Normally, the malware, or spyware injected into systems to steal personal information are Keyloggers. This malware (spyware) records key strokes on a system and transmits them back to the criminals, who normally are using it to commit identity theft.
Interestingly enough, a lot of this technology is legal and routinely sold over the internet.
Here are two updated warnings from Websense and the IRS, itself:
Websense Security Labs has discovered tax attacks targeting the U.S. in several countries outside of the U.S. hosted on compromised web servers. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a website to verify their information. Users receive one of a variety of email messages with a link to a fraudulent website. Upon accessing the spoofed tax website, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information which can be used for withdrawing funds.
For the full press release by Websense:
Tax Attacks: Tech Thieves Target Online Tax Return Filers
Just a few days ago, the IRS itself updated their warning on this activity.
The following are examples of recent schemes reported on the IRS (updated) warning:
e-Mails claiming to come from email@example.com, firstname.lastname@example.org or other variations on the irs.gov theme told the recipients that they were eligible to receive a tax refund for a given amount. It directed recipients to claim the refund by using a link contained in the e-mail which sent the recipient to a Web site. The site, a clone of the IRS Web site, displayed an interactive page similar to a genuine IRS one; however, it had been modified to ask for personal and financial information that the genuine IRS interactive page does not require.
The Treasury Inspector General for Tax Administration (TIGTA) has reported that it found 12 separate Web sites in 18 different countries hosting variations on this scheme.
A bogus IRS letter and Form W-8BEN (Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding) asked non-residents to provide personal information such as account numbers, PINs, mother's maiden name and passport number. The legitimate IRS Form W-8BEN, which is used by financial institutions to establish appropriate tax withholding for foreign individuals, does not ask for any of this information.
To protect against potential identity thieves, take the following steps:
Be skeptical of communications you receive from sources you are not expecting. Verify the authenticity of phone calls, standard mail, faxes or e-mails of questionable origin before responding.
Do not reveal secret passwords, PINs or other security-based data to third parties; genuine organizations or institutions do not need your secret data for ordinary business transactions.
Do not click on links contained in possibly questionable e-mails; instead, go directly to the site already known to be genuine. For example, the only address for the IRS Web site is www.irs.gov, any other variations on this will not lead to the legitimate IRS Web site.
Do not open attachments to e-mails of possibly questionable origin, since they may contain viruses that will infect your computer.
Shred paper documents containing private financial information before discarding.
To report the fraudulent misuse of the IRS name, logo, forms or other IRS property, you may contact the TIGTA toll-free hotline at 1-800-366-4484 or visit the TIGTA Web site.
Those who think their identity has been stolen should visit the Federal Trade Commission's Web site for information about how to handle the aftermath of identity theft.
Here are some previous posts on tax fraud: