Online Security Alert: Beware, It's Tax Season

By Matthew Harwood

01/28/2010 -

Oklahomans about to file their state taxes should be cautious when they visit the the tax commission's Web site: it's riddled with malicious code and is dangerous, warns a prominent security researcher.

In a post today on his blog, Roger Thompson, chief research officer for AVG, says hackers infected the Oklahoma Tax Commission in an exploit that targets Adobe Reader. When an unprotected online user visits the site, an "Adobe License Agreement" pops up asking whether you want to accept or decline it. If you haven't patched your Adobe Reader, Thompson told Security Management, then you're infected.

"Whether you accept or decline, you get nailed," he said.

Thompson says the malicious code probably installs keyloggers that can steal sensitive information like Social Security numbers, payment card information, and other sensitive information.

The good news about this attack, Thompson noted, is that the hackers probably didn't specifically target the Oklahoma Tax Commission. The Web site was probably an unintended victim: "wrong place, wrong time," he said.

"The attacks are automated," Thompson said. "They write programs to hack into Web sites in bulk." Thompson traced the attack back to an IP address in the Netherlands, registered by a Russian e-mail address, using a Turkish Internet Service Provider.

Regardless, the Oklahoma Tax Commission's IT professionals have some work to do.

"The Oklahoma tax guys need to clean their system and figure out how they got in,” Thompson said.

The attack, he added, should raise people's awareness that tax season offers cyberthieves numerous opportunities to install malicious code on your computer to try to steal your identity and your money.

To limit your exposure to these types of attacks, Thompson said the best way is to keep your computer programs' patched and your antivirus up to date. An additional safeguard is to install behavioral analysis software that shuts down any activity it finds suspicious.

♦ Screenshot of Oklahoma Tax Commission from AVG Blogs/Roger Thompson

Login or register to post comments
Printer-friendly version

Comments

View Recent News (by day)

Law enforcement does not need a warrant to obtain the IP addresses for Twitter users, according to a recent decision. In investigating contributors to Wikileaks, the federal government asked Twitter to turn over the suspects’ account information. A U.S. district court ruled that the government does not need a warrant and that Twitter users have no expectations of privacy.

Security Management is the award-winning publication of ASIS International, the preeminent international
organization for security professionals, with more than 37,000 members worldwide.

ASIS International, Inc. Worldwide Headquarters, 1625 Prince Street, Alexandria, Virginia 22314-2818 U.S.A.
703-519-6200 | fax 703-519-6299 | www.asisonline.org

© 2012 Security Management
This site is protected by copyright and trade mark laws under U.S. and International law.
No part of this work may be reproduced without the written permission of Security Management.

Online Security Alert: Beware, It's Tax Season

Comments

View Recent News (by day)

Related Stories

Computer Security Handbook, Volumes 1 & 2, 5th Edition

Privacy