Mar 14, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that doesn't understand what Britain's problem is. The European Union met all of our demands to get us to leave.

1 big thing: The vanishing tax scam

Illustration: Sara Grillo/Axios

With tax day rapidly approaching, it's beginning to look like this tax season will show a sharp decline in breaches swiping data used to file fake tax returns. Risk Based Security (RBS), a cybersecurity group that monitors breach notifications, has tracked only 5 reports of theft of tax data this season, down from around 40 in the whole of last year's tax season and 230 the year before.

Why it matters: While the number of tax-document-related breaches has been on the decline for a while, it's still surprising to see such a rapid drop, even after the number had plummeted into the double digits.

  • "It's always interesting to see something that was so successful drop off," said RBS executive vice president Inga Goddijn.

Details: A few caveats on what the RBS count does and does not capture.

  • The number RBS tracks tallies how often companies told regulators that hackers stole employee information, like W-2 wage statements, in apparent attempts to file fraudulent returns with the IRS and collect the refunds. It is a rough indicator of how often criminals are attempting this kind of theft.
  • Of course, not all thefts are reported or are even discovered by the companies. And since the number of people who work at a company varies, it's hard to draw conclusions about total victims from the number of companies breached.
  • Tax season isn't done yet, and RBS anticipates the final number of reported breaches will be more than 5.

By the numbers: RBS isn't the only group seeing a downward trend. The IRS hasn't released information for this season yet, but noted in 2018, through October:

  • Reports of identity theft had dropped 17% since 2017 and 72% since 2015. ("We’ve seen dramatic declines in identity theft since 2015," said IRS commissioner Chuck Rettig at a security summit in December.)
  • Financial institutions flagged 66% fewer checks from the IRS as likely to be the fruit of scams.

The intrigue: Typically, when one type of cybercrime goes down, another type goes up — if you prevent one way of exploiting people, hackers move on to another. But RBS hasn't found a corresponding rise in any other field.

Experts don't see a clearcut reason for the decline, but there are some spitball-able theories.

  • The IRS has gotten better at detecting fraud during the refund process, before checks are mailed, which may remove the incentive to steal W2 information in the first place.
  • Employers may have gotten more aware about protecting employee information.
  • The scam could have changed into something harder to detect or less clear to report.
  • Scammers behind major schemes may have been arrested for other crimes.

To be sure: None of this is an excuse to stop protecting yourself or your employees.

  • Michael Bruemmer, vice president of data breach resolution at Experian, noted, "Businesses should not let their guard down and continue to stay vigilant throughout the year for all kinds of threats such as phishing scams and malware attacks."

2. Hackers using Pakistani passport website to spy on users

Hackers modified a Pakistani government website, where citizens apply for passports, so that it spies on visitors, according to researchers at Trustwave. The infection was still active at the time of writing.

The big picture: The code added to the website, known as Scanbox, is a JavaScript reconnaissance kit that profiles visitors, and it has been associated with espionage campaigns in the past. Other actors use it too, and Trustwave is not attributing the attack to any government or criminal group.

Details: Scanbox logs keystrokes typed into the page, handing the attackers users' login credentials, and it also reports details about the visitor's browser and system.

  • "Since it’s a website that requires login, it gets those credentials," Ziv Mador, Trustwave vice president of threat research told Codebook.
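The attack above works because a script was added to a page the site owner did not expect to change. One check a site operator can run, as an added example that is not Trustwave's tooling or anything from the original item: inventory every script on a page (external ones by their src, inline ones by a hash of their body), record that inventory as a baseline at deploy time, and alert on anything that later appears that is not in it. The HTML, the injected script's host (198.51.100.23, a documentation address) and the baseline are all constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external scripts by their src,
    inline scripts by the SHA-256 of their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()
            self.scripts.append(("inline", digest))


def script_inventory(html):
    """Return the list of (kind, identifier) pairs for all scripts on a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_unexpected_scripts(html, baseline):
    """Return scripts present on the page that are not in the approved baseline."""
    return [s for s in script_inventory(html) if s not in baseline]


# Constructed sample page: what the site looked like when it was deployed.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {lang: "en"};</script>
</head><body><form><input name="user"><input name="pass"></form></body></html>"""

# Baseline inventory, taken once at deploy time and stored out of band.
BASELINE = script_inventory(BASELINE_HTML)

# Constructed compromised page: the same HTML with one external and one inline
# script injected into <head> (hypothetical host, not the real infection).
INJECTED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//198.51.100.23/i.js"></script>'
    "<script>(function(){/* constructed injected snippet */})();</script>"
    "</head>",
)

if __name__ == "__main__":
    for kind, ident in find_unexpected_scripts(INJECTED_HTML, BASELINE):
        print(f"unexpected {kind} script: {ident}")
```

Run this periodically against the live page (fetched as a visitor would see it, since server-side checks miss injection done at the edge or in the CMS) and treat any unexpected entry as an incident, not a false positive to tune away.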

3. The "Apple" of payment processing malware

Researchers at Cisco Talos discovered a new point-of-sale (POS) malware, GlitchPOS, being sold on hacker forums. It's notable for how easy it is to use, even for buyers with little technical skill.

Why it matters: GlitchPOS invites a whole new class of criminals to enter the point-of-sale terminal hacking game.

What they're saying: "If you can install a video game, you can now install a sophisticated POS malware empire," said Craig Williams, director of outreach at Talos. "If Apple was going to make POS malware, this is what it would look like."

You can't trust anyone: Talos notes that one of the early purchasers of GlitchPOS has begun selling it on his own, claiming to be the original author. And if you can't trust credit card thieves, who can you trust?

Meanwhile: While some people like Volvos, other people like Ferraris. Researchers at Flashpoint discovered POS malware in use since 2016 with a powerful feature rarely seen in its ilk.

  • "DMSniff" uses what's known as a domain generation algorithm (DGA): code inside the malware that churns out a stream of candidate command-and-control domain names from a shared seed, so operators can register any of them on the fly.
  • Most malware phones home to fixed or mostly fixed servers. Take down the server that links the hacker to the malware and the whole scheme is shot.
  • With a DGA, the malware keeps computing new candidate domains and trying them. Take one domain or server down and the operator simply registers the next one the algorithm produces, and the infected machines find it.
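An added example (not DMSniff's actual algorithm, which is not described here, and not Flashpoint's code) of how a DGA works and why it cuts both ways: the seed and date feed a hash that yields a batch of candidate domains per day, and once a defender recovers the seed and algorithm from a sample, the same function precomputes every domain the malware will try over a window so they can be sinkholed or matched against DNS logs. The seed, TLD set, log format and log lines are all constructed for the demonstration.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD set; a real family ships its own list.
TLDS = ("com", "net", "org")


def generate_domains(seed: bytes, day: date, count: int = 8) -> list:
    """Hypothetical DGA: derive `count` candidate C2 domains for one day.

    The seed (hard-coded in the malware) and the date are hashed, the digest is
    stretched by re-hashing, and digest bytes are mapped to letters. Every
    infected host running the same code gets the same list for the same day.
    """
    domains = []
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        length = 8 + state[0] % 8  # label of 8..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        tld = TLDS[state[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(seed: bytes, start: date, days: int) -> set:
    """Defender side: precompute every domain the malware will try over a
    window of days, ready for sinkholing or DNS blocking."""
    result = set()
    for offset in range(days):
        result.update(generate_domains(seed, start + timedelta(days=offset)))
    return result


def flag_dga_lookups(dns_log_lines, blocklist):
    """Match DNS query log lines against the precomputed list.
    Constructed log format: "<timestamp> <client-ip> query <qname>."."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        qname = parts[3].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


SEED = b"constructed-example-seed"  # a real seed is extracted from a sample
TODAY = date(2019, 3, 14)
TOMORROW = TODAY + timedelta(days=1)

# Constructed DNS log: two infected clients resolving today's DGA domains
# among normal traffic.
SAMPLE_LOG = [
    f"2019-03-14T10:00:01 10.0.0.5 query {generate_domains(SEED, TODAY)[0]}.",
    "2019-03-14T10:00:02 10.0.0.5 query www.example.com.",
    f"2019-03-14T10:00:03 10.0.0.7 query {generate_domains(SEED, TODAY)[3]}.",
]

if __name__ == "__main__":
    week = blocklist_for_window(SEED, TODAY, 7)
    for client, qname in flag_dga_lookups(SAMPLE_LOG, week):
        print(f"{client} resolved DGA domain {qname}")
```

The asymmetry is the point: the operator only has to register one of the day's candidates, but the defender who knows the algorithm can pre-register or block all of them, which is why DGA seeds and date formats are among the first things a reverse engineer pulls out of a sample.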

4. Yesterday's Facebook outage wasn't a DDoS attack

Photo: Jaap Arriens/NurPhoto via Getty Images

Not everything is a cyberattack. Facebook fended off rumors that an outage of its products, including Facebook and Instagram, was the result of a DDoS attack.

  • Telegram reports gaining 3 million users during the brief outages of WhatsApp and Facebook Messenger.
  • NetScout issued a press release claiming the outage was a BGP leak, but after experts (including, apparently, the NetScout employee quoted in the press release) said that wasn't the case, NetScout walked back the certainty of its claims: “Absent more forensic evidence, we can’t speculate about the cause of that specific outage,” said the company via email. (Twitter)

5. Senators want more info on Capitol breach attempts

Senators Ron Wyden (D-Ore.) and Tom Cotton (R-Ark.) asked the Senate's security staff to start issuing regular reports on breaches of the Senate network.

The big picture: "According to media reports, Russian and Chinese hackers have in recent years breached the White House, Pentagon, State Department, and other agencies in the executive branch. Yet, the last publicly disclosed breach of congressional computers was in 2009," the senators wrote in a letter dated Wednesday.

6. Odds and ends

Codebook will be back next week.