Chuck Leaver – Compromised Endpoints Were Probably The IRS Hack Starting Point

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften


Internal Revenue Service Attackers Make Early Returns Because of Previous External Attacks


The Internal Revenue Service breach was the most unusual cyber attack of 2015. Typical attacks today begin with phishing e-mails intended to gain initial access to target systems, followed by lateral movement until data exfiltration takes place. But the Internal Revenue Service hack was different: much of the data needed to perform it had already been acquired. In this case, all the attackers needed to do was walk in the front door and submit the returns. How could this take place? Here’s what we understand:

The Internal Revenue Service website has a “Get Transcript” function for users to retrieve previous income tax return information. As long as the requester can supply the proper information, the system will return previous and current W2’s, old tax returns, etc. With anyone’s SSN, date of birth and filing status, the attackers could start the retrieval process for previous filing years’ information. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requesting user’s credit history.

KBA isn’t foolproof, though. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as “Which of the following streets have you resided on?” or “Which of the following cars have you owned?”

After the dust settled, it’s estimated that the hackers tried to collect 660,000 transcripts of previous taxpayer information via Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers could not supply the correct answers. It’s estimated that the attackers got away with over $50 million. So, how did the attackers do it?

Security researchers theorize that the cyber attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to attempt to retrieve prior income tax return details on their target victims. If they succeeded and answered the KBA questions correctly, they submitted a return for the 2015 calendar year, often inflating the withholding amount on the income tax return form to obtain a larger refund. As mentioned earlier, not all attempts succeeded, but over 50% did, resulting in significant losses for the IRS.
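The pattern described above leaves a recognizable trace on the service side: a single source working through many distinct taxpayer identities, roughly half of them failing at the KBA step. The following added example (not code from Ziften or the IRS) shows one way a defender could flag that pattern in access logs; the log format, field names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real IRS data): one line per KBA outcome in the
# Get Transcript flow. src = requesting address, tp = hashed taxpayer identifier.
SAMPLE_LOG = """\
src=203.0.113.5 tp=a1 step=kba result=fail
src=203.0.113.5 tp=a2 step=kba result=pass
src=203.0.113.5 tp=a3 step=kba result=fail
src=203.0.113.5 tp=a4 step=kba result=pass
src=203.0.113.5 tp=a5 step=kba result=fail
src=198.51.100.7 tp=b1 step=kba result=pass
src=198.51.100.9 tp=c1 step=kba result=fail
src=198.51.100.9 tp=c1 step=kba result=pass
"""

LINE_RE = re.compile(r"src=(\S+) tp=(\S+) step=kba result=(pass|fail)")


def parse_log(text):
    """Return (src, taxpayer, passed) tuples for each KBA outcome line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3) == "pass"))
    return rows


def flag_sources(rows, min_identities=3, min_fail_ratio=0.3):
    """Flag sources that attempt KBA for many distinct taxpayers with a high
    failure share. A legitimate user retries their own identity; an attacker
    replaying stolen PII cycles through many identities and fails often."""
    ids = defaultdict(set)
    attempts = defaultdict(int)
    fails = defaultdict(int)
    for src, tp, passed in rows:
        ids[src].add(tp)
        attempts[src] += 1
        if not passed:
            fails[src] += 1
    flagged = {}
    for src in ids:
        ratio = fails[src] / attempts[src]
        if len(ids[src]) >= min_identities and ratio >= min_fail_ratio:
            flagged[src] = {"identities": len(ids[src]), "fail_ratio": round(ratio, 2)}
    return flagged
```

The thresholds are starting points; in practice they would be tuned against the service's normal per-source identity counts and KBA failure rate.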

Detection and response solutions like Ziften are aimed at identifying compromised endpoints (for example through phishing attacks). We do this by supplying real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used details obtained from previous attacks beyond the Internal Revenue Service, the compromised organizations might have taken advantage of the visibility Ziften supplies and mitigated the mass data exfiltration. Ultimately, the IRS appears to be the vehicle, rather than the initial victim, of these attacks.