Scammers, profiteers, and shady sites? It must be tax season

US tax season is upon us, a time of the year when a special kind of vermin comes crawling out of the woodwork: tax scammers! Not that their goals are any different from any other scammers. They want your hard-earned dollars in their pockets.

Most of the tax-related attacks follow a few tried and true methods: A phishing email or scam call from someone purporting to be from the IRS, or an accountant offering to help you get a big refund. With all the financial and personal data to be had, it’s a time to keep a close eye on who you give your details to.

Below is a real example you can use as a guide to the things you need to consider if you decide to use an online tax filing service.

Online tax services

This blogpost was triggered by a web push notification I got from a search hijacker from the SearchDimension family I was investigating. Many search hijackers in this family also use notifications, which qualifies them as adware.

web push notification

It’s not that I recognized the form displayed in the notifications, but I knew the notification would likely be aimed at US users of the extension I was investigating since I had set my VPN to New York.

Malwarebytes Privacy

Anyway, the thought of someone providing their financial status and personal data to a website that was advertised in this manner gave me the creeps.

The website

The full URL behind the “Click Here” field was:

https://www.e-file.com/offer.php?utm_medium=affiliate&utm_source=cake&utm_campaign=intango&utm_content=2648&pid=&utm_term=84733016804____&utm_medium=affiliate&lctid=&lcid=

The items after the question mark are Google Analytics campaign tracking parameters that help a website understand where its traffic is coming from. In this case the site appears to be using them so it can attribute traffic to different affiliates (presumably so the site knows how much to pay them).
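
As an added illustration (not part of the original post, and not code from e-file.com or Malwarebytes), this Python snippet breaks the URL above into its campaign tags and its remaining parameters, and flags repeated or empty ones. The function name and report layout are assumptions made for the example.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# The five classic utm_* campaign parameters used by Google Analytics.
UTM_KEYS = {"utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content"}

# The URL quoted in the post, split across lines for readability only.
NOTIFICATION_URL = (
    "https://www.e-file.com/offer.php?utm_medium=affiliate&utm_source=cake"
    "&utm_campaign=intango&utm_content=2648&pid=&utm_term=84733016804____"
    "&utm_medium=affiliate&lctid=&lcid="
)


def analyze_landing_url(url):
    """Separate campaign tags from other query parameters (hypothetical helper)."""
    parts = urlsplit(url)
    # keep_blank_values=True so empty parameters such as "pid=" are not dropped.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    counts = Counter(key for key, _ in pairs)

    campaign, other = {}, {}
    for key, value in pairs:
        bucket = campaign if key in UTM_KEYS else other
        bucket.setdefault(key, value)  # keep the first occurrence of a repeated key

    return {
        "host": parts.hostname,
        "path": parts.path,
        "campaign": campaign,  # who gets credited for the click
        "other": other,        # not utm_* tags; the post does not say what they are
        "repeated": sorted(k for k, n in counts.items() if n > 1),
        "empty": sorted({k for k, v in pairs if v == ""}),
    }


if __name__ == "__main__":
    report = analyze_landing_url(NOTIFICATION_URL)
    print("Landing page:", report["host"] + report["path"])
    for name, value in report["campaign"].items():
        print(f"  {name} = {value}")
    print("Repeated parameters:", report["repeated"])
    print("Empty parameters:", report["empty"])
```
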

A click on that link in the notification brought me to this site:

e-file.com website

Note that I went from free to a 30% discount in just one click. A bad start! Some digging revealed that the domain e-file.com originally belonged to a record shop called “Vinyl Junkie.” The internet archive has a first snapshot dating back to October of 2000. In 2005 the domain had switched to an outfit selling software to organize and store files. The first snapshot promoting an online tax filing service shows up in 2010.

Phishing sites tend not to hang around that long, so while the domain’s history is certainly interesting, it is not in itself a bad sign.

Affiliates

Another interesting piece of information can be found in the page about their affiliate program.

e-file.com affiliates program

There is no indication that e-file is using search hijackers itself. In this case it seems as if an affiliate is, and e-file may not know that it has an affiliate doing that. But offering the most aggressive payouts (“double what many of our competitors pay!”), even when the customer does not spend any money, is exactly what attracts the most obnoxious advertisers on the web.

We asked Dr. Fou of FouAnalytics to have a look at the affiliate program details and the notification I clicked on, and this is what he told us:

Anyone running or using affiliate programs to drive more leads and sales should carefully review who is sending the links, leads, and sales. This is clearly an example of scammers taking advantage of an affiliate program and using shady techniques to get paid. They are trading off of your good name, and consumers will think you scammed them. This is just like malvertising that happens on mainstream publishers’ sites; the consumers think the publisher compromised their device because they didn’t realize the malicious code came in through an ad served into the page.

Reviews

One way to find out more information about a company or site is to look for reviews from other users. When we did this for e-file.com, we found many complaints that might indicate that their services are not always as free as they claim.

e-file.com review

Other reviews speak of missed opportunities for a refund and a lack of service. Bad reviews aren’t proof of wrongdoing though, and you may say: “OK, what did you expect from a free service?” If a service is offered for free, but it still promises to pay its affiliates high rates, that money is coming from somewhere.

Speaking for myself, I am not sure a free service is how I would try to save money in tax season.

ID theft

We are not accusing e-file of being up to no good, but one of its affiliates is. And they are not the only ones trying to make a quick buck from you in tax season. Chief among them are ID thieves.

Scammers like tax season because people don’t like tax, many are baffled by it, lots of people will be in a hurry or looking for ways to make it easier, and in the end they will have to hand over a lot of personal information.

For those that have no idea what information you do (and don’t) need to provide when you file your taxes, here is a pretty extensive list. Remember that a social security number, birth date, and a bank account number are all the information a cyber-criminal needs to perform identity theft. And the consequences of that theft can be devastating. Identity theft is not to be taken lightly. It can take years to recover from and be very costly. A good resource for information about it is the ITRC.

So, it is wise to do some research before you trust any website with your personal details (and not just those that help with your tax).

And even if a service is legitimate, you should consider how secure your data will be if you entrust it to them. If the data gets exposed in a breach, the result for you is practically the same as if it had been sold anyway.

You can find more general tips to stay safe in tax season in our blogpost Coughing in the face of scammers: security tips for the 2020 tax season.

Stay safe, everyone!

The post Scammers, profiteers, and shady sites? It must be tax season appeared first on Malwarebytes Labs.
