Valentine’s Day is a the season for
social engineering, as many people hope for a note from a mysterious and
fascinating someone and are therefore more willing to open suspicious
messages and attachments than at any other time.
Unfortunately, it is now the season for data theft. It’s at tax time that the highest quantity of valuable data crosses the Internet and data thieves are surely
hoping for a feast. Tax data is valuable not just because it contains financial information but also for the personal information it contains.
“Cisco IronPort expects to see more
targeted attacks emulating local tax authorities over the coming weeks and
months,” wrote Nilesh Bandhari, product manager at Cisco’s security
appliance subsidiary IronPort Systems
to InternetNews.com. The company reported a sophisticated attack from Canada, where phishers are pretending to be the Canadian Revenue Agency (CRA).
There’s plenty of personal data online at tax time in the U.S. alone,
without adding in the volume the rest of the world generates. The IRS said that more than 87 million returns were
filed electronically in 2008 via e-file, the system for filing tax returns over the Internet, representing about 60 percent of the total filings for the year.
The IRS’ goal for e-file is set in statute: the Internal Revenue Service
Restructuring and Reform Act of 1998 (RRA98) stated that 80 percent of all
returns should have been filed online by 2007, and the report explains why
this goal was not achieved.
The IRS finally came to the conclusion that more than 20 percent of the U.S. population either did not have access to or did not adopt the technology necessary to achieve 80 percent electronic filing. It reset the goal, hoping now to achieve 80 percent e-file by 2012.
There’s gold in them thar names
Security experts who monitor the online marketplaces where stolen data
changes hands say that it’s personal information, rather than just credit
cards, that the bad guys are after.
“So many credit cards are for sale,” said David Perry, global director of education for Trend Micro, “that credit card data is
not worth as much as it used to be. Personal data like a pet’s name or a
mother’s maiden name can be worth more.”
Those who sell to organized crime are learning to package stolen data in new ways in order to make it more attractive. Criminals are looking for complete data sets that will allow them to steal someone’s identity or conduct other profitable criminal activities.
Next page: Improving their hacking skills.
But the most sophisticated criminals expect even more, and sellers of stolen data are adjusting accordingly. “They might sell a package of credit cards from employees of one specific company, to be used in industrial espionage,” Perry said.
Building these data sets takes time, and because victims do not always
lose money at the moment their security is compromised, the threats are all
the more insidious. Perry said that there can be some time between the
security breach (say, in February), the theft of data (at tax time in March
or April), and the loss of money (perhaps in the summer). It’s a mistake to
feel safe just because nothing bad has happened. “Right now, people may
have a key logger on their system and not know it,” he said.
Data theft is not the only tax time scam. Perry warned that some online
tax preparers will take a fee to prepare taxes and then steal the refund and
then sell their victims’ personal information on the Internet. He said that
it may seem particularly cruel to steal the refund, but that it does happen.
Of course, security experts are eager to talk about these threats because
they are eager to sell solutions. Companies are slashing IT budgets, but
they are still spending money on security.
Tal Golan, founder, president and CTO of Sendio, said that enterprise users have to
protect their domain names. He claimed that companies using his anti-spam
solution don’t get e-mail tax scams. Sendio’s E-mail Security Platform
(ESP) uses challenge-response and more traditional technologies and it works
with technology partners such as Kaspersky and Commtouch.
It also takes advantage of Sender Policy Framework (SPF) (define) and Domain Keys Identified Mail (DKIM) (define), which are technologies designed to prevent the spoofing of domains and e-mail addresses.
Golan strongly recommended that anyone who is responsible for managing a
domain fully implement DKIM and SPF. “Even if you don’t want to buy Sendio
technology, please take responsibility for your domain,” he said.
TrendMicro recommends that at a minimum, concerned Internet users
take advantage of its free products, including TrendMicro HouseCall, but says that
everyone should have a full Internet security suite in place.
Trend Micro advised online users to exercise caution. The company
recommended that people encrypt data where possible, scan their PC for
malware before using it to file a tax return, and be especially cautious of
tax-related e-mails and Web sites at this time.
This article was first published on InternetNews.com.