Executive Summary
Between June 2016 and June 2021, Matthew A. Akande, a Nigerian national residing in Mexico, orchestrated a cyber intrusion targeting Massachusetts tax preparation firms. Utilizing phishing emails embedded with Warzone RAT malware, Akande and his co-conspirators gained unauthorized access to sensitive client data, including personally identifiable information (PII) and prior tax records. This stolen information was then used to file over 1,000 fraudulent tax returns, seeking more than $8.1 million in refunds. The illicit proceeds, totaling over $1.3 million, were funneled through U.S. bank accounts and partially transferred to associates in Mexico. (justice.gov)
This case underscores the persistent threat posed by sophisticated phishing attacks and the exploitation of remote access tools in financial fraud schemes. The incident highlights the critical need for robust cybersecurity measures within tax preparation firms to safeguard client data against such intrusions.
Why This Matters Now
The sentencing of Matthew Akande serves as a stark reminder of the vulnerabilities within financial institutions to phishing and malware attacks. As tax season approaches, firms must prioritize enhancing their cybersecurity protocols to prevent similar breaches and protect sensitive client information.
Attack Path Analysis
The attackers initiated the campaign by sending phishing emails containing malicious attachments to employees of tax preparation firms, leading to the installation of Warzone RAT. Upon execution, the malware established persistence and escalated privileges to maintain control over the compromised systems. The attackers then moved laterally within the network to access sensitive client data. Warzone RAT facilitated command and control communications, allowing the attackers to manage the compromised systems remotely. The stolen data was exfiltrated to attacker-controlled servers. Finally, the attackers used the exfiltrated data to file fraudulent tax returns, resulting in financial losses.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails with malicious attachments to employees of tax preparation firms, leading to the installation of Warzone RAT.
Related CVEs
CVE-2017-11882
CVSS 7.8. A memory corruption vulnerability in Microsoft Office allows remote code execution via a specially crafted file.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
CVE-2018-0802
CVSS 7.8. A memory corruption vulnerability in Microsoft Office allows remote code execution via a specially crafted file.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Link
Malicious Link
Command and Scripting Interpreter
Valid Accounts
Application Layer Protocol
Email Collection
Archive Collected Data
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity Management and Access Control
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Accounting
Tax preparation firms directly targeted through phishing campaigns deploying Warzone RAT malware, compromising client data for fraudulent tax refund schemes totaling $8.1 million.
Financial Services
Banking networks exploited for fraudulent tax refund deposits and cash withdrawals, requiring enhanced egress security controls and anomaly detection for unauthorized financial transactions.
Government Administration
IRS systems targeted for $1.3 million in fraudulent refunds through compromised taxpayer data, highlighting the need for zero trust segmentation and encrypted traffic protection.
Law Enforcement
International cybercrime investigation spanning Nigeria, Mexico, UK, and US demonstrates critical need for cross-border threat detection capabilities and incident response coordination frameworks.
Sources
- Nigerian man sentenced to 8 years in prison for running phony tax refund scheme – https://cyberscoop.com/nigerian-matthew-akande-tax-refund-fraud/
- Nigerian Man Sentenced to Eight Years in Prison for Computer Intrusion and Theft – https://www.justice.gov/usao-ma/pr/nigerian-man-sentenced-eight-years-prison-computer-intrusion-and-theft
- WarZone (Trojan) – Malware - CyberMaterial – https://cybermaterial.com/warzone-trojan-malware/
- BlackBerry Prevents: Warzone RAT – https://blogs.blackberry.com/en/2021/12/blackberry-prevents-warzone-rat
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily focuses on network-level controls, it could have complemented endpoint security measures by providing visibility into anomalous network behaviors associated with initial compromise.
Control: Zero Trust Segmentation
Mitigation: By enforcing strict segmentation, Aviatrix CNSF would likely have constrained the malware's ability to interact with other systems, limiting its operational scope.
Control: East-West Traffic Security
Mitigation: Aviatrix CNSF would likely have limited lateral movement by enforcing east-west traffic controls, reducing the attacker's ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: With enhanced visibility, Aviatrix CNSF would likely have detected and constrained unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix CNSF would likely have restricted unauthorized data exfiltration by enforcing egress policies, limiting outbound data transfers.
By limiting data exfiltration, Aviatrix CNSF would likely have reduced the volume of sensitive data available to attackers, thereby mitigating potential financial losses.
Impact at a Glance
Affected Business Functions
- Tax Preparation Services
- Client Data Management
Estimated downtime: 30 days
Estimated loss: $1,393,230
Personally Identifiable Information (PII) of tax preparation clients, including Social Security numbers and prior year tax information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network, limiting attackers' ability to access sensitive data.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized access attempts.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration by monitoring outbound traffic.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- Adopt Multicloud Visibility & Control solutions to gain comprehensive insights into network activities across cloud environments.
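The segmentation and egress recommendations above can be expressed as a policy that is evaluated against flow records, so that the lateral movement (workstation to workstation) and the direct-to-internet exfiltration seen in this attack path are flagged rather than silently permitted. The script below is an added illustration written for this page; it is not code from the original report or from Aviatrix, and the segments, allow-lists, byte threshold and the sample flow lines are all constructed for the example.

```python
"""Flow-log policy check: flags east-west lateral movement and unauthorised egress.

Constructed example. Segments, allow-lists, the volume threshold and the sample
flow records are invented for illustration; they are not from the incident or
from any vendor product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network segments (zero trust segmentation model).
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "egress_proxy": ip_network("10.30.0.0/24"),
}

# East-west allow-list: (src_segment, dst_segment, dst_port) tuples that are permitted.
# Everything not listed here is denied, including traffic inside one segment.
EAST_WEST_ALLOW = {
    ("workstations", "servers", 445),        # file server access
    ("workstations", "egress_proxy", 3128),  # all internet access goes via the proxy
}

# Egress allow-list: external destinations the proxy itself may reach (constructed range).
EGRESS_ALLOW = {ip_network("203.0.113.0/24")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def segment_of(addr):
    """Return the segment name for an internal address, or None if external."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate_flow(flow, egress_byte_threshold=50_000_000):
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    src_seg = segment_of(flow.src)
    dst_seg = segment_of(flow.dst)
    if src_seg is None:
        return ("deny", "inbound from external not covered by this check")
    if dst_seg is not None:
        # Internal destination: east-west policy applies.
        if (src_seg, dst_seg, flow.dport) in EAST_WEST_ALLOW:
            return ("allow", "permitted east-west flow")
        if src_seg == dst_seg:
            return ("deny", f"intra-segment traffic {src_seg}->{dst_seg}:{flow.dport} not allowed")
        return ("deny", f"east-west {src_seg}->{dst_seg}:{flow.dport} not in allow-list")
    # External destination: egress policy applies.
    if src_seg != "egress_proxy":
        return ("deny", f"direct egress from {src_seg} bypasses proxy")
    if not any(ip_address(flow.dst) in net for net in EGRESS_ALLOW):
        return ("deny", "egress destination not in allow-list")
    if flow.bytes_out > egress_byte_threshold:
        return ("deny", "egress volume exceeds threshold")
    return ("allow", "permitted egress")


def parse_flow_line(line):
    """Parse a constructed record of the form 'src dst dport bytes'."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


# Constructed sample flow records: two benign flows, a workstation-to-workstation
# hop, a workstation talking straight to the internet, a permitted proxy egress,
# and a proxy egress to an unlisted destination.
SAMPLE_FLOWS = """\
10.10.0.15 10.20.0.5 445 12000
10.10.0.15 10.10.0.22 445 8000
10.10.0.15 10.30.0.2 3128 4000
10.10.0.15 198.51.100.77 443 900000
10.30.0.2 203.0.113.10 443 25000
10.30.0.2 198.51.100.77 443 3000
"""


def audit(text):
    """Return a list of (record, reason) for every denied flow in the log text."""
    denied = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict, reason = evaluate_flow(parse_flow_line(line))
        if verdict == "deny":
            denied.append((line, reason))
    return denied


if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {record}  # {reason}")
```

Run against the constructed sample, three of the six records are denied: the workstation-to-workstation hop (lateral movement), the workstation's direct connection to an external host (proxy bypass, the path a RAT's C2 and exfiltration would take), and the proxy's connection to a destination outside the egress allow-list. The design point is default deny in both directions: a flow is only allowed when it matches an explicit east-west or egress rule.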