Tax Fraudsters Stealing Companies’ Databases of W-2s To File Your Taxes Before You Do

You’re great at security: you manage your long, secure passwords effectively, you shred all of your sensitive documents thoroughly, and you check your credit report and your online statements frequently. Good job! But all the micromanaging in the world can’t prevent you from being a victim of tax fraud if a hacker intercepts your W-2 and all of the information in it before it ever even gets to you.

That’s what your enterprising criminal mastermind is up to these days, reports security expert Brian Krebs. Krebs (who you may remember as the guy who broke the news of 2013’s Target data breach) says that scammers aren’t going after individuals’ materials but are instead going big: directly to the HR departments of the companies that employ dozens or hundreds of people.

The hackers gain entry to HR software at “compromised organizations” and dig around until they find themselves a database full of W-2 forms. Once scammers have access to that giant pile of forms, they immediately try to file federal returns on all of them. Then all they need to do is misdirect the money from a refund back to their own scammy pockets:

Successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Krebs found that one particular piece of third-party payroll software, Ultipro, seems to be the favored target. The problem doesn’t seem to be with the software itself, though. At least, not according to the company that makes it. A marketing executive for that company, Florida-based Ultimate Software, told Krebs that the security hole isn’t an issue of a code vulnerability that they can fix, but is instead “the result of stolen login information on the end-user level.”

Meaning: someone manages to steal an HR employee’s username and password, logs into the system masquerading as that employee, and then steals all the information they need for a profitable wave of identity theft.

From there, it takes the bad guys very little time to try to file all those fake returns, because they’ve engineered software to do it for them. The crimeware, as Krebs calls it, can take all the data and methodically fling it at an e-filing service — in this case, H&R Block’s. And the nefarious evildoers behind it have found a way to profit from it twice over: not only are they committing tax fraud, but they’re also licensing the software to others so that they can do the same.

Tax return fraud is nothing new; the concept has been around forever. The sheer scope and near-automation of the process afforded by the digital era are newer, though. The IRS issued an estimated $4 billion in fraudulent refunds in 2012 alone. So far, Krebs reports, this particular scam seems tied to over $1 million in fraud.

Today is the deadline for filing your 2013 federal taxes. Hopefully the procrastinators among us sliding their returns in just under the wire won’t encounter any problems. But if you do find out at 11:59 tonight that someone else pretending to be you got there first, take these steps to start getting the situation sorted out.

Crimeware Helps File Fraudulent Tax Returns [KrebsOnSecurity]