In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to obtain taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.

That March story — Sign Up at IRS.gov Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said they targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the IRS said in a statement. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”

SCOURGE AT THE STATE LEVEL

The Government Accountability Office (GAO) estimates that thieves steal nearly $6 billion from state and federal coffers last year via tax refund fraud. This year, fraudsters changed their tactics, leading to a huge spike in attempted fraudulent refund requests — particularly at the state level.

Earlier this week, I had an opportunity to interview John Valentine, chair of the Utah State Tax Commission. Valentine said this year his state saw a tenfold increase in suspicious tax refund filings, and that most of that increase was the result of a type of tax fraud the state had never seen before.

“This was unique, where someone clearly had the information from the prior year’s tax return,” Valentine said. “That different significantly from the way the return comes across if it’s just ID theft. If you have the prior year’s return, you have the names of children, their Social Security numbers and other data you don’t often times get with ID theft.”

These suspicious returns all had the filing status exactly the same [as the year prior], the number of exemptions exactly the same….you even got spelling errors on addresses and names, so that the same errors that occurred in the 2013 return occurred in the fraudulent 2014 return,” Valentine explained. “That’s what told us we were dealing with a different kind of fraud, especially since the extent of the fraud was ten times the amount of fraud we’d seen in the past.”

Valentine said he believes most of that increase was due to lax authentication and security at third-party tax preparation firms (TurboTax, for example). Based on numerous stories about poor authentication and virtually nonexistent “know-your-customer” procedures at TurboTax, I’ve no doubt the nation’s leading tax preparation firm contributed considerably to the spike. But that same data that Valentine references also could be had by pulling taxpayer data from the IRS’s site, which until very recently offered the full previous year’s W2 information on taxpayers.

Stay tuned over the next week for more in-depth stories and interviews about how the states are grappling with tax return fraud, and the changes they are seeking to the status quo.

The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that ne’er-do-wells are actively trading this data and planning to abuse it for financial gain.

Within hours after data on tens (if not hundreds) of thousands of mSpy users leaked onto the Deep Web, miscreants on the “Hell” forum (reachable only via Tor) were busy extracting countless Apple iTunes usernames and passwords from the archive.

“Apple Id accounts you can use Tor to login perfectly safe! Good method so far use ‘Find My phone,'” wrote Ping, a moderator on the forum. “Wipe data and set a message that they been hacked and the only way to get their data back is to pay a ransom.”

mSpy works on non-jailbroken iPhones and iPads, but the user loading the program needs to supply the iTunes username and password to load mSpy onto the device. The tough part about a breach at a company like mSpy is that many “users” will not know they need to change their iTunes account passwords because they don’t know they have the application installed in the first place!

Late last week, several publications reported that the database for Adult Friend Finder’s users was being sold online for the Bitcoin equivalent of about USD $17,000. Unfortunately, that same database seems to be circulating quickly around the Deep Web, including on the aforementioned Hell forum.

In an update posted to its site on Friday, AFF owner FriendFinder Networks sought to assure registered users there was no evidence that any financial information or passwords were compromised.

Nevertheless, the AFF breach clearly threatens to inundate breached users with tons more spam, and potentially makes it easy to identify subscribers in real life. Such a connection could expose users to blackmail attempts: I spent roughly 10 minutes popping email addresses from the leaked AFF users list into Facebook, and managed to locate more than a dozen active Facebook accounts apparently tied to married men.

According to a note posted by the aforementioned Hell moderator Ping (this user is also administrator of the Deep Web forum The Real Deal), the AFF database has been traded online since March 2015, but it only received widespread media attention last week.

CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.

According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.

Nobody is officially pointing fingers at the parties thought to be responsible for this latest health industry breach, but there are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.

As I noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com.

ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.

On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[dot]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[dot]com command and control infrastructure,” ThreatConnect observed in a February 2015 blog post.

Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).

Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Let’s parse that statement a bit further. No, the stolen records aren’t on the Web; rather, they’ve been posted to various sites on the Deep Web, which is only accessible using Tor. Also, I don’t doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers’ data being posted online.

How am I confident of this, considering mSpy has still not responded to requests for comment? I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.

Joe Natoli, director of a home care provider in Arizona, confirmed what was clear from looking at the leaked data — that he had paid mSpy hundreds of dollars a month for a subscription to monitor all of the mobile devices distributed to employees by his company. Natoli said all employees agree to the monitoring when they are hired, but that he only used mSpy for approximately four months.

“The value proposition for the cost didn’t work out,” Natoli said.

Katherine Till‘s information also was in the leaked data. Till confirmed that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter, and were still a paying customer as of my call to her.

Till added that she was unaware of a breach, and was disturbed that mSpy might try to cover it up.

“This is disturbing, because who knows what someone could do with all that data from her phone,” Till said, noting that she and her husband had both discussed the monitoring software with their daughter. “As parents, it’s hard to keep up and teach kids all the time what they can and can’t do. I’m sure there are lots more people like us that are in this situation now.”

Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”

Update, May 22, 10:24 a.m.: mSpy is finally admitting that it did have a breach that exposed customer information, but they are still downplaying the numbers.

REACTION ON CAPITOL HILL

News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called ‘deeply troubling’ and “nothing short of terrifying” when “in the hands of a stalker or abuse intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested a 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including, Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

“While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said was targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

“It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

The problem with that linkage is although carbon2go[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2go home for their DNS operations, including these clowns.

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.

Each of these emails have long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

Bob Zito, a spokesperson for root9B, said “the team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”

I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

“Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

Blasco’s comments may sound harsh, but it is true that root9B Chairman Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.