Amidst Rising Tax Refund Fraud, Consumers Need Better Dark Web Intelligence

Cybercrime Intelligence

Tax Fraud, Dark WEBINT, ATO, Carding, P2P, IDProtect

A recent study commissioned by financial industry consultants Javelin Strategy and Research estimated that 15 million U.S. consumers had their identities stolen last year, amounting to $24 billion in losses. Javelin also found that identity fraud scams involving direct contact between criminals and victims totaled $28 billion in losses and victimized 27 million consumers in the U.S.

ID fraud scams are on the rise largely because of the pandemic’s disruption of consumer behavior, which spawned a mass migration to digital-first commerce, banking, and payments.

Some of the most common illicit actions performed by scammers after a successful account takeover (ATO) attack are fraudulent credit card transactions (carding), peer-to-peer (P2P) transfers via mobile payment apps, and altering the victim’s contact information. In the wake of the Russia-Ukraine war, fraud intelligence specialists Gemini Advisory have assessed that carding risks will increase.

The “current political and socioeconomic dynamics occurring within Russia indicates that these dynamics are creating conditions conducive to an increase in card fraud by Russia-based actors,” said a recent Gemini report. Gemini emphasized that “members of Russia’s large and highly skilled IT community to supplement or replace lost income through cybercrime, including the compromise and sale of payment cards.” Beyond the persistent threat of card-enabled ID theft, tax-related identity theft is becoming an increasingly attractive scam for threat actors.

This ID theft typology entails the illicit use of people’s names, addresses, stolen social security numbers, and business EINs to file fraudulent tax returns claiming refunds from the Internal Revenue Service.

“No longer a petty crime of opportunity perpetrated by unorganized criminals and unscrupulous tax preparers,” according to the IRS, “tax-related identity theft evolved into a major enterprise by well-funded, technically sophisticated national and international criminal syndicates.” In addition to their expertise in data theft, these cybercriminal networks also possess the “tax savvy” to file convincing refund requests, making this attack vector a particularly lucrative and insidious threat.

A recent study by IPX1031, a qualified intermediary service provider that facilitates the exchange of business investment properties, found that tax-related ID theft reports have surged by 45% since the pandemic struck. The surge of tax-enabled ID theft may explain why attacks targeting consumers aged 55 and older are on the rise, bucking the general trend line, according to Aite Group. This demographic is generally better ensconced in terms of wealth accumulation and naturally makes a more appealing target for cybercriminals.

With stolen data often being trafficked and monetized on dark web cybercriminal forums, American consumers, and especially the older cohort noted above, need to be alert to the threat of the digital underworld. The following article will explain the mechanics of the dark web economy, how to mitigate ID theft risks, and the value proposition of full-spectrum web intelligence (WEBINT) for high-net-worth individuals, families, and taxpayers in general.

The Dark Web Economy

With cyberattacks rising every year, stolen personal identifying information (PII) is one of the most commoditized product offerings on the dark web. Across the cybercriminal forum ecosystem, which is accessible on the surface web for some communities and only via dark net onion sites for more exclusive venues, there is no shortage of stolen PII being solicited by cybercriminal threat actors. Take this recent example from the Breached open-web forum below. On September 12, user ‘papurus’ posted a solicitation for “American data - USA: FULLZ:SSN:DL”.

In hacker parlance, ‘Fullz’ refers to a richly dimensional data set that includes all the general attributes fraudsters need to successfully assume one or more victims’ identities. In this case, the Fullz set includes users’ social security number (SSN), driver’s license digits, home address, email address, birth date, bank account number, and routing number.

Assuming this posting isn’t a scam, something illicit PII buyers must also be on alert for given the types of people they are doing business with, this dataset offers cyber-fraud actors a viable level of ‘depth’ to effectively take over a victim’s account.

In the posting below, threat actor ‘jalbes’ is also advertising stolen PII, recently posting a solicitation on the XSS/Damage Lab cybercriminal forum with the following title: “Selling Fullz with 700+ CS and BG report”. In this case ‘CS’ and ‘BG’ represent credit score and background check, respectively. Illustrating the potential quality of the data being fenced is the pricing by credit score: Fullz sets with a CS in the 700-750 range go for $6, 750-800 for $8, and 800+ for $12 per data set.

In this posting, threat actor “fullzhouse” posted a solicitation on the Exploit cybercriminal forum in July titled “[HQ] Trusted fullz with CS and CR”. CR is shorthand for credit reports. “Today I bring you fullz profiles with Credit Score and Credit Reports in PDF,” writes the threat actor. “CS number, price and CR file included. Don’t ask for details - everything is sold as is. Get it or leave it,” continues the posting.

Even more attractive to carders than these Fullz data sets would be information about the digital fingerprints associated with a prospective victim, including IP address, browser type, device indicators, and at least a hundred other unseen metadata identifiers routinely scraped by online tracking cookies and adtech firms. For cybercriminals, these identifiers are critical to bypassing more sophisticated vendors’ anti-fraud technologies, which are equipped to scrape user data at the most granular level.

But when it comes to the more traditional Fullz PII used by cyber-tax-fraudsters to scam refunds from the IRS, this generally sells for $8 per record, as seen in the XSS post above, with the price increasing based on a victim’s creditworthiness. Meanwhile, stolen credit card data fetches $17.36 per account, according to consumer research firm comparitech. Fraud data buyers purchase stolen PII records in bulk to cast as wide a victim net as possible. For tax-enabled ID theft scammers especially, all they need is one whale to make a good score.

On that note, threat actors today are even advertising “US DB &Full Admin access to tax consultancy for proffesionals...."e-file. Authorize, ssn, all contact infospouse”. See the Exploit posting below by cybercriminal ‘drlogin,’ promising a “very Special DB with Full Admin access to tax consultancy include banks data for tax refund able to edit.” In this context DB stands for database.

ID Theft Risks

When it comes to PII theft, every online user who has submitted their SSN or other data on a digital form is at risk. As the era of zero-trust security has shown (zero trust being the philosophy that no system, data packet, user, or digital asset in general can ever be fully trusted), any IT network can be penetrated and compromised.

According to credit-reporting agency Equifax, people at heightened risk for ID theft include those who reuse online passwords, users who allow their financial data to be easily accessible to others, people who regularly carry their SSN card on their person, individuals who indiscriminately open and click on links from unknown or unfamiliar senders in their email inboxes or text messages, and those who don’t regularly review their financial statements and credit reports.

Another risk factor to be alert for is failing to shred documents that contain PII before disposing of them in the trash, although “trashing,” a practice in which threat actors literally rummaged through a target’s garbage for some data artifact of monetizable value, is much rarer in this generation. Consumers should also be aware that the holiday shopping season has always brought the highest levels of ID theft risk due to increased spending online and in-store, though the latter is less popular today.

The Value of Protective Dark WEBINT

To mitigate the threats posed by tax-fraud-enabled ID theft or any other type of attack facilitated by stolen PII, consumers should engage a specialized service provider with expertise in collecting dark-web intelligence. In simple terms, this discipline entails using artificial intelligence to continuously and autonomously crawl, scrape, and flag cybercriminal forum postings for PII data leaks.

Human analysts then evaluate postings for authenticity before purchasing Fullz data dumps from threat actors. From there, the fraud data is parsed and ingested into vendor systems, which notify customers if their information has been flagged as stolen. Industry-leading dark WEBINT solutions are able to absorb, scale, and process threat data at planetary scale and nanosecond speed, providing risk alerts to end customers that are accurate, timely, and reliable.
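As an added illustration of the pipeline just described (this is example code written for this article, not Resecurity’s code and not how IDProtect is implemented), the Python sketch below shows the two mechanical steps a monitoring service performs: keyword triage of forum post titles, using the underground shorthand quoted earlier in this article, and matching a parsed record dump against a customer watchlist. The forum titles, customer records, dump layout and tenant key are all constructed; the watchlist is stored only as keyed hashes so the service never holds its customers’ plaintext SSNs.

```python
"""Toy dark WEBINT pipeline, added as an illustration: flag forum post titles that
solicit PII, then match a parsed record dump against a customer watchlist held
only as keyed hashes. All names, titles, records, keys and the dump layout are
constructed for this example."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set

# Underground shorthand the article quotes (fullz, SSN, DL, CS, BG, CR, DB);
# a title containing any of these is queued for analyst review.
PII_TERMS = {"fullz", "ssn", "dl", "cs", "bg", "cr", "db"}
_WORD_RE = re.compile(r"[a-z]+")

def triage_post(title: str) -> Set[str]:
    """Return the PII terms present in a post title; an empty set means not flagged."""
    return {tok for tok in _WORD_RE.findall(title.lower()) if tok in PII_TERMS}

def normalize_ssn(raw: str) -> Optional[str]:
    """Keep digits only; anything not exactly nine digits is unusable for matching."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 9 else None

def normalize_email(raw: str) -> str:
    return raw.strip().lower()

def keyed_hash(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over 'field:value'. The secret key stops a leaked watchlist from
    being reversed by hashing all 10^9 possible SSNs (trivial against plain SHA-256),
    and the field prefix keeps an SSN hash from ever colliding with an email hash."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

def build_watchlist(key: bytes, customers: List[Dict[str, str]]) -> Dict[str, str]:
    """Map keyed hash -> customer_id; plaintext identifiers are not retained."""
    watchlist: Dict[str, str] = {}
    for c in customers:
        ssn = normalize_ssn(c["ssn"])
        if ssn:
            watchlist[keyed_hash(key, "ssn", ssn)] = c["customer_id"]
        watchlist[keyed_hash(key, "email", normalize_email(c["email"]))] = c["customer_id"]
    return watchlist

def parse_dump_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one pipe-separated record (constructed layout:
    ssn|dl|address|email|dob|account|routing); malformed lines are dropped."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 7:
        return None
    return {"ssn": parts[0], "email": parts[3]}

def match_dump(key: bytes, watchlist: Dict[str, str], dump_lines: List[str]) -> Dict[str, List[str]]:
    """Return {customer_id: [matched fields]}. Each record is hashed, looked up and
    discarded; only the matched field names survive into the alert."""
    hits: Dict[str, Set[str]] = {}
    for line in dump_lines:
        rec = parse_dump_line(line)
        if rec is None:
            continue
        candidates = []
        ssn = normalize_ssn(rec["ssn"])
        if ssn:
            candidates.append(("ssn", ssn))
        if rec["email"]:
            candidates.append(("email", normalize_email(rec["email"])))
        for field, value in candidates:
            cid = watchlist.get(keyed_hash(key, field, value))
            if cid is not None:
                hits.setdefault(cid, set()).add(field)
    return {cid: sorted(fields) for cid, fields in hits.items()}

# Constructed sample data. The key would be a random per-tenant secret in practice.
TENANT_KEY = b"constructed-demo-key"
SAMPLE_TITLES = [
    "American data - USA: FULLZ:SSN:DL",
    "Selling Fullz with 700+ CS and BG report",
    "[HQ] Trusted fullz with CS and CR",
    "Looking for beta testers for an open-source note-taking app",
]
CUSTOMERS = [
    {"customer_id": "cust-001", "ssn": "123-45-6789", "email": "Alice@Example.com"},
    {"customer_id": "cust-002", "ssn": "987-65-4321", "email": "bob@example.com"},
]
DUMP_LINES = [
    "123456789|D1234567|1 Main St|alice@example.com|1970-01-01|000111222|000000000",
    "555-55-5555|D7654321|2 Oak Ave|carol@example.org|1980-02-02|333444555|000000000",
    "garbage line without separators",
    "00000|X|3 Elm Rd|BOB@example.com|1990-03-03|666777888|000000000",
]

def run_demo():
    """Flag the sample titles and match the sample dump against the sample watchlist."""
    flagged = {t: sorted(triage_post(t)) for t in SAMPLE_TITLES if triage_post(t)}
    hits = match_dump(TENANT_KEY, build_watchlist(TENANT_KEY, CUSTOMERS), DUMP_LINES)
    return flagged, hits

if __name__ == "__main__":
    print(run_demo())
```

The keyword step is a triage filter, not a classifier: short tokens such as “dl” or “db” will produce false positives, which is why the article’s pipeline puts human analysts between flagging and purchase. The matching step deliberately normalizes both sides the same way (digits-only SSN, lower-cased email) before hashing, because a dump written as “123-45-6789” must still hit a watchlist entry built from “123456789”; the record with a malformed SSN still alerts on its email, and the unparseable line is simply dropped.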

What’s more, a higher-dimensional monitoring solution will expand the universe of source environments from the global surface web to the forums and social media platforms that comprise the deep web, and on to the more specialized dark web.

A proficient cyber-threat intelligence provider will have deep expertise in dark web investigations, and access to a specialized, high-reputation black hat source network that can help their analysts discover the latest illicit marketplaces where breach data is being trafficked.

Fusing a unified platform of integrated cybersecurity, threat intelligence, and risk management solutions for individuals and enterprises, Resecurity is a service provider that consumers can trust. Resecurity’s recently launched IDProtect SaaS application helps HNW individuals, families, and everyday consumers achieve greater certainty in their digital security posture.

This device-and-platform-agnostic solution provides users with actionable risk alerts, including early breach warnings and threat-intelligence notifications, global coverage spanning millions of deep and dark web data points, and always-on 24/7 customer support.

Learn more about how IDProtect can help you mitigate the risk of tax-enabled ID theft this filing season today.


Keep up to date with the latest cybersecurity news and developments.

By subscribing, I understand and agree that my personal data will be collected and processed according to the Privacy and Cookies Policy

Cloud Architecture
Cloud Architecture
445 S. Figueroa Street
Los Angeles, CA 90071
Google Maps
Contact us by filling out the form.
Try Resecurity products today with a free trial