and they were really amenable to everything,” Magee said. “They had come up with an idea that was very much like the red- yellow-green kind of thing, and they were asking us what data elements they should be looking at and sharing.”

According to the Alabama tax commissioner, that’s when the American Coalition for Taxpayer Rights (ACTR), a trade group representing the tax preparation firms, stepped in. “The lobbyist group put the kibosh on that idea. They basically said it’s not their right to be the police – that it should be the IRS or the states — but that they would be more than willing to send us the indicators and that we could use our own system to do the scoring,” Magee said. “The states aren’t hung up on getting some red, yellow, green type system. I think we’re more interested in making sure data elements we can use to make a score are passed on to us.”

Magee said ACTR also protested that tax prep firms like Intuit couldn’t legally share certain information about their customers with the states and the IRS. Representatives with ACTR did not respond to requests for comment. Intuit declined to be interviewed for this story.

“They threw up a red flag and basically said, ‘We can’t you pass that information because it’s protected by IRS code sections regarding taxpayer confidentiality issues,'” Magee recalled. “Thankfully, the IRS brought in their attorneys and the commissioner a few weeks ago and they said, ‘That’s bunk, you can most certainly send that information to us and to the states. So we won that battle.” So how will Alabama and other states process returns differently next year?

“On a high level, what we’ve determined as of this week is that — unless the lobbyists derail our efforts – we’re going to ask for different authentication measures on a new customer, and different on returning customer, and then we’re going to ask for whole bunch of data elements that we’re not getting now that will allow us to filter the returns on receipt and will allow us to put the returns in various buckets of scores for possible fraud.”

For example, one telltale sign of a fraudulent return is one that takes the filer a very short time to fill out.

“If someone takes two minutes or less to fill out a tax return, that’s pretty much fraud 100 percent of the time, because they’re just cutting and pasting information from somewhere else,”  said Magee’s deputy Garrett. “So we said, okay, send us information about how long it takes them to fill out a return.”

Magee said there are a number of other data elements that the tax preparation firms could share about the way its customers file refund requests that would be helpful in separating legitimate returns from those filed by fraudsters.

“The states and the IRS are really trying to figure out what other data elements about customers is reasonable to ask of the software vendors in terms of helping us screen suspicious returns,” Magee said. “But end of the day, the best thing they can do for us is avoid account takeovers and to authenticate that it’s not a criminal setting up the account, that it’s a legitimate taxpayer.”

Garrett said the states believe they have some power to drive change because the states ultimately get to decide whether or not they accept a tax return filed through an electronic tax preparation firm.

“We get to choose whether or not we accept returns from vendor or not, but we have not exercised that choice in the past,” Garrett said. “What we’re going to do this is say let’s make sure that not only does the return have all the right data filled out in all the right fields, but let’s make sure you doing certain things on customer authentication as well.”

Magee said regardless of what happens with the IRS task force, her state will be requiring more from tax preparation firms in the coming months.

“Every summer we provide software vendors with file format that they must program into their systems, and usually the changes have to do with new laws or new tax structure,” Magee said. “But this year, that’s also going to include security measures. Ultimately, our goal is to deter people from using information on Alabama residents to file fraudulent tax returns. Then we could actually get back to the type of tax administration we’re used to, which is catching plain old tax cheats.”

One final note: The U.S. Senate Homeland Security and Governmental Affairs Committee is set to hold hearings today about the IRS transcript problem mentioned at the top of this piece. When I broke the news about this fraud back in March, I did so by telling the nightmarish story of Michael Kasper, a taxpayer who reached out after discovering he’d been victimized by tax fraud and that someone had pulled his tax transcript after creating an account at the IRS’s site using his personal information. Kasper is set to testify before the committee today. (Update: Watch a recorded version of today’s hearing here).

There’s also been a minor update on Kasper’s tax fraud case. In my original report, I noted that Kasper had tracked down a local woman who’d willingly or unwittingly helped fraudsters funnel the money from Kasper’s fraudulent IRS refund to scammers in Nigeria. That individual, a woman named Isha Sesay, declined my requests for an interview at the time. But on May 29, the Williamsport, Pa. police department posted a notice on their Facebook page about a standing warrant for her arrest: According to Kasper, she is also wanted for helping to funnel refund fraud money from an ID theft victim in South Dakota.

This is significant because these so-called “money mules” so seldom get prosecuted or held accountable for the very critical role that they play in these fraud schemes. UPDATE: A notice posted to the police department’s Facebook page states that Sesay has been arrested.

When identity thieves filed a phony $7,700 tax refund request in the name of Joe Garrett, Alabama’s deputy tax commissioner, they didn’t get all of the money they requested. A portion of the cash went to more than a half dozen U.S. companies that each grab a slice of the fraudulent refund, including banks, payment processing firms, tax preparation companies and e-commerce giants.

When tax scammers file a fraudulent refund request, they usually take advantage of a process called a refund transfer. That allows the third party firm that helped prepare and process the return for filing (e.g. TurboTax) to get paid for their services by deducting the amount of their fee from the refund. Effectively, this lets identity thieves avoid paying a dime to TurboTax or other providers for processing the return.

In Garrett’s case, as with no doubt countless other fraudulent returns filed this year, the thieves requested that the return be deposited into a prepaid debit card account, which they could then use as a regular debit card to pay for goods and services, and/or use at ATMs to withdraw the ill-gotten gains in cash.

What’s more, the crooks asked the government to deposit $2,000 of the $7,700 they applied for in his name to an Amazon gift card ($2,000 is the maximum allowed under the Amazon gift card program). This is just another way for thieves to hedge their bets in case the debit card to which the majority of the stolen funds gets canceled.

“There are so many people making money off of electronic transfer of funds, it’s ridiculous,” said Julie Magee, Garrett’s boss and commissioner of Alabama’s Department of Revenue. “Five different financial institutions touched the fraudulent refund they filed in Joe’s name before it went to the thieves.”

Garrett explained that his refund went from the U.S. Treasury to an account at Sunrise Banks of St. Paul, Minn. controlled by Santa Barbara Tax Products Group (TPG), which is a subsidiary of Greendot — the world’s largest prepaid card issuer (the other bank authorized to handle refund transfers is Citizens Banking Company of Sandusky, OH).

As TPG explains on its site, the company is integrated as the tax refund processing and settlement engine for 4 out of the 6 leading consumer online and in-person tax preparation companies. Additionally, TPG’s services are integrated into the offerings of the nation’s leading tax software companies, which, together, enable TPG to serve nearly 25,000 independent tax preparers and accountants nationwide. In the most recent tax season, TPG processed approximately $32 billion in tax refunds on behalf of approximately 11 million U.S. tax filers.

When the money was deposited into the Sunrise account, TPG extracted three fees: $35 for handling the federal refund, $10 for state refunds and $10 fee for TurboTax (since thieves had used TurboTax to fraudulently file his request.

Another $2,000 from the refund was diverted to an Amazon gift card. For thieves, diverting some of the funds to Amazon hedges their bets in case somehow the prepaid card that receives the bulk of the funds gets canceled by authorities cracking down on tax return fraud. These gift cards also are easily resold for cash.

“For Amazon, it guarantees a flow of future purchases in the Amazon system, and potentially generates more profit as consumers often forget to use all the value on their gift cards,” Garrett said.

The prepaid debit card which thieves used to receive most of the phony refund filed in Garrett’s name is operated by Rush Card and JPM Chase Bank. Rush Card charges a one-time card fee of between $3.95 – $9.95, and on a monthly fee ranging from $5.95 – $7.95. Each time the thieves went to an ATM to pull out cash from the card, Rush Card charged an additional $1 fee.

So, tax refund fraud is clearly lucrative for a great many companies. But how long before Congress or states turn this cash cow out to pasture? Joe Garrett’s boss — Alabama’s Revenue Department Commissioner Julie Magee — said she’s not holding her breath.

“This is a bit like regulatory whack a mole, and very difficult to track down who’s getting what,” she said. “This has been driver of why it’s so lucrative; Because it shifts so easy for thieves to get the money off the card as soon as it hits the account.”

This story was published as a complement to another piece on tax fraud, available here. Stay tuned later this week for an interview with another state tax official on ways to crack down on tax refund fraud.

What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it’s important to consider attribution insofar as it is knowable, but it’s remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.

Perhaps with some new malware samples, the associated actor attribution data is too inconclusive to publish —particularly when corporate lawyers are involved and such findings are juxtaposed to facts about a new code sample that can be demonstrated empirically. Maybe in other cases, the company publishing the research privately has concerns that airing their findings on attribution will somehow cause people to take them or the newfound threat less seriously?

I doubt many who are familiar with my reporting will have trouble telling where I come down on this subject, which explains why I’m fascinated by a bit of digging done into the actor behind a new malware sample that recently received quite a bit of media attention. That threat, known variously as “Rombertik” and “Carbon Grabber,” is financial crimeware that gained media attention because of a curious feature: it was apparently designed to overwrite key sections of the hard drive, rendering the host system unbootable.

News about Rombertik’s destructive ways was first published by Cisco, which posited that the feature was a defense mechanism built into the malware to frustrate security researchers who might be trying to unlock its secrets. Other security firms published competing theories about the purpose of the destructive component of the malware. Some argued it was the malware author’s way of enforcing licensing agreements with his customers: Those who tried to use the malware on Web addresses or domains that were not authorized as part of the original sale would be considered in violation of the software agreement — their malware infrastructure thus exposed to (criminal) a copyright enforcement regime of the most unforgiving kind.

Incredibly, none of these companies bothered to look more closely at the clues rather clumsily left behind by the person apparently responsible for spreading the malware sample that prompted Cisco to blog about Rombertik in the first place. Had they done so, they might have discovered that this ultra-sophisticated new malware strain was unearthed precisely because it was being wielded by a relatively unsophisticated actor who seems to pose more of a threat to himself than to others.

AFRICAN PERSISTENT THREAT

As much as I would love to take credit for this research, that glory belongs to the community which has sprung up around ThreatConnect, a company that specializes in threat attribution with a special focus on crowdsourcing raw actor data across a large community of users.

In this case, ThreatConnect dug deeper into centozos[dot]org[dot]in, the control server used in the Rombertik sample featured in the original Cisco report. The Web site registration records for that domain lists an individual in Lagos, Nigeria who used the email address genhostkay@dispostable.com. For those unfamiliar with Dispostable, it is a free, throwaway email service that allows anyone to send and receive email without supplying a password for the account. While this kind of service relieves the user of having to remember their password, it also allows anyone who knows the username to read all of the mail associated with that account.

Reviewing the messages in that genhostkay@dispostable.com account reveals that the account holder registered the domain centozos[dot]org[dot]in with registrar Internet.bs, and that he asked to be CC’d on another email address, “kallysky@yahoo.com”. ThreatConnect found that same genhostkay@dispostable.com email address used to register a number of other domains associated with distributing malware, including kallyguru[dot]in, nimoru[dot]com, directxex[dot]net, and norqren[dot]com.

The email address kallysky@yahoo.com is tied to a Facebook account for a 30-year-old Kayode Ogundokun from Lagos, Nigeria, who maintains a robust online presence from his personal and “business” Facebook accounts, Blogger, LinkedIn, Twitter and Youtube,” ThreatConnect wrote.

“In fact Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering tracks his tracks have been minimal to non-existent,” ThreatConnect continued. “Ogundokun’s skillset appears to be limited to using commodity RATs and botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes. [We assess] that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently licensed it to a less capable operator. His particular sample of Carbon Grabber was simply caught up in a headline grabbing story.”

REVEALING INTERNET SECRETS TO YOU

For several years until very recently, Kally/Koyode maintained kallysky.com, which thanks to archive.org we can still review in all its glory. In it, Kally’s site — which boldly and confidently displays the banner message “Revealing Internet Secrets to You” — links to dozens of video tutorials he produced and stars in on how to use various malware tools.

“He claims to offer services for Citadel Bot, Cybergate RAT, Darkcomet RAT with cpanel web services, ‘Fully Undetectable’ by anti-virus as well as other capabilities such as binders and file extension spoofers, all for educational purposes, of course,” ThreatConnect notes. “He also provides his phone number, BlackBerry Pin and the same kallysky@yahoo[dot]com email address that we observed earlier with the genhostkay@dispostable[dot]com norqren[dot]com domain expiration email.”

Sadly, Kally did not respond to requests for an interview about his work sent to his yahoo.com address. But his case and the initial industry writeups on Rombertik are illustrative of a trend within the security industry that’s become all-too-common: Threat reports that lack context — particularly on attribution that is so trivially discoverable, ThreatConnect observed.

“As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as ‘terrifying,’ ‘deadly’ and ‘suicide bomber malware’ dominate the security news headlines,” the company wrote. “Now if we consider for a moment the man hours and ad hoc reprioritization for many security teams globally who were queried or tasked to determine if their organization was at risk to Rombertik – had the organizations also had adversary intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against the operator’s (Ogundokun) intent, and could have more effectively determined the level of risk.”

Cybercriminals who specialize in phishing — or tricking people into giving up usernames and passwords at fake bank and ecommerce sites — aren’t generally considered the most sophisticated crooks, but occasionally they do exhibit creativity and chutzpah. That’s most definitely the case with a phishing gang that calls itself the “Manipulaters Team”, whose Web site boasts that it specializes in brand research and development.

I first learned about the Manipulaters from a source at an Australian bank who clued me in to a phishing group that specializes in targeting Apple’s iCloud services and a whole mess of U.S., European and Asian banks. For whatever reason (probably because they’re proud of their work), these guys leave a calling card of sorts in the WHOIS Web site registration records for most of the phishing domains that they register: According to Domaintools.com, some 329 domains are registered to “admin@manipulaters[dot]com” (complete list of domains: in PDF and CSV).

Manipulaters[dot]com is a pretty amusing site all around. Their home page advises that Mainpulaters “is an institute that caters to brand research & development. We have studied computer related products immensely, and are confident that we can get the job done. The learning never stops for us though, as we are always looking for ways to improve.” Brand research. Yeah, right.

“Our goal is to help each business and brand reach their ultimate potential,” explains the “Our Members” section of the site. “We have contracts with our members that allows us to have guidelines for them to follow on their path to success. We have put these in place for a reason. This provides the stability and direction that companies/brands need to succeed.” Points for brazenness.

Their site advises that interested parties can “become a member” of the Manipulaters Team just by paying a one-time membership fee of $15, and providing a driver’s license/ID card plus a phone or electricity bill. Ah, there’s nothing quite like phishers phishing phishers.

The scary aspect of this fraud gang is that they appear to play in the Web hosting space as well. Most of their phishing pages are in fact hosted on Internet address space that is assigned to Manipulaters[dot]com: Incredibly, the group is listed as the current occupants of an entire Class C range of Internet addresses, from 167.160.46.0 to 167.160.46.255.

One common name across most of the online properties erected by the Manipulators Team is Madih-ullah Riaz, a resident of Pakistan who appears to manage this Manipulaters out of a high-rise apartment building in Karachi. Interestingly, Riaz’s email address — madihrb@hotmail.com — was among those listed as a user of BestRecovery, a phishing and malware deployment service whose user database was hacked last year. Mr. Riaz did not respond to requests for comment.

Mr. Riaz is listed as the founding member on the “About Us” page of the Manipulaters Team, along with a guy named Omer Fareed. Both men also are listed as founders of a software company called Posting Kit, which is a company included in the job history on Riaz’s LinkedIn profile.

The Manipulaters Team likes to use domain name service (DNS) settings from another blatantly fraudulent service called “FreshSpamTools[dot]eu”, a scammer-friendly service offered by a fellow Pakistani that also conveniently sells phishing toolkits targeting a number of popular brands. Manipulators indeed.

Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.

The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.

The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.

For example, here’s a fairly benign screen shot reference that was included in the leaked files:

“ref”: “dav/a00/003/628/359/2015/02/24/cGWmz4OjqoyImZQh-25493887.jpg.open

Adding the base URL to that URL stem produces a screen shot showing an mSpy-enabled device browsing seberizeni.cz, a Czech news site. Disturbingly, it is trivial to identify the owners of many mSpy-enabled devices merely based on the information available in the bookmarks bar or Web browser windows shown in many of these screen shots.

According to mSpy, however, this is not a big deal. Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media.

“Data logs do not include the information of the account user, therefore cannot be tracked back to data owner,” Ross said, ignoring the fact that I was able to identify and contact many of the company’s customers. “This case been a hard lesson and will only serve as an incentive for perfecting our service further. We have communicated with our customers whose data could have been stolen, described them a situation and they perceived it with a total understanding.”

Reached today about the exposed screenshots, mSpy reiterated its claim the data cannot be traced back to the data owner, and then acknowledged that it was reworking its system to render the exposed screenshot links unusable.

“Currently we’re working on re-hashing of the exposed data, which will result in the leaked links becoming inoperable,” Ross wrote. “We expect it to be completed within 24 hours.”

A number of journalists following the mSpy breach story have asked if I knew where the company was based, noting that authorities from several countries are now investigating the breach. As I mentioned in my original story on the break-in, the founders of the company variously claimed UK and Russian nationality, but it remains unclear where the company is physically located. However, I’m leaning toward Russia or another Eastern European country. Ross’s response to my initial email includes a forwarded copy of my May 9 message to the main media@mspy.com mailbox, which was prefaced by the the timestamp: “09.05.2015 17:55, brian krebs пишет:” That last word, пишет, is Russian for “wrote”. According to a review of the email headers, the response was sent from a laptop in Ukraine on the Eastern European summer time zone.

I hope it’s clear that it’s foolhardy to place any trust or confidence in a company whose reason for existence is secretly spying on people. Alas, the only customers who can truly “trust” a company like this are those who are indifferent to the privacy and security of the device owner being spied upon.