Monthly Archives: February 2017

IRS Cautions of New W-2 Phishing Scam

Tax season is upon us, which means it is time for the Internal Revenue Service (IRS) to release its “Dirty Dozen” scam list for 2017. This annual list features numerous schemes taxpayers may encounter throughout the year, though most occur during tax season.

It is no surprise that phishing scams are at the top of the list. Earlier this month, the IRS warned about a very refined and evolving W-2 scam that is targeting school districts, corporations, hospitals, nonprofits and regular taxpayers. According to the IRS, this particular phishing scam does not impersonate the IRS. Instead, scammers pose as a company executive and send an email to the company’s payroll department. The email requests a list of employees and their W-2 information, which gives the scammer access to the employees’ personal and tax information.
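A payroll mailbox can be screened for the pattern described above. The following is an added example, not code from the IRS or from this blog: the company domain, the executive directory, the keyword pattern and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organisation data; replace with your own directory.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana smith": "dana.smith@example.com"}
W2_REQUEST = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)

# Constructed sample: executive name, look-alike domain, W-2 request.
SAMPLE = """\
From: Dana Smith <dana.smith@examp1e-mail.test>
Reply-To: payroll.help@mailbox.test
To: payroll@example.com
Subject: Urgent request

Please send me the W-2 forms for all employees today.
"""


def w2_request_flags(raw):
    """Return reasons a message looks like a spoofed executive W-2 request."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    if not W2_REQUEST.search(text):
        return []  # not a W-2 request, out of scope for this check
    flags = []
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        flags.append("executive display name with unknown address")
    if not addr.lower().endswith("@" + COMPANY_DOMAIN):
        flags.append("sender outside company domain")
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    return flags


if __name__ == "__main__":
    print(w2_request_flags(SAMPLE))
```

An empty result only means none of these header checks fired; a W-2 request that passes them should still be confirmed with the executive through a separate channel before any data is sent.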

IRS Commissioner John Koskinen commented, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

According to the IRS website, the list also includes:

  • Phishing: Fake emails or websites that attempt to steal personal information.
  • Phone Scams: Calls from criminals pretending to be IRS agents.
  • Identity Theft: Criminals file fraudulent returns using a stolen Social Security number.
  • Return Preparer Fraud: Be aware of dishonest return preparers.
  • Fake Charities: Be aware of criminal groups acting as charitable organizations to receive donations from innocent contributors.
  • Inflated Refund Claims: Taxpayers should be wary of anyone promising inflated refunds.
  • Excessive Claims for Business Credits: Avoid claiming the fuel tax credit, a tax benefit usually unavailable to most taxpayers.
  • Falsely Filling Deductions on Returns: Avoid the temptation to falsely raise deductions or expenses on your returns to pay less than you owe or possibly receive greater refunds.
  • Falsifying Income to Claim Credits: Don’t let scammers talk you into inventing income to wrongly qualify for tax credits, such as the Earned Income Tax Credit.
  • Abusive Tax Shelters: Don’t use abusive tax structures to dodge paying taxes.
  • Frivolous Tax Arguments: Don’t use frivolous tax disputes to avoid paying taxes.
  • Offshore Tax Avoidance: Rules on money and income in offshore accounts are being enforced more and more heavily.

Koskinen advises people to avoid opening emails or clicking on websites claiming to be from the IRS. He also reminds taxpayers that if it sounds too good to be true, it probably is. In addition to Koskinen’s advice, cybersecurity expert Vinny Troia, CEO of NightLion Security, adds, “Cyber criminals are getting smarter. Make sure you’re using strong, tricky passwords to protect your personal information and networks. All sensitive information should be backed up with two-step authentication, which helps prevent cyber criminals from hacking into a system. Be completely sure your network has no vulnerabilities these hackers can exploit; my team offers 24/7 emergency service to companies who have been exploited.”


Banks, Globally, Attacked by Fileless Malware

Banks around the world are being infected with a new form of fileless malware. This type of malware is effectively invisible: it lies undetected in memory on a bank’s network, gathering passwords and administrative information. The malware then feeds this data back to the hackers, who use it to control the bank’s computer system remotely.

According to Kaspersky Lab, which discovered the new form of malware, it has been reported at 140 different enterprises in 40 different countries, including banks, telecoms and government institutions. The United States was hit the hardest, with 21 reported incidents.

“What is interesting here is that these attacks are ongoing globally against banks themselves,” Kaspersky Lab expert Kurt Baumgartner told Ars Technica late last week. Baumgartner went on to explain, “The banks have not been adequately prepared in many cases to deal with this.”

Fileless malware attacks are becoming more common than anyone imagined, which is why cyber security has become such an important tool. Digital forensics firms such as NightLion Security offer malware detection and removal with 24/7 service. Vinny Troia, CEO of the St. Louis digital forensics firm, commented that banks are being targeted because they do not have the proper security in place to protect them against this type of invisible malware distribution.

Kaspersky Lab is unsure who is behind the attack or if it is more than one group using the same tools. They plan on releasing their findings later today.

Whoever is behind these attacks is focusing on computers that run automatic teller machines and “pushing money out of the banks from within the banks,” explains Baumgartner. He goes on to say that many of these attacks varied in the way they were executed, which is why they think numerous groups could be involved.

Gmail Forbids JavaScript Attachments

As of February 13, Gmail is no longer allowing emails to be sent with a JavaScript attachment. Gmail restricts numerous file attachments for security purposes and now .js files have been added to the list.

“JavaScript files have been the main source of malware viruses within the past few years,” says NightLion Security CEO Vinny Troia. This is exactly why Google has begun forbidding .js attachments.

That being said, Gmail users should keep in mind that malware can be found in other file attachments that are not yet part of Gmail’s restricted list. According to iTech Post, malware is reported to have switched from JavaScript to SVG attachments and malicious LNK files. The malware is embedded in ZIP archives with malicious PowerShell scripts attached.

Per security experts, PowerShell is a scripting language built into Windows and used to automate administration tasks. These scripts have been used to download malware in the past, and some malware programs are written entirely in PowerShell.

Regardless of this switch, by blocking emails with JavaScript attachments Gmail is eliminating one of the main channels of malware delivery. Nonetheless, if you need to send a .js file for a legitimate purpose, you can do so using Google Drive, Google Cloud Storage or other types of storage solutions.
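Because the file types named above travel inside ZIP archives, an attachment filter has to check archive members as well as top-level file names. The following is an added example, not Gmail's implementation or code from this blog: the blocklist, the size and nesting limits, and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed local policy: ".js" is what the article says Gmail now blocks; the
# rest are the types it says malware moved to. Limits are assumed values.
BLOCKED = {".js", ".svg", ".lnk", ".ps1"}
MAX_DEPTH, MAX_MEMBER = 2, 10 * 2**20   # archive nesting, bytes per member

def scan_blob(name, data, depth=0):
    """Return names of blocked files, looking inside ZIP archives."""
    ext = PurePosixPath(name.replace("\\", "/")).suffix.lower()
    hits = [name] if ext in BLOCKED else []
    if data is None or not data.startswith(b"PK\x03\x04"):
        return hits                      # not a ZIP, whatever it is called
    if depth >= MAX_DEPTH:
        return hits + [name + " (nested too deep, not inspected)"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Encrypted or oversized members are judged by name only.
                skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER
                inner = None if skip else zf.read(info)
                hits += scan_blob(f"{name}!{info.filename}", inner, depth + 1)
    except zipfile.BadZipFile:
        hits.append(name + " (unreadable archive)")
    return hits

def scan_message(raw):
    """Scan every attachment of an RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [hit for part in msg.iter_attachments()
            for hit in scan_blob(part.get_filename() or "unnamed",
                                 part.get_payload(decode=True))]

def build_sample():
    """Constructed message: a ZIP with a shortcut inside, plus a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.LNK", b"constructed placeholder")
        zf.writestr("docs/readme.txt", b"hello")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"// constructed", maintype="application",
                       subtype="javascript", filename="notes.js")
    return msg.as_bytes()
```

Archives are recognised by their leading bytes rather than by extension, so a renamed ZIP is still opened; anything that cannot be inspected is reported rather than passed silently.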

A good rule to live by is if you don’t know a file type or what it does, don’t open it.

Google Ordered to Deliver Foreign Emails

On February 4, a United States judge ruled that Google must surrender customer emails stored on servers outside of the U.S. The ruling comes just months after Microsoft received an opposite verdict in a similar case.

United States Judge Thomas Rueter ordered Google to comply with the FBI search warrants. The judge reasoned that transferring the emails from a foreign server to the U.S. would cause “no meaningful interference” with Google’s “possessory interest” in the requested information.

“Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States,” Rueter ruled.

Google cited Microsoft’s ruling as precedent, and stated that it had complied with the FBI’s warrants by turning over the requested data that it knew was stored in the U.S.

The issue, for both Google and Microsoft, stems from the Stored Communications Act, a 1986 federal law that restricts publication of wire and electronically stored information held by Internet Service Providers. Many technology companies and privacy advocates regard the law as outdated.

This case is not over yet: Google plans to appeal the ruling. It released a statement saying, “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants.”

IHG Announces Full List of Properties in Credit Card Breach

InterContinental Hotel Group (IHG), parent company of Crowne Plaza and Holiday Inn, announced its full list of properties impacted by the credit card breach last year. According to IHG, between August 2016 and December 2016 malware was found on its servers used to process credit cards.

According to IHG’s report, “Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties. Cards used at the front desk of these properties were not affected.”

The report goes on to say the malware searched for track data, including cardholder name, card number, expiration date, and internal verification code, which was taken from the magnetic stripe of the card as it was being transmitted through the affected server.

Malware has been the source of most of the credit card breaches in recent years. It is usually installed through hacked remote administration tools, according to KrebsOnSecurity. Once the malware is installed on the devices, the attacker can remotely gather data from each card swiped on that device. The stolen data can then be encoded onto any card with a magnetic stripe and used for purchases.

IHG has been working with security firms to review their current security policies, confirm that the affected servers have been remediated and evaluate how to enhance their security. “We have also notified law enforcement and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards,” says IHG.

The investigation is ongoing and no one knows the actual scope of this breach.

If you were a patron at any of the affected areas between August 2016 and December 2016, please watch your credit card statements carefully and report any fraudulent charges to your credit card company immediately.