Chuck Leaver – Compromised Endpoints Were The Likely Starting Point For IRS Hack

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften

Internal Revenue Service Attackers Make Early Returns Because of Previous External Attacks

The IRS breach was one of the most unusual cyber attacks of 2015. A classic attack today begins with a phishing e-mail intended to gain initial access to a target system, followed by lateral movement until data exfiltration takes place. The IRS hack was different: much of the data needed to carry it out had already been stolen elsewhere. In this case, all the attackers had to do was walk in the front door and file the returns. How could that happen? Here is what we know:

The Internal Revenue Service website has a “Get Transcript” feature that lets taxpayers retrieve prior tax return information. As long as the requester can supply the appropriate information, the system returns past and present W-2 data, old income tax returns and similar records. With anyone’s SSN, date of birth and filing status, the attackers could begin the retrieval process for a previous filing year’s details. The system also had a Knowledge Based Authentication (KBA) step, which asked questions drawn from the requesting user’s credit file.

KBA isn’t foolproof, though. The questions it asks can often be predicted from other information already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following automobiles have you owned?”

After the dust settled, it was estimated that the attackers tried to pull 660,000 transcripts of prior taxpayer information through Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have got as far as the KBA questions, where the attackers failed to supply the correct answers. It is estimated that the attackers got away with more than $50 million. So, how did they do it?

Security researchers theorize that the attackers used details from earlier breaches, such as SSNs, DOBs, addresses and filing statuses, to request prior income tax return information on their target victims. Where they succeeded and answered the KBA questions correctly, they filed a fraudulent return for the 2015 filing year, often inflating the withholding amount on the return to obtain a larger refund. As noted above, not every attempt succeeded, but the more than 50% that did resulted in major losses for the Internal Revenue Service.
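The pattern described above also leaves a footprint on the service being abused: a single source requesting transcripts for many distinct identities in quick succession and failing KBA at a high rate, which is what a 50% success ratio across hundreds of thousands of attempts looks like up close. The following is an added example, not code from the original post or from Ziften, that runs a velocity and KBA-failure check over a constructed, hypothetical access log. The log layout (timestamp, source IP, pseudonymous identity, stage, outcome), the sample events and the thresholds are all assumptions for illustration, not the IRS’s real format or tuning.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample access log in a HYPOTHETICAL format (not the IRS's):
# timestamp source_ip identity stage outcome
# "identity" stands in for a hashed SSN; never log the raw SSN.
# 192.0.2.x are ordinary users; 203.0.113.5 and 198.51.100.7 play the attacker.
SAMPLE_LOG = """\
2015-02-10T09:00:00Z 192.0.2.10 id-001 kba pass
2015-02-10T09:00:05Z 192.0.2.10 id-001 transcript ok
2015-02-10T09:02:00Z 192.0.2.11 id-002 kba fail
2015-02-10T09:02:40Z 192.0.2.11 id-002 kba pass
2015-02-10T09:02:50Z 192.0.2.11 id-002 transcript ok
2015-02-10T09:05:00Z 203.0.113.5 id-101 kba pass
2015-02-10T09:05:01Z 203.0.113.5 id-101 transcript ok
2015-02-10T09:05:02Z 203.0.113.5 id-102 kba fail
2015-02-10T09:05:03Z 203.0.113.5 id-103 kba pass
2015-02-10T09:05:04Z 203.0.113.5 id-103 transcript ok
2015-02-10T09:05:05Z 203.0.113.5 id-104 kba fail
2015-02-10T09:05:06Z 203.0.113.5 id-105 kba pass
2015-02-10T09:05:07Z 203.0.113.5 id-105 transcript ok
2015-02-10T09:05:08Z 203.0.113.5 id-106 kba fail
2015-02-10T09:05:09Z 203.0.113.5 id-107 kba pass
2015-02-10T09:05:10Z 203.0.113.5 id-107 transcript ok
2015-02-10T09:05:11Z 203.0.113.5 id-108 kba fail
2015-02-10T09:10:00Z 198.51.100.7 id-201 kba pass
2015-02-10T09:10:01Z 198.51.100.7 id-201 transcript ok
2015-02-10T09:10:02Z 198.51.100.7 id-202 kba pass
2015-02-10T09:10:03Z 198.51.100.7 id-202 transcript ok
2015-02-10T09:10:04Z 198.51.100.7 id-203 kba pass
2015-02-10T09:10:05Z 198.51.100.7 id-203 transcript ok
2015-02-10T09:10:06Z 198.51.100.7 id-204 kba pass
2015-02-10T09:10:07Z 198.51.100.7 id-204 transcript ok
2015-02-10T09:10:08Z 198.51.100.7 id-205 kba pass
2015-02-10T09:10:09Z 198.51.100.7 id-205 transcript ok
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(kba|transcript)\s+(pass|fail|ok)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detector."""
    identities: set = field(default_factory=set)  # distinct identities touched
    kba_attempts: int = 0
    kba_failures: int = 0
    kba_times: list = field(default_factory=list)  # epoch seconds of KBA attempts
    transcripts: int = 0

    @property
    def fail_rate(self):
        return self.kba_failures / self.kba_attempts if self.kba_attempts else 0.0


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, ident, stage, outcome = m.groups()
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()
    return {"ts": epoch, "ip": ip, "identity": ident,
            "stage": stage, "outcome": outcome}


def max_in_window(times, window=60):
    """Largest number of events falling inside any `window`-second span."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def aggregate(log_text):
    """Fold the log into per-source statistics, skipping unparsable lines."""
    stats = defaultdict(SourceStats)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s.identities.add(ev["identity"])
        if ev["stage"] == "kba":
            s.kba_attempts += 1
            s.kba_times.append(ev["ts"])
            if ev["outcome"] == "fail":
                s.kba_failures += 1
        elif ev["stage"] == "transcript" and ev["outcome"] == "ok":
            s.transcripts += 1
    return dict(stats)


def flag_sources(stats, max_identities=3, max_kba_per_minute=4,
                 min_kba_attempts=4, max_fail_rate=0.4):
    """Return {source_ip: [reasons]} for sources that look like bulk harvesting.

    Thresholds are illustrative assumptions. A legitimate household rarely
    queries more than a few identities from one address, and a single user who
    stumbles on a KBA question does not generate dozens of attempts per minute.
    """
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if len(s.identities) > max_identities:
            reasons.append("many_identities")
        if max_in_window(s.kba_times) > max_kba_per_minute:
            reasons.append("kba_burst")
        # Require a minimum volume so one user's honest mistake is not flagged.
        if s.kba_attempts >= min_kba_attempts and s.fail_rate >= max_fail_rate:
            reasons.append("kba_fail_rate")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(aggregate(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

On the constructed log, 203.0.113.5 is flagged on all three criteria (eight identities, eight KBA attempts in eleven seconds, half of them failed), 198.51.100.7 is flagged for identity count and burst rate even though every KBA answer was correct, and 192.0.2.11, a real user who missed one question and then passed, is left alone because it never reaches the minimum attempt count. In production the identity-count and burst checks are the ones that survive attacker adaptation; spreading requests across many source addresses defeats per-IP thresholds, so the same counters should also be kept per session token, per device fingerprint and per /24.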

Detection and response systems like Ziften are aimed at identifying compromised endpoints (for example, endpoints compromised through phishing attacks). We do this by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from earlier attacks outside the IRS, the organizations that were compromised could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to have been the vehicle, rather than the initial victim, of these attacks.
