Threat Research

Beware of Emails Purporting to be from the IRS

By FortiGuard SE Team | September 17, 2018

FortiGuard SE team has come across a peculiar phishing campaign purporting to be from the United States Internal Revenue Service (IRS), which is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING (IRS <update-noreply@irs.gov>).”

Peculiar because we are almost five months from the original tax deadline of April 15th in the United States. However, since individuals are allowed a six-month extension to provide more time to file, the final deadline is October 15th, which is now approaching. Such a campaign is likely to net an unwitting victim who is not aware of such scams, especially if they are a non-resident alien unfamiliar with US laws and procedures.

Before we take a look at this attack, however, it is important to remind everyone that the IRS never conducts any correspondence with taxpayers via email, which is the single most important indication that this is a phishing attack. A copy of the email being sent out is reproduced below (figure 1):

Figure 1. The fake IRS phishing email

Anatomy of the Attack

At first glance, this seems to be a rather convincing email from the phisher. The formal language and basic template (full of lengthy descriptives, no graphics, and no links) mimics a document issued by a government agency, and the  form labeled “W-8BEN Form.PDF” masquerades as an official W-8EN document from the IRS, which according to Wikipedia is a document used by foreign persons (including corporations) to certify their non-U.S. status. Filing this form establishes that one is a non-resident alien or foreign corporation, thereby avoiding or reducing tax withholdings from U.S. source income, such as rents from U.S. property, interest on U.S. bank deposits, or dividends paid by U.S. corporations.

Tells and Giveaways

The classic blunder of nearly all phishing email campaigns is grammatical issues and typos, indicative of an attacker who is either careless or for whom English may not be their first language. Such errors in this campaign, however, may be less obvious since it is being targeted at non-resident aliens for whom English may not be their primary language.

Issues include the incorrect name of the Federal agency purported to be sending this notification (the official name used on official correspondence is Department of the Treasury) and numerous grammatical errors in the descriptor sentence generally indicative of a non-native English user.

Figure 2: Grammar and typo issues

The inclusion of an interesting string appended before USA and after Resident is another dead giveaway:

Figure 2: Unusual string with non-English characters

The Fake PDF File Attachment

As annoying and damaging as any malicious phishing or spearphishing email campaign can be, the good news resulting from our analysis is that the PDF file attached to the email is clean, meaning it did not contain any detectable embedded executables. Again, while the PDF file appears at first glance to be an official document, it is critical to remember that the IRS never sends official correspondence via email. 

Figure 3. The fake W-8Ben form

A cursory glance of the attached PDF form may indicate to the casual observer that it is a legitimate document. It is nondescript and has many of the routine features of an official document originating from a government agency.

However, closer inspection reveals that this PDF not only appears to be scanned but also includes a number of errors, including: unusual spacing errors, inappropriate use of characters such as questions marks (?) where bullet points should be, alignment issues that appear to have been manually manipulated or photocopied poorly, and significant spelling errors, such as “inc one” rather than “income.” 

Another tell is that while this document states that its last revision was February 2018, the look and feel is not that of a digital document (specifically those found on IRS.gov). Finally, the fonts are mismatched on the form, especially the “FAX TO: 1 877 917 3730” direction at the bottom, which is colored in blue and is in a different font style and size. This is another dead giveaway for this poorly crafted campaign.

Also, a search on the FAX TO number (877) 917 3730 reveals logged complaints over the past two weeks (at the time of writing):

Figure 4. Google search on 877 917 3730

Interestingly, this phishing campaign was sent from a server originating out of Italy, rather than from a US location. However, we cannot tell if this is the attacker’s address, an intentionally compromised device, or simply a misconfigured or vulnerable server that is being used to obscure the attacker’s location and identity.

Other Data Points

While tracking this campaign, we also observed a spike in activity on September 5th, 2018. 

Figure 5. Spike in activity in the past week for the IP address associated with this phishing campaign.

Countries that received this mass phishing email include:

·      Austria

·      Czech Republic

·      Denmark

·      Germany

·      India

·      Indonesia

·      Italy

·      Japan

·      Korea

·      Switzerland

·      Taiwan

·      United States

Conclusion

Because this phishing campaign specifically targets non-resident US aliens, recipients may not notice the numerous grammatical and spelling errors in this document as both the phishing email and attached form have the look and feel of an official document. Individuals who fill out this form and fax it to the number indicated at the bottom, however, will have provided critical PII to the cybercriminals conducting this campaign.

Solutions

Email Security and the Security Fabric

As a central component of the Fortinet Security Fabric, FortiMail is a key protection point against new, previously unseen threats that use email as their attack vector.  FortiMail provides multiple layers of threat prevention that enable the interception and neutralization of email-borne threats such as the one described in this report.

A key feature of the Fortinet Security Fabric is its ability to dynamically share threat intelligence across connected devices. Once a threat is identified, malware and malicious URL packages are shared between fabric components, including FortiSandbox, FortiMail, FortiGate and FortiClient so should a threat attempt to utilize other vectors for exploitation it will be detected instantly.

When FortiMail is integrated with FortiSandbox, email attachments and links are opened and executed in a virtual environment. A range of content-based methods then neutralize detected threats, including:

·      Removal of active content, e.g., exe and javascript from emails

·      Neutralizing Office and PDF documents by removing macros, javascript, embedded content, and DDE, etc.

For this particular phishing campaign:

·      The IP address of the sender was blacklisted as a spam sender and blocked by the FortiMail Secure Email Gateway.

·      The FortiGuard Spam and Virus Outbreak Services used by FortiMail leverage cloud-based machine learning to identify and block new threat outbreaks.  These tools also blocked the various forms of this threat within seconds of detecting the start of each campaign.

Avoid becoming a victim of IRS-related scams

Note that the IRS does not :

  • Demand that people use a specific payment method, such as a prepaid debit card, gift card, or wire transfer. The IRS will also never ask for debit or credit card numbers over the phone. For people who owe taxes, payments are made directly to the United States Treasury. You can review the IRS.gov/payments website for official online payment options.
     
  • Demand immediate tax payment. Normal correspondence via a letter in the mail and taxpayers have the option to appeal or question what they owe. All taxpayers are advised to know their rights as a taxpayer.
     
  • Ever threaten to bring in local police, immigration officers, or other law enforcement to arrest people for not paying. The IRS is also not authorized to revoke a license or immigration status. Threats like these are common tactics scam artists use to trick victims into believing their schemes.

Taxpayers who receive an IRS-related phone scam or any IRS impersonation should report it to the Treasury Inspector General for Tax Administration at its IRS Impersonation Scam Reporting site, and to the IRS by emailing phishing@irs.gov with the subject line “IRS Impersonation Scam.”

Further Reading:

https://www.irs.gov/newsroom/irs-warns-of-variation-of-form-w-8ben-scam-crooks-impersonate-irs-to-get-banking-and-other-information

 

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.