The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Watch out for online scams and vulnerabilities this tax season


Welcome to The Cybersecurity 202! For those of you who follow my illustrious fantasy basketball career, I finished with one championship in a 10-team league, and finished second in two 12-team leagues. I remain well in the 99th percentile among Yahoo fantasy players. There’s no good ending to this greeting other than to make fun of myself for bragging about something so inconsequential.


Below: A major cybercrime market has been seized, and Twitter’s open-sourced recommender algorithm leads to concerns about manipulation. First:

Taxpayers and tax agencies must keep their heads on a swivel for cyberthreats

Every tax season brings an array of online scams and cyberthreats to taxpayers and tax agencies alike. But each tax season also brings its own customized sprinkling of vulnerabilities and risks, and 2023 is proving no different.

Anytime money is changing hands, cybercriminals are likely to flock there for the chance to steal it. Taxes paid and refunded make for an attractive temptation. In the most recent fiscal year, individual and corporate income taxes totaled more than $1 trillion. Refunds paid in the 2022 calendar year totaled $360 billion.

When it comes to scams during tax season, “the same-old, same-old is still working,” Lisa Plaggemier, executive director of the National Cybersecurity Alliance, told me. At the same time, though, email phishing lures and other techniques evolve. 

“Pick something out of the headlines, and they're going to use whatever is topical, just like marketers do to try and get our attention,” she said.

It all adds up to giving the average citizen a lot to be careful about during tax season.


The Internal Revenue Service annually calls out the biggest threats it’s seeing for taxpayers. Many of them have a cyber or online element.

“Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people,” said IRS Commissioner Danny Werfel. “With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts. People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season.” Werfel also warned people to avoid following tax advice on social media.

Private sector companies also round up the top threats each year. Sometimes they choose to focus on overarching trends, and sometimes they highlight specific tactics.

Securonix last week highlighted one specific group of Russian-speaking hackers, which the cyber company dubbed TACTICAL#OCTOPUS, that uses highly customized lures designed to keep the ruse from being detected.

  • “They’re customizing documents to the victims,” Oleg Kolesnikov, vice president of threat research for the company, told me. “They’re very adaptive. … There’s a level of sophistication that they go with as part of the attack that is very unusual, and we’re not sure why. For a typical tax-based scam, you would see trivial” malware, he said.
  • “These guys are spending a lot of effort trying to obfuscate stuff, trying to evade detection,” he said. “It is possible they were going after some high-profile targets.”

Typically, people who tend to be outside the workforce are among the most vulnerable targets for tax-based cyber scams, Plaggemier said. That’s because people with steady employment at companies are more likely to get training there on how to avoid cyberthreats, she said.

There are signs of progress against certain kinds of scams, though, she said. After arrests at a call center in India in 2016, she noticed a big drop-off in the number of tax scam calls.


Some things are outside the control of taxpayers.

A Treasury Department inspector general report published last week found weaknesses in the security of an IRS case management system. Those weaknesses “can pose a substantial risk to taxpayer records currently residing in the system,” the report states. “The potential harm includes breach, unauthorized access and disclosure of taxpayer information.”

The IRS accepted the inspector general’s recommendations for shoring up those flaws.

The IRS also has used to verify user identities, and the agency scrapped its plans to require millions of Americans to use the company’s facial recognition technology when it came under scrutiny. A government-developed alternative for verifying identities has faced its own criticisms.

What’s more, researchers found malware in an IRS-approved electronic filing service provider, Ax Sharma of Bleeping Computer reported Tuesday.

That wasn’t the only news about tax defenses on Tuesday, either. The IRS has been looking to purchase an internet-monitoring tool that has raised concerns from cybersecurity professionals, Joseph Cox reported for Motherboard. Evidence suggests “the intended use case may be defensive in nature” for the IRS, Cox wrote. The IRS didn’t answer questions from Motherboard.

The keys

Major cybercrime market seized by FBI

Notorious cyber fraud marketplace Genesis Market was taken down by an operation conducted by the FBI, Sean Lyngaas reports for CNN, citing a notice on the site.

“The bureau seized the web domains of Genesis Market, an invitation-only crime forum that sells login information stolen from hundreds of thousands of computers, pursuant to a court order from the U.S. District Court for the Eastern District of Wisconsin,” the report says.

Genesis served as a global platform for the exchange of stolen data, including login credentials and various website vulnerabilities. The Genesis marketplace let individuals purchase digital “fingerprints” that let them impersonate victims’ web browsers and continually access users’ accounts without setting off warnings, according to the report.

The site’s seizure follows an earlier FBI-led takedown of cybercrime forum BreachForums last month.

New ransomware the fastest encryptor researchers have seen yet

A new strain of ransomware threat known as Rorschach has been deemed the fastest-encrypting ransomware in circulation, Bill Toulas reports for BleepingComputer.

The story cites a speed analysis from Check Point in which Rorschach’s encryption of 220,000 files took 4.5 minutes to complete, compared with LockBit v3.0, another common ransomware strain, which took 7 minutes.

Notably, the ransomware will only encrypt a victim’s machine if it is configured with a language from outside the Commonwealth of Independent States (CIS), a zone of several former Soviet republics.

Open sourcing the Twitter recommendation algorithm unlocks door for manipulation

A researcher has warned that Elon Musk’s decision to open-source Twitter’s content recommender algorithm can be leveraged to silence certain accounts, AJ Vicens reports for CyberScoop.

Vicens writes that Mitre assigned a Common Vulnerabilities and Exposures (CVE) designation to part of the recently open-sourced code after an Argentina-based developer flagged potential flaws on GitHub, a popular code repository site.

  • The CVE says that the microblogging platform’s current recommender engine “allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.”

A Twitter blog post argued that the open-sourcing of the recommender algorithm code is a next step for transparency between Twitter stakeholders, the story notes. The company didn’t respond to CyberScoop’s request for comment.

Government scan

DHS adds artificial intelligence subcommittee to Homeland Security Advisory Council (Inside Cybersecurity)

Watchdog dings Energy Dept over cloud security (Federal Computer Week)

Global cyberspace

Spain's most dangerous and elusive hacker now in police custody (Bleeping Computer)

E.U. Prosecutor probes Greek ‘Predatorgate’ (Euractiv)

Britain uses cyber capabilities to counter enemies online - GCHQ (Reuters)

Arid Viper hacking group using upgraded malware in Middle East cyber attacks (The Hacker News)

Cyber insecurity

Hackers can remotely open smart garage doors across the world (Motherboard)

Encryption wars

We all should worry about the Dish and Sling TV cyberattack (Shira Ovide)

Privacy patch

TikTok fined $16 million in UK for misusing kids' data as scrutiny of Chinese-owned app intensifies (CNBC)

How publications can support writers and sources experiencing digital harassment (The Open Notebook)

Secure log off

Thanks for reading. See you tomorrow.