Threat Actors Impersonate IRS and ID.me in Sophisticated Phishing Attempt
In this sophisticated phishing attack, threat actors impersonate the IRS and email the target regarding their IRS online account. Using an email address hosted on at-work[.]tv, a legitimate but dormant domain, with a generic sender name of “Notifications”, the attacker claims the target must verify their identity through ID[.]me to ensure the security of their IRS online account and maintain access to IRS services. ID[.]me is an American online identity network company that allows people to provide proof of their legal identity online and is used by the IRS. Should the target click on the button labeled “Verify Now”, they are redirected to a page that appears to be a login portal for ID[.]me. However, the destination is actually a phishing site that convincingly mimics the impersonated page and is designed to steal any information the target enters, including their ID[.] me login credentials, date of birth, and Social Security Number, as well as their Centralized Authorization File (CAF) number and preparer tax identification number (PTIN). If the target provides any of this information, it will be stolen by the attacker and likely used to commit identity theft.
Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a spoofed domain, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize the sender is unknown to the recipient, detect suspicious links in the message, and conduct advanced content analysis to correctly flag this email as an attack.
Malicious message impersonating the IRS using a spoofed email
Phishing page mimicking legitimate login portal for ID[.]me
Phishing page designed to steal sensitive information
Attackers include captchas to induce false feelings of safety through legitimate protocols in their attempt
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate email address, "newsletter@at-work[.]tv", bypassing basic email verification checks and adding perceived authenticity.
- Social Engineering Tactic: The claim that immediate verification is needed for tax season creates a sense of urgency that prompts recipients to act without careful scrutiny.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: The presence of a link that leads to a suspicious domain "https://kgfutviguyj.prepared.workers[.]dev" is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
- Content Analysis: The email's urgent message about a required identity verification to maintain IRS services is flagged by advanced content analysis algorithms as a common phishing tactic.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.