Tax Scams. PHOTO: Cybercrime Magazine.

IRS Tax Deadline Fraud: ’Tis the Season to Be Wary

Web properties masquerade as the Internal Revenue Service

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Apr. 11, 2022

Tax-related scams and cybercrime aren’t new, but we know threat actors are not after novelty — they want money. In their annual report for 2021, the Internal Revenue Service (IRS) Criminal Investigation recorded the amount lost to tax fraud at US$2.19 billion. That amount includes the identity theft and tax refund fraud loss.

As the 2022 tax season draws to a close — the deadline is set on Apr. 18 — tax-related malicious activities may intensify. The Domain Name System (DNS) gave us a glimpse of this possible escalation.

We found several tax-related domains and subdomains that threat actors could mobilize as vehicles for phishing and credential theft at any time. Some of the cyber resources are dormant (i.e., parked and inactive), while others are live and host questionable content. You may download the complete list of tax-related domains and subdomains, along with other data points, from our website.

Don’t Give Your Tax Details to the Wrong Taxman

Threat actors behind tax-related fraud incidents often steal the identities of legitimate taxpayers so they can claim tax refunds and receive other government payments in their stead. The first step is to obtain taxpayer details through phishing and similar activities.

Since the beginning of the year, we have seen more than 1,600 domains and subdomains that could be used in tax-related credential theft campaigns. Alarmingly, 12 percent of these properties have already been flagged as malicious by several malware engines. Threat actors have already weaponized them.

Several of the web properties begin with the string “irs,” likely in an effort to masquerade as the tax collection agency. Here are a few examples:

  • irs-gov-return-tax[.]com
  • irs-usa-profiletax[.]com
  • irs-home-taxservices[.]com
  • irs-profile-tax-reliefs19[.]com
  • irs-profilegov[.]com
  • irs-informations-payroll-gov[.]com
  • irs-profile-refund-homepage[.]com
  • irs-profile-refund-information[.]com

Accessing these domains may no longer be possible since common computer security programs block malicious properties. But that doesn’t mean they have all been taken down. In fact, a few of the malicious domains still host or redirect to web pages that host legitimate-looking content, such as:

And how about the digital properties that haven’t been reported at the time of writing?

Several of the tax-related cyber resources we gathered shared the same characteristics as the malicious ones. Dozens even share the same IP addresses and host the same type of content, including those that were exact replicas of the official IRS website. Here are some screenshots as of Mar. 23, 2022:

Others are more straightforward and directly asked visitors to provide their details, such as:

Unmasking IRS Impersonators

Government agencies, financial institutions, and the cybersecurity community endlessly warn individuals and entities against tax-related fraud, phishing campaigns, and other cybercrime. These efforts are best supplemented with proactive cyber defense — teach security solutions to strip down tax-related resources and expose their origins, connections, and infrastructure. Domains that share the characteristics and infrastructure of confirmed threats should thus be treated with suspicion.

We cite one group of domains from our study as an example. There are 45 tax-related domains and subdomains in this group, each resolved to the same IP address — 162[.]240[.]46[.]188. Ten domains have already been flagged as malicious, while the others are deemed safe to access. But as you can see in the table below, several of the domains and subdomains in the group use the same text strings.

Some subdomains also had the same root domain so they shared similar WHOIS records. They also used the same privacy redaction method, nameservers, and registrar.

Waiting for threat actors to mobilize suspicious cyber resources would be like setting our own traps. Any of them can lure our relatives, neighbors, employees, accountants, and many others into providing sensitive information to the wrong taxman.

WhoisXML API’s WHOIS and DNS intelligence can uncover and attribute suspicious domains related to NFT and other mechanisms favored by scammers. Contact us for more information.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds.  WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.