Secureworks warns of cybercriminals targeting US stimulus funds

(Image Credit: Engin Akyurt from Pixabay)

Secureworks has warned that it is seeing threat actors buying and selling details of US taxpayers to steal COVID-19 stimulus funds. The US Government is sending out US$1,200 cheques to US taxpayers as part of its pandemic relief support. The Counter Threat Unit (CTU) Research Team at Secureworks says it has: “observed an increase in tax identity theft aimed at fraudulently obtaining stimulus checks.”

The CTU has seen posts in underground forums offering paystubs and tax forms. These can be used to apply for stimulus relief checks. It has published details of some of these such as Telegram user @TheMansion and a threat actor called DoctorZempf. Both are offering documents to help people commit identity theft to steal checks.

Other cybercriminals are looking for partners to help them commit identity theft and steal stimulus checks. One such threat actor using the name coronaprofit claims to have thousands of “fresh fullz and drop methods.” Fullz is a term used to describe a package containing individuals’ identity data. It contains everything required to digitally impersonate that individual. Having fresh fullz means that these have not been used before and are likely to be valuable.

Rather than sell the fullz, coronaprofit has advertised for a partner with “knowledge/experience on creative stimulus cashout methods.” In effect, they want someone who can help them use the stolen identity data to steal money. While the first target will be the stimulus checks, it is unlikely to stop there. Success will provide a platform for further exploitation of the victims’ identity.

An increase in IRS-themed phishing attacks

Phishing emails and pages disguised as IRS tax forms are also being used to steal taxpayers' identities. Many of them look identical to the real forms, except the data is not sent to the IRS. It is harvested and used by the threat actors to impersonate the victim on the official IRS site. This increases the chance of them stealing stimulus checks.

Threat actors are selling the data needed to create tax profiles in packages. Among the data on offer are:

  • IRS Form W-2
  • 2019 Paystub (December) which is used to calculate annual wage and other deductions
  • Employer details (name, address, zip code, Employer Identification Number)
  • Employee details (name, address, SSN, marital status)

These packages cost from $20 each for 1-10 data packages. It drops to $10 each for purchases of 50-99. For those who want larger numbers of packages, Secureworks has seen auctions where the starting price is $7,000 for the data required to create 40,000 tax profiles.

Auction for tax database details (Image Credit: Secureworks)

Secureworks publishes advice to avoid identity theft

CTU researchers have listed five things that taxpayers can do to minimise the risk of identity theft:

  1. Implement multi-factor authentication for Internet-facing resources that store financial information, personally identifiable information (PII), and corporate or personal email addresses.
  2. Protect customers' data with up-to-date secure encryption.
  3. Train employees to recognize and report phishing attempts that use email or malicious advertisements to try to steal sensitive information.
  4. Institute processes to verify the legitimacy of requests for PII, financial information, or account updates by using previously established out-of-band channels such as the telephone.
  5. Dispose of sensitive information securely (e.g., shredding paper documents).

It has also said that victims should report any incidents to the IRS and credit agencies quickly to limit the damage.

Enterprise Times: What does this mean

Identity theft has been on the increase for some time. In the current pandemic, it is not surprising that this crime is seeing a substantial rise. Those who have limited Internet access or who are not security-aware are often easy victims.

This is exacerbated by the IRS admitting to sending out stimulus checks to people who have recently died. Attackers will be looking to exploit that particular issue. One way is to monitor hospitals and care homes to get the names of those who have died. It allows them to make fake returns before the IRS updates its records. This is made worse for relatives who have not only lost a family member, but from whom the IRS will try to recover the money.

Protecting against identity theft is not that easy today. However, the steps outlined above by the CTU researchers provide a starting point. What they exclude is the monitoring of credit agency reports and using identity theft protection schemes. While not all of the latter are effective, they do provide some warning that something is amiss.

