Over 100,000 people were targeted by a large-scale summer threat campaign using fake IRS websites.
The extensive phishing campaign was discovered by researchers at cloud security solutions provider Akamai.
Akamai's research team recorded threat actors using hundreds of different domains and URLs to impersonate the Internal Revenue Service of the United States over a two-month period beginning in mid-August 2019.
Users were all directed to the same fake IRS login page, where they were asked to enter sensitive information, including their email address and password.
In total, the campaign used at least 289 different domains and 832 URLs to target people all over the world. Most remained active for fewer than 20 days.
Most of the activity took place in the second half of August, but researchers observed new websites being activated periodically over a 47-day period.
Threat actors appear to have targeted legacy websites, perhaps in an effort to delay detection.
Or Katz, principal lead security researcher at Akamai, told Infosecurity Magazine: "According to our analysis, we suspect that many of the websites that hosted the IRS phishing page are compromised (meaning that they are legit websites that have been taken over or hijacked by criminals).
"In many cases these are legacy websites with minimal/no maintenance involved. This is what makes them vulnerable in the first place. Moreover, once compromised, it might also take more time to execute remediation of the vulnerability and cleaning of the website content."
Katz suspects that opting for an August launch date was a calculated decision by the threat actors.
He said: "According to past phishing research I was doing, August is a good time to get more engagement from victims. It might be related to being on vacations and having more time to read personal emails, browse, and use social networks. But scams like this can show up at any time of the year because it is a topic that gets attention and, in some cases, causes fear, leading the victim to take an action such as providing sensitive information, downloading a file, or clicking a malicious link."
Asked why he thought attackers had chosen to impersonate America's Internal Revenue Service, Katz replied: "I haven’t seen many IRS attacks in the past year, and it might be associated with that, as it wouldn't be in victims' attention to be aware of campaigns associated with IRS.
"The second reason is related to the IRS being trustworthy and an official brand; that can create more engagement from victims."