I came across a fascinating cybercrime article called, “When Identity Thieves Hack Your Accountant,” from Krebs on Security. Although it isn’t the most technical hack in the world, it is very sophisticated nonetheless. The link is below:

This article describes an attack that targets CPA firms. The motivation is greed—the attacker is a thief. The goal of the attack is to steal financial data from the firm’s clients and then submit fraudulent tax returns on their behalf. Once the victim receives their tax refund, the attacker contacts the victim claiming to be a collection agency representing the IRS and demands the money back. The attacker is armed with the victim’s personal financial data and can thus make a convincing case. If the victim contacts the CPA firm, the firm can legitimately claim that it did not submit a tax return, which only lends credibility to the attacker’s story. To resolve the situation, the victim sends the tax refund money to the attacker’s account.

The attack proceeds as follows. First, the attacker purchases keylogger software from a cybercriminal. Note that the attacker does not need sophisticated technical skills. In the example provided, the software cost $50 from a hacker nicknamed ja_far. The malware, once installed, automatically uploads the stolen information to a website that the attacker can anonymously view.

Next, the attacker finds a way to install the malware on the computers at the CPA firm. Some possible methods include:

  • Entice an employee of the firm to connect an infected USB drive to their computer. Some methods:
    • Disguise the drive as marketing “swag” from a real or fictitious company and give it as a “gift” to the firm. Include additional swag, such as pens and post-it notes, to complete the illusion.
    • Drop the USB drive on the floor of a stall in the bathroom. Include a file called “payroll.xls” or similar on the drive.
    • Install the malware on a novelty USB drive, such as one shaped like a cartoon character, and return the drive to its original packaging. Then either give it to the victim as a “gift” or make it appear as if someone accidentally lost it. The USB drive seems “safe” because it appears to be new.
  • Entice the victim to open an infected document file or click on a link that installs the malware. Some methods:
    • Create a phony identity, including a LinkedIn account, and apply for a job with the CPA firm. Send a resume and cover letter with malware attached.
    • Create a phony online identity and pose as a potential client. Send financial documents with malware attached.
    • Pretend to be a local business or restaurant with an enticing special offer. Send a coupon that carries the malware.

Once the malware is installed, the attacker waits patiently for it to collect data. This process may take days, weeks, or even months. Because the software records keystrokes as they are typed, it captures passwords and financial data before any encryption is applied, so the encryption used on the firm’s network offers no protection against it. The malware periodically uploads the stolen data to a website established by the hacker who created the keylogger software. The attacker copies and analyzes the data, looking for important nuggets of information. When enough information is collected, the attacker can proceed with the remainder of the plan. The attacker may also use (or sell!) the stolen financial information for other nefarious purposes.

In terms of psychological profile, the attacker likely has the following characteristics:

  • Has enough financial knowledge to file tax returns.
  • Understands the culture of a CPA firm and can create tricks to entice its employees into installing malware.
  • Able to create false identities for the purposes of tricking both the employees of the CPA firm and the victims of the tax refund scam.
  • Able to organize the data collected, recognize the useful portions, and isolate the individual victims.
  • Understands the collections industry and can convince the victim that they need to “return” the tax refund.
  • Has enough online savvy to research malware and purchase it from a cybercriminal. Does not need sophisticated technical skills otherwise.

While this attack does not require sophisticated technical skills, it does require insight into the financial services industry, a fair amount of online savvy, and strong organization skills. I suspect that the attacker is college educated with some financial services experience.