Over the past two months, Akamai's threat research team has been closely monitoring a phishing campaign that impersonates the official Internal Revenue Service (IRS) website and requests sensitive information, including email addresses and passwords.
Figure 1: IRS phishing website
According to Akamai's research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai's visibility into global network traffic, the campaign targeted over 100,000 victims worldwide.
The campaign activation, as seen in Figure 2, happened mainly in the second half of August; a domain counts as activated the first time it was accessed. The number of victims, derived from the activated domains, peaked in the days following activation, towards the end of August.
Figure 2: IRS phishing website activation with number of victims over time
While the majority of the campaign took place in late August, we can observe new websites being activated periodically over the course of the 47 days.
A closer look into the content of each domain (Figure 3) reveals that they had identical visual cues. The basic look of the fake IRS page is the same across domains, but it's clear the threat actors are customizing parts of each page. This evasion technique is intended to keep the landing page from being detected by security vendors that rely on signature detection to spot phishing attempts.
Some of the content changes look as if they were randomly generated, meaning an automated process was involved in the content generation.
Figure 3: HTML content of two different IRS phishing domains
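The randomized filler described above defeats an exact-match signature, because every copy of the page hashes differently. One defensive answer is to fingerprint only what the threat actors keep constant: the tag skeleton of the page. The example below is added here and is not Akamai's code; the two sample pages, their randomized strings and the placeholder form paths are constructed for the example. It hashes the sequence of element names (text, attribute values and comments dropped), so two copies of the same kit with different random content produce the same fingerprint while an unrelated page does not.

```python
"""Structural fingerprint for near-identical phishing pages (added example).

Exact-content hashes change with every randomized string; hashing only the
element-name sequence still matches copies of the same page template.
"""
import hashlib
from html.parser import HTMLParser


class _SkeletonParser(HTMLParser):
    """Collects element names in document order; text, attributes and
    comments are ignored (the default handlers for those do nothing)."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def skeleton(html: str) -> list:
    """Return the tag skeleton of an HTML document as a list of names."""
    parser = _SkeletonParser()
    parser.feed(html)
    parser.close()
    return parser.tags


def exact_fingerprint(html: str) -> str:
    """Plain content hash: breaks as soon as any byte of the page changes."""
    return hashlib.sha256(html.encode()).hexdigest()


def structural_fingerprint(html: str) -> str:
    """SHA-256 over the tag skeleton; stable across text/attribute randomization."""
    return hashlib.sha256("|".join(skeleton(html)).encode()).hexdigest()


def matches_known_kit(html: str, known_fingerprints: set) -> bool:
    """True if the page shares its structure with a previously seen phishing kit."""
    return structural_fingerprint(html) in known_fingerprints


# Constructed sample pages (hypothetical, not captured content): same layout,
# different randomized comments, filler text, form action and field names.
PAGE_A = """<html><head><title>Sign In</title></head>
<body><!-- k3j9x --><div class="hdr"><img src="logo.png" alt="logo"></div>
<form action="/login_a8f2.php" method="post">
<label>Email</label><input type="text" name="email">
<label>Password</label><input type="password" name="pwd">
<button>Login</button></form><p>qz81mw</p></body></html>"""

PAGE_B = """<html><head><title>Sign In</title></head>
<body><!-- p0aa2 --><div class="hdr"><img src="img77.png" alt="logo"></div>
<form action="/login_ff01.php" method="post">
<label>Email</label><input type="text" name="user_e">
<label>Password</label><input type="password" name="p_x1">
<button>Continue</button></form><p>bb39ke</p></body></html>"""

# An unrelated page with a different structure.
PAGE_OTHER = """<html><head><title>Hello</title></head>
<body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>"""


if __name__ == "__main__":
    known = {structural_fingerprint(PAGE_A)}
    print("exact hashes equal:    ", exact_fingerprint(PAGE_A) == exact_fingerprint(PAGE_B))
    print("structural match B:    ", matches_known_kit(PAGE_B, known))
    print("structural match other:", matches_known_kit(PAGE_OTHER, known))
```

A structure-only hash deliberately ignores everything the actors randomize, so it also collides with legitimate pages built from the same template or framework; treat a match as a clustering and triage signal to combine with domain reputation, form-action destinations and brand-image hashes, not as a verdict on its own.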
According to Akamai's research, the majority of the domains hosting the IRS phishing pages are compromised websites.
By analyzing the activity of the IRS phishing domains, we see the majority of them were active for fewer than 20 days (out of the 47 days that were monitored). Yet, a significant number of domains were active even after one month. The lack of maintenance on legacy websites, as well as the challenges of patching and removing injected content, explains the duration over which phishing pages can remain active. This is consistent with the findings of our most recent State of the Internet / Security report.
Figure 4: Domains activity duration
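The activation dates in Figure 2 and the activity durations in Figure 4 both come from the same measurement: for each domain, the first and last day it was observed in access traffic. The following example is added here and is not Akamai's code; the log lines and domain names are constructed placeholders, not indicators from the campaign. It derives per-domain activation (first access), inclusive activity duration in days, activations per day, and a duration histogram in 10-day buckets, from a minimal "date domain" log format.

```python
"""Activation date and activity duration per phishing domain (added example).

Activation is the first day a domain was accessed; activity duration is the
inclusive number of days between first and last observed access.
"""
from collections import defaultdict
from datetime import date

# Constructed sample log: ISO date and domain (placeholder names, not real IoCs).
LOG_LINES = """2021-08-10 example-compromised-1.test
2021-08-10 example-compromised-2.test
2021-08-12 example-compromised-1.test
2021-08-25 example-compromised-3.test
2021-09-01 example-compromised-2.test
2021-09-20 example-compromised-3.test
2021-09-25 example-compromised-2.test""".splitlines()


def parse_lines(lines):
    """Parse 'YYYY-MM-DD domain' lines into (date, domain) tuples."""
    events = []
    for line in lines:
        day, domain = line.split()
        events.append((date.fromisoformat(day), domain))
    return events


def activity_windows(events):
    """Map each domain to its (first_seen, last_seen) dates."""
    first, last = {}, {}
    for day, domain in events:
        if domain not in first or day < first[domain]:
            first[domain] = day
        if domain not in last or day > last[domain]:
            last[domain] = day
    return {dom: (first[dom], last[dom]) for dom in first}


def activity_duration_days(windows):
    """Inclusive day count between first and last access, per domain."""
    return {dom: (last - first).days + 1 for dom, (first, last) in windows.items()}


def activations_per_day(windows):
    """How many domains were activated (first accessed) on each day; Figure 2's x-axis."""
    counts = defaultdict(int)
    for first_seen, _ in windows.values():
        counts[first_seen] += 1
    return dict(counts)


def duration_histogram(durations, bucket_days=10):
    """Bucket durations into ranges of bucket_days (key = lower bound); Figure 4's shape."""
    hist = defaultdict(int)
    for days in durations.values():
        hist[(days - 1) // bucket_days * bucket_days] += 1
    return dict(hist)


if __name__ == "__main__":
    windows = activity_windows(parse_lines(LOG_LINES))
    durations = activity_duration_days(windows)
    for dom, (first_seen, last_seen) in sorted(windows.items()):
        print(f"{dom}: activated {first_seen}, last seen {last_seen}, {durations[dom]} days")
    print("activations per day:", activations_per_day(windows))
    print("duration histogram: ", duration_histogram(durations))
```

On the constructed sample, one domain is active for 3 days, one for 27 and one for the full 47-day window, which is the long-tail pattern the text describes for unmaintained compromised sites. In practice the same computation runs over a resolver or proxy log filtered to the domains already attributed to the campaign; the last-seen date only reflects traffic within the monitoring window, so a domain still being accessed on the final day should be treated as still active rather than as having a known end date.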
This brief overview into an active IRS phishing campaign in the wild shows that, while threat actors are still launching campaigns with the goal of capturing sensitive information, the methods and techniques being used are getting more sophisticated by the day. Normally, tax-based phishing campaigns are observed during tax season in the United States, which runs from the end of Q4 until the end of January. However, by leveraging political stress points and uncertainty surrounding changing tax rules, campaigns such as this are now viable year-round.
Victim awareness is a key focal point for mitigating such scams. In many cases, scams such as these use domains that are not associated with the IRS. Another key training point is the fact that the IRS will never initiate contact about finances or owed taxes via phone or email, which is how scams such as these start.