Spear Phishermen Target Corporate W-2 Data

Spear Phishermen Target Corporate W-2 Data

The Back Story

seagate money-treesproutslogo-erm






As if tax season is not already stressful enough, the season ending April 15, 2016 has just became more stressful for employees of 6 companies. It wouldn’t be surprising if more companies were revealed as victims, but at the time of this writing, there are only 6 known victim organizations.

The attack: accidental release of W-2 tax forms of employees to unauthorized parties.

The [known] victims: Seagate storage and hard drive manufacturer, Money Tree Lending Company, Sprouts Farmer’s Market, Environmental Resource Management (ERM), Care.com, and social media giant, Snapchat.

The how: via spear-phishing comptrollers, controllers, accountants, and Chief Financial Officers (CFOs).

The why: this is currently undetermined, but a safe assumption to steal identities, embarrass companies, file false tax returns, and/or a combination of any or all of the possibilities and beyond.
This prompted the IRS to release this notice:

The IRS has learned this scheme — part of the surge in phishing emails seen this year — already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”


February 28, 2016: SnapChat issues a blog post detailing their breach. The attacker spoofed the CEO and requested the information.

March 1, 2016: ERM issues a press release detailing their breach that occurred on February 29, 2016. The attacker spoofed a senior employee and requested the information.

March 1, 2016: Seagate issues a statement detailing their breach occurred. The attacker spoofed a senior employee and requested the information. This seems to be a trend.

March 4, 2016: MoneyTree issues a press release detailing their breach. The attacker spoofed the co-founder and requested the information.

March 10, 2016: Care.com issues a press release detailing their breach that occurred on March 3, 2016. I don’t believe in coincidences, this seems as if these all have the same attacker or the attackers are somehow connected. They could be using the same malware and hacking tools.

March 23, 2016: Sprouts announces that they are the most recent victim of this attack, using the same modis operandi as all the other breaches.

Our Analysis

Wow! What more can we say? This is theft on a massive scale but it is not using technical means. Aside from the obvious email and spoofing, there seems to be no coding or code injections, nor are there any signs of firewalking or fragmentation attacks, nor are there any known flaws in any software that enabled this to occur. This seems to firmly rest on the shoulders of the administrators of the victim security programs – specifically the security awareness program. While a security awareness program is not an absolute solution, let’s face it: nothing is, it is a low cost solution that directly covers the layer of users. Southern Fried Security podcast did an excellent episode about the programs. They brought in commentary from various experts (below in the Prevention section) and discussed the gap in implementation and execution as well as things that they’d seen that worked.

Frankly, 100% of this could have been prevented. There are too many measures that allow people to verfiy the source of an email asking for information of that sensitivity level. The organizations could implementation and train the employees in the use of encryption and/or digital signatures, the recipient could have contacted the “whale” and verified the information, and finally why would the recipients believe that non-finance personnel (CFO, Accountant, Comptroller, or Controller) have a valid NEED TO KNOW for the data they sent. This signals the necessity for enhanced social engineering training and testing.



Prevention is tied to our analysis. While training is no absolute solution, with various people calling it between 20 and 80% effective, it is an essential means of securing the “front line” and should absolutely be considered part of any and every defense in depth strategy. While it is not explicitly a detective or preventative control, it can certainly be a sound compensating control to complement something more technology based such as an email filter or antivirus software.


From a non-technical perspective, user awareness is paramount. Training the users to look for sketchy requests, sensitive data, and other nefarious objectives is the responsibility of the security team. This should be integrated into policy, into training, and into the organization culture from the CEO down to the intern. A user understanding what social engineering is and what to do when something “is off” is the easiest and cheapest first line of defense. See Training Advice below for more information regarding this.


There are few technical solutions to this type of issue. The first that come to mind are encryption, digital signatures, email filters, Bayesian filters, and [maybe] antivirus software. The encryption wouldn’t accomplish much if we are talking about data-in-transit unless the key was based off of Public Key Infrastructure (PKI) and the attacker could not compromise the spoofed party’s private key to decrypt the file. In terms of data-at-rest, this could have saved the data ONLY if the victim employee redirected the attacker to the files or sent the files encrypted and used out of channel communications to provide the key, at which time they would find out that the request was spoofed.

Digital signatures would have had to have been employed in advance. The recipient would have seen that the sender did not sign the email and would, in theory, question the integrity of the email. Email and Bayesian filters rely on others reporting the source IP and the text contents of the emails. Bayesian filters assess word usages and periodicity in determining what is legitimate and what is spam or phishing. Antivirus would have likely not picked this up, but if it were a corporate AV implementation, the Data Loss Prevention (DLP) module of the software may have picked it up.

Awareness Training Advice

  • Keep it short and sweet
  • Make it easy for the target audience to relate to it
  • Customize it for the organization
    • Use specific points of contacts and mention explicit organization policy
  • Train at least annually, ideally more often
  • Run tests, both announced and unannounced
  • Create a bounty program where people report phishing for points and/or prizes
    • Maybe recognition, a shirt, parking spot, etc.
  • Contact Us for Cybersecurity Awareness and Social Engineering/Phishing training and testing

Other APS Posts

Google Fixes Kernel Vulnerability
4 Things to Know About Ransomware
Ransomware Hits Mac Computers
IRS Targeted in Another Cyberattack
Linux Mint ISO Embedded with Backdoor

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.


IRS notice
CNN Money article about SnapChat
SnapChat blog post
Info Security Magazine article about ERM
ERM Press Release
Krebs on Security article about Seagate
Krebs on Security article about MoneyTree
Info Security Magazine article about Care.com
Care.com press release
Info Security Magazine article about Sprouts
Southern Fried Security podcast

Enter your email address:

Delivered by FeedBurner

Subscribe to our mailing list

* indicates required

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.