Written By Michael Steward And Presented By Charles Leaver CEO Ziften
IRS Hackers Make Early Returns Because of Previous External Attacks
The Internal Revenue Service breach was the most special cyber attack of 2015. Timeless attacks today include phishing e-mails aimed to get initial access to target systems where lateral motion is then carried out up until data exfiltration happens. However the Internal Revenue Service hack was various – much of the data needed to perform it was already obtained. In this case, all the attackers had to do was walk in the front door and file the returns. How could this occur? Here’s exactly what we know:
The Internal Revenue Service website has a “Get Transcript” feature for users to recover previous income tax return information. As long as the requester can offer the appropriate information, the system will return past and present W2’s and old income tax returns, and so on. With anybody’s SSN, Date of Birth and submitting status, the hackers might begin the retrieval process of past filing year’s details. The system also had a Knowledge Based Authentication (KBA) system, which asked questions based upon the asked for users credit report.
KBA isn’t really fool proof, though. The questions it asks can many times be guessed based upon other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the list of cars have you owned?”
After the dust settled, it’s estimated that the hackers tried to gather 660,000 transcripts of previous tax payer information by means of Get Transcript, where they succeeded in 334,000 of those efforts. The not successful attempts appear to have actually gotten as far as the KBA questions where the hackers cannot offer the correct responses. It’s estimated that the hackers made away with over $50 million dollars. So, how did they do it?
Security researchers theorize that the hackers utilized info from previous attacks such as SSNs, DOBs, addresses and filing statuses to try to get prior income tax return info on its target victims. If they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, oftentimes increasing the withholdings quantity on the income tax return form to get a larger return. As pointed out previously not all attempts succeeded, however over 50% of the attempts resulted in significant losses for the Internal Revenue Service.
Detection and response systems like Ziften are focused on recognizing when there are jeopardized endpoints (such as through phishing attacks). We do this by offering real-time visibility of Indicators of Compromise (IoC’s). If the theories are correct and the cyber attackers utilized info gleaned from previous attacks outside of the Internal Revenue Service, the compromised businesses might have benefited from the visibility Ziften offers and reduced against mass-data exfiltration. Ultimately, the Internal Revenue Service seems to be the vehicle – rather than preliminary victim – of these cyber attacks.