In All Probability Compromised Endpoints Will Have Started The IRS Hack – Charles Leaver

By | February 22, 2016

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Because of Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails intended to gain initial access to target systems, followed by lateral movement until data exfiltration takes place. But the IRS hack was different: much of the data needed to perform it had already been obtained. In this case, all the hackers needed to do was walk in the front door and submit the returns. How could this happen? Here’s what we know:

The Internal Revenue Service site has a “Get Transcript” function for users to obtain previous tax return information. As long as the requester can supply the right details, the system will return past and current W-2s, old tax returns, and so on. With anybody’s SSN, birth date and filing status, the attackers could start retrieving prior filing years’ information. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requesting user’s credit report.

KBA isn’t foolproof, though. The questions it asks can often be predicted from other details already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following automobiles have you owned?”

After the dust settled, it’s estimated that the hackers attempted to gather 660,000 transcripts of past taxpayer information through Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers could not provide the correct answers. It’s estimated that the attackers got away with over $50 million. So, how did they do it?

Security researchers think that the attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to try to obtain previous tax return details on their target victims. If they succeeded and answered the KBA questions correctly, they submitted a return for the 2015 calendar year, often inflating the withholdings amount on the tax return form to obtain a larger refund. As noted above, not all attempts were successful, but over 50% of them were, resulting in major losses for the Internal Revenue Service.
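As an added illustration, not part of the original post or of Ziften’s product, the following script shows how a defender could spot the pattern described above in a Get Transcript-style service’s own logs: a single source cycling through many account identifiers while failing the KBA step at a high rate. The log format, field names, addresses and outcomes are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample events: timestamp, source address, hashed account id,
# and the outcome of the knowledge-based-authentication (KBA) step.
SAMPLE_LOG = """\
2015-02-01T09:00:01 198.51.100.7 acct-0001 KBA_PASS
2015-02-01T09:00:02 198.51.100.7 acct-0002 KBA_FAIL
2015-02-01T09:00:03 198.51.100.7 acct-0003 KBA_FAIL
2015-02-01T09:00:04 198.51.100.7 acct-0004 KBA_PASS
2015-02-01T09:00:05 198.51.100.7 acct-0005 KBA_FAIL
2015-02-01T09:00:06 198.51.100.7 acct-0006 KBA_FAIL
2015-02-01T09:05:00 203.0.113.12 acct-0100 KBA_PASS
2015-02-01T10:00:00 203.0.113.99 acct-0200 KBA_FAIL
"""

def parse_events(log_text):
    """Yield (source, account, passed) from whitespace-separated log lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, source, account, outcome = parts
        yield source, account, outcome == "KBA_PASS"

def source_stats(log_text):
    """Per-source attempt count, KBA failure count and distinct accounts touched."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set()})
    for source, account, passed in parse_events(log_text):
        s = stats[source]
        s["attempts"] += 1
        s["failures"] += 0 if passed else 1
        s["accounts"].add(account)
    return stats

def flag_sources(log_text, min_accounts=3, min_fail_rate=0.3):
    """Flag sources that touch many distinct accounts AND fail KBA often.

    A legitimate user normally requests one account's transcript from one
    address; a source cycling through many accounts with a high KBA failure
    rate matches the partially-correct-stolen-data pattern described above.
    """
    flagged = {}
    for source, s in source_stats(log_text).items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[source] = {"attempts": s["attempts"],
                               "fail_rate": round(fail_rate, 3),
                               "accounts": len(s["accounts"])}
    return flagged

def overall_failure_rate(log_text):
    """Service-wide KBA failure rate; a sudden jump is itself an alerting signal."""
    events = list(parse_events(log_text))
    failures = sum(1 for _, _, passed in events if not passed)
    return failures / len(events) if events else 0.0

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

Thresholds are deliberately parameters: tune `min_accounts` and `min_fail_rate` against a baseline of normal traffic before alerting on them.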

Detection and response services like Ziften are aimed at recognizing when endpoints have been compromised (for example, through phishing attacks). We do this by supplying real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information obtained from earlier breaches outside the Internal Revenue Service, the compromised businesses could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.
