Home / Industry

Be Wary of Bogus Web Properties This Tax Season

The U.S. tax season began when the Internal Revenue Service (IRS) started accepting and processing 2021 tax returns on 24 January 2022. The deadline is set for 18 April 2022, and taxpayers expect to receive email notifications regarding penalties, refunds, and other tax-related issues.

It would also be prudent to expect another type of communication linked to the tax season—phishing scams. Since domains and subdomains are common vehicles for malicious campaigns, WhoisXML API researchers looked into tax-related cyber resources added from 1 January 2022. Our analysis found the following:

  • 1,600+ domains and subdomains containing combinations of text strings connected to the tax season, such as “tax,” “refund,” “return,” “irs,” “1099,” “payment,” “filing,” and “gov”
  • 1,600+ IP resolutions to 590+ unique IP addresses, leading to three groups of tax-related domains
  • 12% of the tax-related resources have been reported as malicious by various malware engines

Feel free to download the complete list of web properties and relevant data points from our website. We’ll discuss our analysis and research below.

1,600+ Tax-Related Domains and Subdomains

Using Domains and Subdomains Discovery, we retrieved 1,643 unique domains and subdomains linked to the tax season. The table below shows the search strings used and some examples of the cyber resources discovered.

Search StringsDomainsSubdomains
tax + refund• refunding[.]tax
• refundtax[.]co[.]kr
• ktaxrefunds[.]org
• taxrefund[.]livejournal[.]com
• refundtax[.]jirehsoriano[.]com
• tax-refund[.]sing-post[.]su
tax + return• taxreturnprep[.]tax
• return-tax[.]net
• taxes-return[.]uk
• taxreturn[.]californiajob[.]us
• taxreturn[.]sprintax[.]ca
• tax[.]return[.]canadapayment[.]org
tax + payment• taxpayment[.]mx
• taxpayment[.]app
• payment-irs[.]tax
• taxpayment[.]asdx[.]io
• paymentm[.]taxi[.]yandex[.]kz
• paymentsustax[.]wmtemp[.]com
tax + filing• tax4filing[.]in
• tax4filing[.]com
• metaxfiling[.]com
• taxfiling[.]web[.]app
• taxfilings[.]myobic[.]com
• www[.]taxfiling[.]booth[.]pm
tax + irs• firstax[.]ca
• irsgovs[.]tax
• taxfirst[.]be
• irs-tax[.]serveirc[.]com
• irs-tax[.]001www[.]com
• firstaxe[.]tansukhrathod[.]com
tax + 2022• taxcon2022[.]com
• taxref2022[.]com
• digitax2022[.]com
• taxes2022[.]academywestauto[.]com
• taxilab2022[.]web[.]app
• skiss2022taxi[.]babyshark[.]se
irs + gov• irsgov[.]tk
• 4irsgov[.]me
• irs-gov[.]ga
• irsgov[.]submitdetails[.]net
• irsgov[.]additionalpayment[.]info
• irs-gov[.]us-get-funds-assistance[.]com
1099 + filing or
1099 + file
• 1099konlinefiling[.]com
• form1099kelectronicfiling[.]com
• efile1099no[.]com
• tbsefile1099api[.]tbsuat[.]com
• tbsefile1099api[.]taxforall[.]com
• tbsefile1099corrapi[.]tbsuat[.]com
irs + refund• refundsirs[.]com
• refundirstax[.]com
• whererefundirs[.]com
• refund-irs[.]x24hr[.]com
• irs-refunds[.]publicvm[.]com
• irstaxsrefunds[.]001www[.]com
irs + payment• firstpayment[.]me
• payment-irs[.]tax
• firstpayment[.]co
• irspayment[.]submitdetails[.]us
• irspayments[.]oyostate[.]gov[.]ng
• payment-irs[.]myvnc[.]com

These tax-related text strings were used alongside other terms, such as “information,” “relief,” “api,” “mail,” and “payroll.” The word cloud below shows some of the most common terms used in the domains and subdomains besides the tax-related strings.

Malicious Domains Detected

About 12% of the properties uncovered were flagged as malicious. Some examples include a bunch of domains beginning with “irs-,” as shown below.

Malicious DomainsMalicious Subdomains
• profile-tax-irs[.]com
• irs-personaltax[.]com
• profile-usairstax[.]com
• irsprofile-usatax[.]com
• irs-profileaids-tax[.]com
• irs-gov-ein-confirm[.]com
• irs-government-home[.]com
• irs-government-apply[.]com
• irs-goverments-information[.]com
• irs-govments-appmaintax[.]bhtermanagappmer[.]com
• irs-gov[.]us-get-funds-assistance[.]com
• irs[.]gov[.]taax-refund[.]info
• irs[.]gov[.]g-information[.]info
• irs[.]gov[.]infrmatiion[.]com
• irs-gov[.]us-coronavirus-tax-relief-impact[.]com
• irs-gov[.]us-economic-impact-payment-funds[.]com
• irs[.]gov[.]ase-atp[.]net

Quite a few of the malicious domains host legitimate-looking content, including these:

While some taxpayers may be fortunate to get a security error (such as the one below) when they try to visit the currently resolving malicious domains, others may not be as lucky.

Groups of Tax-Related Domains

The IP resolution of the 1,600+ cyber resources points to 594 unique IP addresses. That means some of them are shared by several tax-related properties, which could indicate a network or group of domains managed by the same person or entity.

We saw three significant groups with 83, 75, and 45 domain names each. One example is IP address 162[.]240[.]46[.]188 with 45 tax-related domains, 10 of which are malicious. Among the domains in this group are those that begin with the “irs-” string. These domain types can also be found in the other two groups.

Aside from the IP address, almost all the domains in the groups share the same registrar, nameserver, and privacy redaction method or service.

As the tax deadline draws near, malicious campaigns targeting taxpayers may escalate, and more of the domains found in this research may be mobilized. Detecting them earlier can help protect individuals, small businesses, and other entities prone to phishing.

If you’re interested in the domains and subdomains related to the IRS and tax season discussed in this post, you can download the research materials here. You may also contact us for research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC