As the tax deadline fast approaches, it is important for us all to be aware of the risks that are posed to us by cyber criminals at this time of year. Whether it be identity theft from tax forms, targeting of tax filing providers, or fraudulent returns, there are a number of ways that the tax system can be exploited for criminal financial gain.
As we do each year, DarkOwl analysts have reviewed the activity of cyber criminals on the dark web and dark web adjacent sites and messaging platforms to highlight some of the activities cyber criminals are participating in.
Fraudsters on the dark web will sell step by step guides on how to conduct specific types of identity fraud. The below advertisement from Telegram is soliciting users to contact an individual to buy a tax refund methodology that allegedly bypasses the ID.ME facial recognition verification method that has recently been implemented by the IRS as a fraud prevention method.
DarkOwl analysts have also noted several instances where the technology vendor, ID.ME, has been targeted on stealer log marketplace websites like 2Easy or Russian Market, which may allow threat actors to access accounts of users for fraudulent purposes, as stealer logs usually contain usernames, passwords and session cookies.
Another Telegram post claims to provide buyers with a guide to obtain a Federal Tax refund claiming to offer advice on what bank account you should cash out to and what method to use. They claim that a refund will be guaranteed.
ID.ME is commonly targeted across the darknet. DarkOwl analysts have observed fraudsters selling phishing admin panels for sites like ID.ME, PayPal, and USPS on Telegram as well, meaning that they are able to collect the data of unsuspecting victims who believe they are adding their credentials to a legitimate site. Access to these accounts could mean that a threat actor is able to steal someone’s identity whether that be for tax fraud or other types of financial fraud.
DarkOwl analysts identified threat actors on the popular carding forum 2crd and found an actor advertising counterfeit identification documents, and also included tax return information and common tax forms which could be used to impersonate an individual. It is unclear if these documents are fraudulent in nature or had been stolen from a legitimate owner.
Similar postings were found on another site, ProCRD, offering W2 forms with a 1040 and full info. These documents are being sold for as little as $10. These appear to be sold as part of Fullz, which is a term used by dark web actors to indicate they have the full information for an individual – this usually includes financial information and identity details to be used to conduct identity fraud or financial crime.
A post on a Telegram channel claimed to have W2 forms, tax returns, and pay stubs for sale as well as credit card numbers, Social Security numbers and other sensitive personal information used to conduct fraud. DarkOwl analysts note this advertisement relates to an automated Telegram bot where one can purchase these illicit items. Telegram bots are an effective way to sell illicit items on Telegram because it maintains a certain level of anonymity between the seller and end user.
Another Telegram advertisement was identified which sells similar products, but notes all of the sensitive documents being sold are from other countries like the UAE and European countries. This highlights that it is not just the US that is subject to this type of fraud.
A third similar example from Telegram is shown below. It is important to note, as shown in all of these examples that tax forms are typically sold with other identity fraud products like fullz, credit card numbers, etc. This allows the fraudsters to be more convincing in their fraudulent activities as they have more information which makes them appear legitimate.
The tax fraud community is considerable on Telegram, a search across DarkOwl’s dark web collection for the mention of “tax refund” on Telegram resulted in nearly 100,000 hits. However, Telegram fraudsters will typically also advertise across the darknet and deep web from sites like Royal or Russian Market to ProCRD or WWH Club – often moving to private messaging on Telegram for security.
Telegram is a major medium/vehicle for all types of identity fraud in 2024 because the platform allows for increased security, anonymity (between sellers and end users), as well as more efficient transactions through automated chat bots, rather than processing transactions directly on a .onion site. DarkOwl analysts therefore identify a large amount of this activity on Telegram but cross over from other dark web sites highlighting that similar communities are active on both.
Many individuals will use services in order to file their taxes, as it often removes some of the stress associated with tax season, and hopefully ensures that you maximize your return. However, these organizations are also targeted at this time of year.
A review of Stealer Logs collected by DarkOwl highlighted several instances in the last several months where credentials for these organizations were stolen. Allowing actors to access sensitive information and conduct fraudulent filings.
There are also Telegram channels which offer buyers the chance to obtain tax refunds through TurboTax.
Ransomware attacks continue to be prevalent in 2024, with many companies subject to attack, one group PLAY, like many other groups, post their victims details on their leak site as well as details about what information they have relating to them.
In almost all of the posts relating to their victims the group claim to have information relating to taxes, likely both the company taxes as well as employees’ details. Some of them also claim to have evidence of tax evasion.
If/when these details are released by the ransomware group that information can be used by other threat actors to conduct other types of fraud.
Tax season is just another thing that can be used by threat actors to commit fraud against individuals and companies. However, financial fraud can be committed at any time of the year and it is important to protect your personal information by practicing good cyber hygiene, do not reuse passwords, and be vigilant to phishing and malvertising campaigns.
Products
Services
Use Cases