The Dirty Dozen Tax Scams of 2008

The IRS has been in the news recently because it's name has been impersonated (spoofed) to phish personal and financial information from people tricked into believing the IRS was going to send them money.

Another recent phishing lure spoofing the IRS name was the upcoming economic stimulus package being promised to the tax paying public. In this case, (too good to be true) promises of money were being sent out by spam spewing zombie computers before the details were finalized in the halls of Congress.

These spam spewing zombie computers are part of a botnet. Botnets are controlled by bot-herders, who are known to rent their services to a wide variety of Internet misfits. Bot-herders often use their botnets to commit criminal activity themselves, also.

Zombie computers are created after their owner clicks on a link in a spam e-mail containing malicious software engineered to take control of their system. In the recent past, there have even been examples of malware being injected into a system after just visiting an infected site.

Please note that most of these phishing ploys are designed to clean out your bank account, run up your credit cards, and or allow a criminal to use your good name to obtain additional lines of credit. The fact that they often turn your computer into a zombie is considered an add-on value to the criminal, who can then use your system to deliver spam (scams) to other unsuspecting people.

Today, the IRS issued it's yearly Dirty Dozen Tax Schemes. Since Internet scammers have been so fond of using the IRS's name, I thought this would be a good subject to blog about.

Please note that from time to time, I get anonymous inquiries about where to report tax fraud in the comments section. I've included information oh how to do this at the bottom if this post.

The IRS is sometimes willing to pay a reward for information leading to the successful resolution of an investigation. Your identity is protected if you choose to remain anonymous, also.

From the press release:

The Internal Revenue Service today issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments.

Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims.

Here is the Dirty Dozen hot off the official press release:

1. Phishing

Phishing is a tactic used by Internet-based thieves to trick unsuspecting victims into revealing personal information they can then use to access the victims’ financial accounts. These criminals use the information obtained to empty the victims’ bank accounts, run up credit card charges and apply for loans or credit in the victims’ names. Phishing scams often take the form of an e-mail that appears to come from a legitimate source. Some scam e-mails falsely claim to come from the IRS. To date, taxpayers have forwarded more than 33,000 of these scam e-mails, reflecting more than 1,500 different schemes, to the IRS. The IRS never uses e-mail to contact taxpayers about their tax issues. Taxpayers who receive unsolicited e-mail that claims to be from the IRS can forward the message to a special electronic mailbox, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Remember: the only official IRS Web site is located at www.irs.gov.

2. Scams Related to the Economic Stimulus Payment

Some scam artists are trying to trick individuals into revealing personal financial information that can be used to access their financial accounts by making promises relating to the economic stimulus payment, often called a “rebate.” To obtain the payment, eligible individuals in most cases will not have to do anything more than file a 2007 federal tax return. But some criminals posing as IRS representatives are trying to trick taxpayers into revealing their personal financial information by falsely telling them they must provide information to get a payment. For instance, a potential victim is told by phone or e-mail that he or she is eligible for a rebate but must provide a bank account number (or similar information) to get the payment. If the target is unwilling, the victim is then told that he cannot receive the rebate unless the information is provided. Individuals should remember that the only way to get a stimulus payment is to file a 2007 tax return. The IRS urges taxpayers to be extra-vigilant. The IRS will not contact taxpayers by phone or e-mail about their stimulus payment.

3. Frivolous Arguments

Promoters of frivolous schemes encourage people to make unreasonable and unfounded claims to avoid paying the taxes they owe. Most recently, the IRS expanded its list of frivolous legal positions that taxpayers should stay away from. Taxpayers who file a tax return or make a submission based on one of these positions on the list are subject to a $5,000 penalty. The most recent update of the list of frivolous positions includes: misinterpretation of the 9th Amendment to the U.S. Constitution regarding objections to military spending, erroneous claims that taxes are owed only by persons with a fiduciary relationship to the United States, a nonexistent “Mariner’s Tax Deduction” related to invalid deductions for meals and the misuse of the fuel tax credit (see below). The complete list of frivolous arguments is on the IRS Web site at IRS.gov.

4. Fuel Tax Credit Scams

The IRS is receiving claims for the fuel tax credit that are unreasonable. Some taxpayers, such as farmers who use fuel for off-highway business purposes, may be eligible for the fuel tax credit. But some individuals are claiming the tax credit for nontaxable uses of fuel when their occupation or income level makes the claim unreasonable. Fraud involving the fuel tax credit was recently added to the list of frivolous tax claims, potentially subjecting those who improperly claim the credit to a $5,000 penalty.

5. Hiding Income Offshore

Individuals continue to try to avoid paying U.S.taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore debit cards, credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance plans. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions.

6. Abusive Retirement Plans
The IRS continues to uncover abuses in retirement plan arrangements, including Roth Individual Retirement Arrangements (IRAs). The IRS is looking for transactions that taxpayers are using to avoid the limitations on contributions to Roth IRAs. Taxpayers should be wary of advisers who encourage them to shift appreciated assets into Roth IRAs or companies owned by their Roth IRAs at less than fair market value. In one variation of the scheme, a promoter has the taxpayer move a highly appreciated asset into a Roth IRA at cost value, which is below annual contribution limits even though the fair market value far exceeds the amount allowed.

7. Zero Wages

Filing a phony wage- or income-related information return to replace a legitimate information return has been used as an illegal method to lower the amount of taxes owed. Typically, a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 is used as a way to improperly reduce taxable income to zero. The taxpayer also may submit a statement rebutting wages and taxes reported by a payer to the IRS. Sometimes fraudsters even include an explanation on their Form 4852 that cites statutory language on the definition of wages or may include some reference to a paying company that refuses to issue a corrected Form W-2 for fear of IRS retaliation. Taxpayers should resist any temptation to participate in any of the variations of this scheme.

8. False Claims for Refund and Requests for Abatement

This scam involves a request for abatement of previously assessed tax using Form 843, “Claim for Refund and Request for Abatement.” Many individuals who try this have not previously filed tax returns. The tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses Form 843 to list reasons for the request. Often, one of the reasons given is "Failed to properly compute and/or calculate Section 83-Property Transferred in Connection with Performance of Service."

9. Return Preparer Fraud

Dishonest tax return preparers can cause many problems for taxpayers who fall victim to their schemes. These scam artists make their money by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Some preparers promote the filing of fraudulent claims for refunds on items such as fuel tax credits to recover taxes paid in prior years. Taxpayers should choose carefully when hiring a tax preparer, especially one who promises something that seems too good to be true.

10. Diguised Corporate Ownership

Some people are going as far as forming domestic shell corporations in certain states for the purpose of disguising the ownership of a business or financial activity. Once formed, these anonymous entities can be used to facilitate underreporting of income, non-filing of tax returns, engaging in listed transactions, money laundering, financial crimes and even terrorist financing. The IRS is working with state authorities to identify these entities and to bring the owners of these entities into compliance.

11. Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

12. Abuse of Charitable Organizations and Deductions

The IRS continues to observe the misuse of tax-exempt organizations. Misuse includes arrangements to improperly shield income or assets from taxation, attempts by donors to maintain control over donated assets or income from donated property and overvaluation of contributed property. In addition, IRS examiners are seeing an upturn in instances where taxpayers try to disguise private tuition payments as contributions to charitable or religious organizations.

As promised above, here is how you can report one of these scams:

Suspected tax fraud can be reported to the IRS using IRS Form 3949-A, Information Referral. Form 3949-A is available for download from the IRS Web site at IRS.gov. The completed form or a letter detailing the alleged fraudulent activity should be addressed to the Internal Revenue Service, Fresno, CA 93888. The mailing should include specific information about who is being reported, the activity being reported, how the activity became known, when the alleged violation took place, the amount of money involved and any other information that might be helpful in an investigation. The person filing the report is not required to self-identify, although it is helpful to do so. The identity of the person filing the report can be kept confidential.

Whistleblowers also could provide allegations of fraud to the IRS and may be eligible for a reward by filing Form 211, Application for Award for Original Information, and following the procedures outlined in Notice 2008-4, Claims Submitted to the IRS Whistleblower Office under Section 7623.

Full press release on the 2008 Dirty Dozen Scams, here.

Your computer will not love this Valentine

The Storm Worm, which turns systems into spam spewing zombies without their owner's knowledge is taking a predicted twist and using Valentine's Day as a lure.

Websense is reporting:

Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code. For more details on how we protect against Storm attacks, see http://www.websense.com/securitylabs/blog/blog.php?BlogID=141.

Websense (full) alert with screenshots, here.

Most recently, we've seen the Storm Botnet leased by the phishermen to steal people's personal and financial details.

CNet (Robert Vamosi) did a good write-up on this latest Storm phenomenon, here.

The best way to protect your computer from this (besides having good security software) is to simply "just say delete" to any unsolicited Valentines you receive!

Previous posts I've written about the Storm Worm can be seen, here.

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released it's report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.

The report discusses the problem of botnets at length and refers to a 2006 report stating that an estimated 12 million bot infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.

The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are some statements from jailed bot-herders that botnets are being rented by the hour for $300-$700 an hour.

The report also give some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.

Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.

Of greatest importance (call me a socialist) is that the report calls that a broader effort needs to be made to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC has three sites listed on the right side of the press release to educate the public about spam, FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

In case you are less than technically astute (a lot of us are) the storm worm has been around for awhile. Wikipedia offers a good explanation of how it will trash a Windows system, here.

Downloading it normally leads to your computer becoming a spam spewing zombie controlled by a bot-herder. Of course, becoming infected also poses certain information theft risks, also.

Full post from Dancho, here.


(Screen shot courtesy of the Mindstreams of Information blog)

Update:

Found some more information on this on the SANS Internet Storm Center, which can be seen, here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.

IT also appears that the hackers behind this are moving on to New Years lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported SANS Internet Report Center, here.

Operation Bot Roast II snares bot herders, worldwide!

Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.

I decided to do a little digging on this and the FBI announced on their site that this is part of Operation Bot Roast II.

It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

I discovered more information on Operation Bot Roast II in a FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also has detail on the most current arrests:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskolov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customer's data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about about John Schiefer (above).

The amount of damage bot herders have caused millions of people on the Internet is astounding. Even when you consider the amount of spam, the average Internet user has to deal with on a daily basis, these current arrests are good news for the Internet community. Spam is the vehicle in which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/

One not mentioned that is great (my opinion) is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Krackin software will crack your computer's security!

(Screen shot courtesy of Websense)

Krackin is one place you don't want to try to download music, or videos. The result will be your computer becoming what is known as a zombie, which will be used to spew out spam e-mails, which facilitate Internet fraud.

If you have clicked on this, I highly recommend reading the link in Websense's alert, which I have provided below.

Websense is reporting:

Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see (http://www.websense.com/securitylabs/blog/blog.php?BlogID=141).

This site poses as a new piece of software called "Krackin v1.2" and advertises:

* Easy to install
* Auto-Virus scanning* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking

Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe" This file contains the Storm payload code.

Websense alert, here.

On a final note, if you are a parent, this would be a good topic to cover with younger family members. From the appearance of the screenshot above, it would likely attract younger users.

FBI roasts a few Bot-Herders, which will free up to a million Zombies

Sick and tired of all the spam filling up your inbox, despite filtering technology that doesn't seem to work very well? If you are, Operation Bot Roast is a story that might catch your interest, or if you are like me, is chicken soup for the soul.

Botnets are a primary cause for the ever increasing levels of spam. Botnets are infected computers that their masters (bot-herders) turn into zombies, spewing out spam e-mails by the millions.

These bot-herders cause a lot of us, a whole lot of grief.

The FBI press release announced yesterday:

They’re called “bot-herders:” hackers who install malicious software on computers through the Internet without the owners’ knowledge. Once the software is loaded, they can control the computer remotely. And once they’ve compromised enough computers, they have a robot network or botnet.

Some botnets are huge: tens of thousands of infected computers. Or more. As a result of Operation Bot Roast, an ongoing and coordinated initiative to disrupt and dismantle these bot-herders, we’ve identified about 1 million computers across the country that have been compromised.

According to the press release, several people have been arrested, including three of the big-time "masters."

Full story from the FBI, here.

Also contained are a lot of useful links on protect yourself -- and of course your computer -- and what to do if you think your computer was turned into a zombie.

Bot-herders have been reported to rent out their illicit networks to organized criminals by the hour.



What your computer must feel like after being turned into a zombie (Courtesy of Wikipedia).