Washington D.C. -- Like the Bank of America brand name, the United States Internal Revenue Service is a brand that also needs online protection. On Wednesday, Special Agent Andy Fried with the U.S. Treasury Department gave a second keynote address to start off Black Hat DC 2008. He said as of February 19 this year, there were 1,630 phishing sites using the IRS name or logo, marking a 12 percent to 17 percent increase over last year.
Although the IRS phishing sites may be taken down within an hour or so, that's still long enough for a victim to volunteer personal information online. Fried stated that the IRS does not contact people via e-mail. He also noted that many of the phishing sites and e-mails came "out of Eastern Europe."
E-mails pretending to be from the IRS may link to phishing sites, but they can also launch malware, said Fried. He cited one example where late at night he saw a new IRS-themed e-mail containing malicious code and also found that none of the major antivirus sites had signatures in place to block the sample. He said the antivirus vendors frequently missed malware associated with IRS e-mail spam.
While he was concerned about ordinary people getting hit, he called upon the antivirus community to immunize their applications before the IRS staff reported for work in the morning. His concern was the IRS itself, which in the morning would start to receive forwarded examples of the e-mail and could potentially become infected with malware.
Fried said that in January 2008, IRS-themed spam reached a full one percent of all spam traded on the Internet--a record for the agency.
Fried also warned against using peer-to-peer applications on the same desktop with your tax information on it. He and his investigators will periodically fire up LimeWire and find hundreds of copies of people's tax returns available for downloading. "If you don't know what you are doing with P2P," said Fried, "don't use it."
Fried said he expected more IRS-themed Internet activity in May when the U.S. government plans to issue tax rebates to qualified individuals, but declined to specify what he expected.