Charles Leaver – It Is Believed That The IRS Hack Began With Compromised Endpoints

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Due to Previous External Attacks

The Internal Revenue Service breach was one of the most unusual cyber attacks of 2015. Typical attacks today involve phishing emails intended to gain initial access to target systems, followed by lateral movement until data exfiltration takes place. But the IRS hack was different: much of the data required to carry it out had already been obtained elsewhere. In this case, all the attackers needed to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The IRS website has a “Get Transcript” function that lets users retrieve details of previous income tax returns. As long as the requester can supply the correct details, the system returns past and current W-2s, old tax returns, and so on. With anyone’s SSN, date of birth and filing status, the attackers could begin retrieving information from past filing years. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requested user’s credit history.

KBA is not foolproof, however. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it is estimated that the hackers attempted to collect 660,000 transcripts of prior taxpayer details via Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have got as far as the KBA questions, where the hackers could not provide the correct answers. It is estimated that the attackers got away with over $50 million. So, how did the hackers do it?

Security analysts believe the attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to attempt to obtain prior tax return details on their target victims. If they succeeded and answered the KBA questions correctly, they filed a return for the 2015 calendar year, often inflating the withholding amount on the income tax return form to obtain a larger refund. As discussed above, not all attempts were successful, but over 50% of them resulted in significant losses for the IRS.
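The pattern described above, hundreds of thousands of Get Transcript attempts from outside parties with roughly half failing at the KBA step, is visible in the service's own audit trail long before any money leaves. The following is an added example, not code from the original post or from Ziften, of a small detector that aggregates constructed KBA audit-log lines per source and flags origins that combine high volume, many distinct taxpayer subjects and a material KBA failure rate. The log format, the `subject=` token (an opaque per-taxpayer identifier, not an SSN), the field names and the thresholds are all assumptions made for illustration.

```python
"""Flag bulk Get Transcript / KBA activity in a constructed audit log.

Added example (not from the original post or from Ziften). The log layout,
field names and thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Assumed line layout: ISO timestamp, source address, opaque taxpayer token,
# event name and the KBA outcome. Lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) subject=(?P<subject>\S+) "
    r"event=kba outcome=(?P<outcome>pass|fail)$"
)

# Constructed sample: one source cycling through many different subjects with
# about half failing at KBA (the shape the article describes), plus two
# ordinary users who only touch their own subject.
SAMPLE_LOG = """\
2015-05-01T10:00:01Z src=203.0.113.10 subject=t001 event=kba outcome=pass
2015-05-01T10:00:02Z src=203.0.113.10 subject=t002 event=kba outcome=fail
2015-05-01T10:00:03Z src=203.0.113.10 subject=t003 event=kba outcome=pass
2015-05-01T10:00:04Z src=203.0.113.10 subject=t004 event=kba outcome=fail
2015-05-01T10:00:05Z src=203.0.113.10 subject=t005 event=kba outcome=pass
2015-05-01T10:00:06Z src=203.0.113.10 subject=t006 event=kba outcome=fail
2015-05-01T10:00:07Z src=203.0.113.10 subject=t007 event=kba outcome=pass
2015-05-01T10:00:08Z src=203.0.113.10 subject=t008 event=kba outcome=fail
2015-05-01T10:05:00Z src=198.51.100.7 subject=t900 event=kba outcome=pass
2015-05-01T10:06:00Z src=198.51.100.8 subject=t901 event=kba outcome=fail
2015-05-01T10:06:30Z src=198.51.100.8 subject=t901 event=kba outcome=pass
"""


def parse_log(text):
    """Parse audit lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_by_source(records):
    """Per source address: attempt count, KBA failures, distinct subjects."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "subjects": set()})
    for r in records:
        s = stats[r["src"]]
        s["attempts"] += 1
        s["fails"] += int(r["outcome"] == "fail")
        s["subjects"].add(r["subject"])
    return stats


def flag_bulk_sources(stats, min_attempts=5, min_subjects=5, min_fail_rate=0.25):
    """Return sources that look like bulk, partly-failing KBA enumeration.

    All three conditions must hold: a single user who fumbles one question
    has a high failure rate but neither the volume nor the subject spread.
    """
    flagged = {}
    for src, s in stats.items():
        fail_rate = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["subjects"]) >= min_subjects
                and fail_rate >= min_fail_rate):
            flagged[src] = {
                "attempts": s["attempts"],
                "subjects": len(s["subjects"]),
                "fail_rate": round(fail_rate, 2),
            }
    return flagged


def detect(text, **thresholds):
    """Convenience wrapper: raw log text in, flagged sources out."""
    return flag_bulk_sources(summarize_by_source(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

The signal is the combination, not any single counter: a legitimate user retrying their own transcript produces a high failure rate on one subject, whereas the activity described above produces one origin touching many subjects with about half of them failing KBA. In practice the per-source key would also be a session, device fingerprint or account rather than an address alone, and the thresholds would be tuned against the service's normal baseline.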

Detection and response systems like Ziften focus on recognizing when endpoints have been compromised (for example through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are right and the attackers used details gleaned from previous attacks outside the IRS, the compromised businesses might have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these cyber attacks.
