FortiGuard SE team has come across a peculiar phishing campaign purporting to be from the United States Internal Revenue Service (IRS), which is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING (IRS <firstname.lastname@example.org>).”
Peculiar because we are almost five months from the original tax deadline of April 15th in the United States. However, since individuals are allowed a six-month extension to provide more time to file, the final deadline is October 15th, which is now approaching. Such a campaign is likely to net an unwitting victim who is not aware of such scams, especially if they are a non-resident alien unfamiliar with US laws and procedures.
Before we take a look at this attack, however, it is important to remind everyone that the IRS never conducts any correspondence with taxpayers via email, which is the single most important indication that this is a phishing attack. A copy of the email being sent out is reproduced below (figure 1):
Anatomy of the Attack
At first glance, this seems to be a rather convincing email from the phisher. The formal language and basic template (full of lengthy descriptives, no graphics, and no links) mimics a document issued by a government agency, and the form labeled “W-8BEN Form.PDF” masquerades as an official W-8EN document from the IRS, which according to Wikipedia is a document used by foreign persons (including corporations) to certify their non-U.S. status. Filing this form establishes that one is a non-resident alien or foreign corporation, thereby avoiding or reducing tax withholdings from U.S. source income, such as rents from U.S. property, interest on U.S. bank deposits, or dividends paid by U.S. corporations.
Tells and Giveaways
The classic blunder of nearly all phishing email campaigns is grammatical issues and typos, indicative of an attacker who is either careless or for whom English may not be their first language. Such errors in this campaign, however, may be less obvious since it is being targeted at non-resident aliens for whom English may not be their primary language.
Issues include the incorrect name of the Federal agency purported to be sending this notification (the official name used on official correspondence is Department of the Treasury) and numerous grammatical errors in the descriptor sentence generally indicative of a non-native English user.
The inclusion of an interesting string appended before USA and after Resident is another dead giveaway:
The Fake PDF File Attachment
As annoying and damaging as any malicious phishing or spearphishing email campaign can be, the good news resulting from our analysis is that the PDF file attached to the email is clean, meaning it did not contain any detectable embedded executables. Again, while the PDF file appears at first glance to be an official document, it is critical to remember that the IRS never sends official correspondence via email.
A cursory glance of the attached PDF form may indicate to the casual observer that it is a legitimate document. It is nondescript and has many of the routine features of an official document originating from a government agency.
However, closer inspection reveals that this PDF not only appears to be scanned but also includes a number of errors, including: unusual spacing errors, inappropriate use of characters such as questions marks (?) where bullet points should be, alignment issues that appear to have been manually manipulated or photocopied poorly, and significant spelling errors, such as “inc one” rather than “income.”
Another tell is that while this document states that its last revision was February 2018, the look and feel is not that of a digital document (specifically those found on IRS.gov). Finally, the fonts are mismatched on the form, especially the “FAX TO: 1 877 917 3730” direction at the bottom, which is colored in blue and is in a different font style and size. This is another dead giveaway for this poorly crafted campaign.
Also, a search on the FAX TO number (877) 917 3730 reveals logged complaints over the past two weeks (at the time of writing):
Interestingly, this phishing campaign was sent from a server originating out of Italy, rather than from a US location. However, we cannot tell if this is the attacker’s address, an intentionally compromised device, or simply a misconfigured or vulnerable server that is being used to obscure the attacker’s location and identity.
Other Data Points
While tracking this campaign, we also observed a spike in activity on September 5th, 2018.
Countries that received this mass phishing email include:
· Czech Republic
· United States
Because this phishing campaign specifically targets non-resident US aliens, recipients may not notice the numerous grammatical and spelling errors in this document as both the phishing email and attached form have the look and feel of an official document. Individuals who fill out this form and fax it to the number indicated at the bottom, however, will have provided critical PII to the cybercriminals conducting this campaign.
Email Security and the Security Fabric
As a central component of the Fortinet Security Fabric, FortiMail is a key protection point against new, previously unseen threats that use email as their attack vector. FortiMail provides multiple layers of threat prevention that enable the interception and neutralization of email-borne threats such as the one described in this report.
A key feature of the Fortinet Security Fabric is its ability to dynamically share threat intelligence across connected devices. Once a threat is identified, malware and malicious URL packages are shared between fabric components, including FortiSandbox, FortiMail, FortiGate and FortiClient so should a threat attempt to utilize other vectors for exploitation it will be detected instantly.
When FortiMail is integrated with FortiSandbox, email attachments and links are opened and executed in a virtual environment. A range of content-based methods then neutralize detected threats, including:
For this particular phishing campaign:
· The IP address of the sender was blacklisted as a spam sender and blocked by the FortiMail Secure Email Gateway.
· The FortiGuard Spam and Virus Outbreak Services used by FortiMail leverage cloud-based machine learning to identify and block new threat outbreaks. These tools also blocked the various forms of this threat within seconds of detecting the start of each campaign.
Avoid becoming a victim of IRS-related scams
Note that the IRS does not :
Taxpayers who receive an IRS-related phone scam or any IRS impersonation should report it to the Treasury Inspector General for Tax Administration at its IRS Impersonation Scam Reporting site, and to the IRS by emailing email@example.com with the subject line “IRS Impersonation Scam.”