Valentine's Day is a the season for social engineering, as many people hope for a note from a mysterious and fascinating someone and are therefore more willing to open suspicious messages and attachments than at any other time.
Unfortunately, it is now the season for data theft. It's at tax time that the highest quantity of valuable data crosses the Internet and data thieves are surely hoping for a feast. Tax data is valuable not just because it contains financial information but also for the personal information it contains.
"Cisco IronPort expects to see more targeted attacks emulating local tax authorities over the coming weeks and months," wrote Nilesh Bandhari, product manager at Cisco's security appliance subsidiary IronPort Systems to InternetNews.com. The company reported a sophisticated attack from Canada, where phishers are pretending to be the Canadian Revenue Agency (CRA).
The IRS' goal for e-file is set in statute: the Internal Revenue Service Restructuring and Reform Act of 1998 (RRA98) stated that 80 percent of all returns should have been filed online by 2007, and the report explains why this goal was not achieved.
The IRS finally came to the conclusion that more than 20 percent of the U.S. population either did not have access to or did not adopt the technology necessary to achieve 80 percent electronic filing. It reset the goal, hoping now to achieve 80 percent e-file by 2012.
There's gold in them thar names
Security experts who monitor the online marketplaces where stolen data changes hands say that it's personal information, rather than just credit cards, that the bad guys are after.
"So many credit cards are for sale," said David Perry, global director of education for Trend Micro, "that credit card data is not worth as much as it used to be. Personal data like a pet's name or a mother's maiden name can be worth more."
Those who sell to organized crime are learning to package stolen data in new ways in order to make it more attractive. Criminals are looking for complete data sets that will allow them to steal someone's identity or conduct other profitable criminal activities.
Next page: Improving their hacking skills.
But the most sophisticated criminals expect even more, and sellers of stolen data are adjusting accordingly. "They might sell a package of credit cards from employees of one specific company, to be used in industrial espionage," Perry said.
Building these data sets takes time, and because victims do not always lose money at the moment their security is compromised, the threats are all the more insidious. Perry said that there can be some time between the security breach (say, in February), the theft of data (at tax time in March or April), and the loss of money (perhaps in the summer). It's a mistake to feel safe just because nothing bad has happened. "Right now, people may have a key logger on their system and not know it," he said.
Data theft is not the only tax time scam. Perry warned that some online tax preparers will take a fee to prepare taxes and then steal the refund and then sell their victims' personal information on the Internet. He said that it may seem particularly cruel to steal the refund, but that it does happen.
Of course, security experts are eager to talk about these threats because they are eager to sell solutions. Companies are slashing IT budgets, but they are still spending money on security.
Tal Golan, founder, president and CTO of Sendio, said that enterprise users have to protect their domain names. He claimed that companies using his anti-spam solution don't get e-mail tax scams. Sendio's E-mail Security Platform (ESP) uses challenge-response and more traditional technologies and it works with technology partners such as Kaspersky and Commtouch.
It also takes advantage of Sender Policy Framework (SPF) (define) and Domain Keys Identified Mail (DKIM) (define), which are technologies designed to prevent the spoofing of domains and e-mail addresses.
Golan strongly recommended that anyone who is responsible for managing a domain fully implement DKIM and SPF. "Even if you don't want to buy Sendio technology, please take responsibility for your domain," he said.
TrendMicro recommends that at a minimum, concerned Internet users take advantage of its free products, including TrendMicro HouseCall, but says that everyone should have a full Internet security suite in place.
Trend Micro advised online users to exercise caution. The company recommended that people encrypt data where possible, scan their PC for malware before using it to file a tax return, and be especially cautious of tax-related e-mails and Web sites at this time.
This article was first published on InternetNews.com.