The U.S. tax season began when the Internal Revenue Service (IRS) started accepting and processing 2021 tax returns on 24 January 2022. The deadline is set for 18 April 2022, and taxpayers expect to receive email notifications regarding penalties, refunds, and other tax-related issues.
It would also be prudent to expect another type of communication linked to the tax season—phishing scams. Since domains and subdomains are common vehicles for malicious campaigns, WhoisXML API researchers looked into tax-related cyber resources added since 1 January 2022. Our analysis found the following:
Feel free to download the complete list of web properties and relevant data points from our website. We’ll discuss our analysis and research below.
Using Domains and Subdomains Discovery, we retrieved 1,643 unique domains and subdomains linked to the tax season. The table below shows the search strings used and some examples of the cyber resources discovered.
| Search Strings | Domains | Subdomains |
|---|---|---|
| tax + refund | refunding[.]tax, refundtax[.]co[.]kr, ktaxrefunds[.]org | taxrefund[.]livejournal[.]com, refundtax[.]jirehsoriano[.]com, tax-refund[.]sing-post[.]su |
| tax + return | taxreturnprep[.]tax, return-tax[.]net, taxes-return[.]uk | taxreturn[.]californiajob[.]us, taxreturn[.]sprintax[.]ca, tax[.]return[.]canadapayment[.]org |
| tax + payment | taxpayment[.]mx, taxpayment[.]app, payment-irs[.]tax | taxpayment[.]asdx[.]io, paymentm[.]taxi[.]yandex[.]kz, paymentsustax[.]wmtemp[.]com |
| tax + filing | tax4filing[.]in, tax4filing[.]com, metaxfiling[.]com | taxfiling[.]web[.]app, taxfilings[.]myobic[.]com, www[.]taxfiling[.]booth[.]pm |
| tax + irs | firstax[.]ca, irsgovs[.]tax, taxfirst[.]be | irs-tax[.]serveirc[.]com, irs-tax[.]001www[.]com, firstaxe[.]tansukhrathod[.]com |
| tax + 2022 | taxcon2022[.]com, taxref2022[.]com, digitax2022[.]com | taxes2022[.]academywestauto[.]com, taxilab2022[.]web[.]app, skiss2022taxi[.]babyshark[.]se |
| irs + gov | irsgov[.]tk, 4irsgov[.]me, irs-gov[.]ga | irsgov[.]submitdetails[.]net, irsgov[.]additionalpayment[.]info, irs-gov[.]us-get-funds-assistance[.]com |
| 1099 + filing or 1099 + file | 1099konlinefiling[.]com, form1099kelectronicfiling[.]com, efile1099no[.]com | tbsefile1099api[.]tbsuat[.]com, tbsefile1099api[.]taxforall[.]com, tbsefile1099corrapi[.]tbsuat[.]com |
| irs + refund | refundsirs[.]com, refundirstax[.]com, whererefundirs[.]com | refund-irs[.]x24hr[.]com, irs-refunds[.]publicvm[.]com, irstaxsrefunds[.]001www[.]com |
| irs + payment | firstpayment[.]me, payment-irs[.]tax, firstpayment[.]co | irspayment[.]submitdetails[.]us, irspayments[.]oyostate[.]gov[.]ng, payment-irs[.]myvnc[.]com |
These tax-related text strings were used alongside other terms, such as “information,” “relief,” “api,” “mail,” and “payroll.” The word cloud below shows some of the most common terms used in the domains and subdomains besides the tax-related strings.
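The search-string matching described above can be reproduced locally against any host list an organization already holds (passive DNS output, newly registered domain feeds, proxy logs). The script below is an added example and not part of the original post or of WhoisXML API's tooling: it reads each pair such as "tax + refund" as "every term appears somewhere in the host name", refangs the `[.]` notation, splits hosts into the domain and subdomain columns, and re-emits everything defanged. The `MULTI_LABEL_SUFFIXES` set is an assumed stand-in for the public suffix list and the `SAMPLE_HOSTS` list is constructed input that mixes hosts from the table above with one unrelated name.

```python
from collections import defaultdict

# Search-string pairs from the research table. A host matches a pair when every
# term appears somewhere in its name, which is how "tax + refund" is read here.
SEARCH_STRINGS = {
    "tax + refund": ("tax", "refund"),
    "tax + return": ("tax", "return"),
    "tax + payment": ("tax", "payment"),
    "tax + filing": ("tax", "filing"),
    "tax + irs": ("tax", "irs"),
    "tax + 2022": ("tax", "2022"),
    "irs + gov": ("irs", "gov"),
    "1099 + filing": ("1099", "filing"),
    "1099 + file": ("1099", "file"),
    "irs + refund": ("irs", "refund"),
    "irs + payment": ("irs", "payment"),
}

# Assumed stand-in for the public suffix list: only the multi-label suffixes that
# occur in the page's examples. Production tooling should use the full list.
MULTI_LABEL_SUFFIXES = {"co.kr", "co.uk", "gov.ng"}


def refang(host):
    """Normalize a defanged host such as 'irs-gov[.]ga' to 'irs-gov.ga'."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".")


def defang(host):
    """Render a host with '[.]' so it cannot be clicked from a report."""
    return host.replace(".", "[.]")


def registered_domain(host):
    """Return the registrable part of a host (the label directly under its suffix)."""
    labels = refang(host).split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def matching_search_strings(host):
    """Search-string pairs satisfied by the host name, in table order.

    Matching runs over the whole name, suffix included, so a host under a
    'gov.ng' suffix satisfies 'irs + gov' just as the page's example does.
    """
    name = refang(host)
    return [label for label, terms in SEARCH_STRINGS.items()
            if all(term in name for term in terms)]


def classify(hosts):
    """Sort hosts into the domain/subdomain columns of the research table.

    Returns {search string: {"domains": [...], "subdomains": [...]}} with every
    host defanged; hosts matching no search string are left out.
    """
    table = defaultdict(lambda: {"domains": [], "subdomains": []})
    for host in hosts:
        name = refang(host)
        column = "domains" if name == registered_domain(name) else "subdomains"
        for label in matching_search_strings(name):
            table[label][column].append(defang(name))
    return dict(table)


# Constructed sample input: hosts from the page's tables plus one unrelated host.
SAMPLE_HOSTS = [
    "refunding[.]tax",
    "refundtax[.]co[.]kr",
    "taxrefund[.]livejournal[.]com",
    "irs-gov[.]ga",
    "irspayments[.]oyostate[.]gov[.]ng",
    "tbsefile1099api[.]tbsuat[.]com",
    "example[.]com",
]

if __name__ == "__main__":
    for label, columns in classify(SAMPLE_HOSTS).items():
        print(f"{label}: domains={columns['domains']} subdomains={columns['subdomains']}")
```

Substring matching is deliberately loose, which is why it reproduces the table's `firstax[.]ca` style hits ("irs" inside "first") and why a name under `gov[.]ng` lands in two columns at once; the output is a candidate list for an analyst, not a verdict.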
About 12% of the properties uncovered were flagged as malicious. Several of them are domains beginning with “irs-,” as shown in the table below.
| Malicious Domains | Malicious Subdomains |
|---|---|
| profile-tax-irs[.]com | irs-govments-appmaintax[.]bhtermanagappmer[.]com |
| irs-personaltax[.]com | irs-gov[.]us-get-funds-assistance[.]com |
| profile-usairstax[.]com | irs[.]gov[.]taax-refund[.]info |
| irsprofile-usatax[.]com | irs[.]gov[.]g-information[.]info |
| irs-profileaids-tax[.]com | irs[.]gov[.]infrmatiion[.]com |
| irs-gov-ein-confirm[.]com | irs-gov[.]us-coronavirus-tax-relief-impact[.]com |
| irs-government-home[.]com | irs-gov[.]us-economic-impact-payment-funds[.]com |
| irs-government-apply[.]com | irs[.]gov[.]ase-atp[.]net |
| irs-goverments-information[.]com | |
Quite a few of the malicious domains host legitimate-looking content, including these:
While some taxpayers may be fortunate to get a security error (such as the one below) when they try to visit the currently resolving malicious domains, others may not be as lucky.
The IP resolution of the 1,600+ cyber resources points to 594 unique IP addresses. That means some of them are shared by several tax-related properties, which could indicate a network or group of domains managed by the same person or entity.
We saw three significant groups with 83, 75, and 45 domain names each. One example is IP address 162[.]240[.]46[.]188 with 45 tax-related domains, 10 of which are malicious. Among the domains in this group are those that begin with the “irs-” string. These domain types can also be found in the other two groups.
Aside from the IP address, almost all the domains in the groups share the same registrar, nameserver, and privacy redaction method or service.
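The pivot just described (group by resolving IP, then check whether the group also shares a registrar and nameserver) is the part of this research a defender can most usefully automate, because hosts that sit next to flagged ones but are not yet flagged are the candidates most likely to be mobilized later. The script below is an added example and not the post's own code or data: `SAMPLE_RECORDS` is a constructed table whose host names come from the page, while the IPs (RFC 5737 documentation range), registrar and nameserver names and the malicious flags are stand-ins chosen for the example. It summarizes every cluster above a size threshold and builds a watchlist of the unflagged neighbours.

```python
from collections import defaultdict

# Constructed sample records, not the research data set. Host names come from the
# page's tables; the IPs, registrar and nameserver names, and the malicious flags
# are stand-ins chosen for this example.
SAMPLE_RECORDS = [
    {"host": "irs-personaltax[.]com", "ip": "192.0.2.10", "registrar": "Registrar A", "ns": "ns1.hosting-a.example", "malicious": True},
    {"host": "irs-government-home[.]com", "ip": "192.0.2.10", "registrar": "Registrar A", "ns": "ns1.hosting-a.example", "malicious": True},
    {"host": "irs-government-apply[.]com", "ip": "192.0.2.10", "registrar": "Registrar A", "ns": "ns1.hosting-a.example", "malicious": True},
    {"host": "taxref2022[.]com", "ip": "192.0.2.10", "registrar": "Registrar A", "ns": "ns1.hosting-a.example", "malicious": False},
    {"host": "taxpayment[.]app", "ip": "192.0.2.10", "registrar": "Registrar A", "ns": "ns1.hosting-a.example", "malicious": False},
    {"host": "refundtax[.]co[.]kr", "ip": "192.0.2.20", "registrar": "Registrar B", "ns": "ns1.hosting-b.example", "malicious": False},
    {"host": "tax4filing[.]in", "ip": "192.0.2.20", "registrar": "Registrar B", "ns": "ns1.hosting-b.example", "malicious": False},
    {"host": "taxcon2022[.]com", "ip": "192.0.2.30", "registrar": "Registrar C", "ns": "ns1.hosting-c.example", "malicious": False},
]


def refang(host):
    """Normalize a defanged host name for string comparisons."""
    return host.strip().lower().replace("[.]", ".")


def cluster_by(records, key):
    """Group records by one pivot attribute: 'ip', 'registrar' or 'ns'."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[key]].append(rec)
    return groups


def summarize_clusters(records, key="ip", min_size=3):
    """Describe every group of at least min_size hosts sharing the same pivot value.

    Each summary carries the malicious count, how many hosts use an 'irs-'
    lookalike prefix, and the distinct registrars and nameservers seen, so an
    analyst can judge whether the group looks like one operator's infrastructure.
    """
    summaries = []
    for value, members in cluster_by(records, key).items():
        if len(members) < min_size:
            continue
        summaries.append({
            key: value,
            "hosts": len(members),
            "malicious": sum(1 for r in members if r["malicious"]),
            "irs_prefixed": sum(1 for r in members if refang(r["host"]).startswith("irs-")),
            "registrars": sorted({r["registrar"] for r in members}),
            "nameservers": sorted({r["ns"] for r in members}),
        })
    return sorted(summaries, key=lambda s: -s["hosts"])


def watchlist(records, key="ip"):
    """Unflagged hosts that share a pivot value with at least one flagged host.

    These are the not-yet-mobilized neighbours worth monitoring or blocking early.
    """
    flagged_values = {r[key] for r in records if r["malicious"]}
    return sorted(r["host"] for r in records
                  if not r["malicious"] and r[key] in flagged_values)


if __name__ == "__main__":
    for summary in summarize_clusters(SAMPLE_RECORDS):
        print(summary)
    print("watchlist:", watchlist(SAMPLE_RECORDS))
```

Running the same summary with `key="registrar"` or `key="ns"` shows whether the IP-based cluster holds together on the other attributes the post names; a cluster that agrees on all three is a stronger signal of a single operator than shared hosting alone, since many unrelated sites legitimately share an IP.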
As the tax deadline draws near, malicious campaigns targeting taxpayers may escalate, and more of the domains found in this research may be mobilized. Detecting them earlier can help protect individuals, small businesses, and other entities prone to phishing.
If you’re interested in the domains and subdomains related to the IRS and tax season discussed in this post, you can download the research materials here. You may also contact us for research collaboration.