Swissquote: New Phishing Campaign Uses IRS Tax Form

General
1

Swissquote Phishing Campaign Leverages Fake IRS W-9 Tax Form

A sophisticated phishing operation targeting Swissquote customers has emerged, masquerading as official communications from the online broker. This campaign exploits the credibility of the U.S. Internal Revenue Service (IRS) by referencing the W-9 tax form, a legitimate document used to certify taxpayer identification numbers. Attackers craft emails that mimic Swissquote’s branding and urgency around tax compliance, tricking recipients into divulging login credentials on fraudulent websites.

The campaign surfaced in mid-May 2024 and continues to circulate widely. Phishing emails arrive with subject lines such as “Swissquote: Bitte füllen Sie das IRS-Steuerformular W-9 aus” (translated: “Swissquote: Please Complete the IRS Tax Form W-9”). The messages claim that Swissquote requires customers to submit or update their W-9 form to avoid disruptions in trading activities or account access, citing impending IRS deadlines. This tactic preys on users’ fears of regulatory non-compliance, particularly those with U.S. tax obligations.

Email Structure and Deceptive Elements

The emails replicate Swissquote’s corporate design meticulously. The sender address spoofs legitimate domains like “noreply@swissquote.com” or variations such as “support@swissquote-update[.]com”. Headers and footers include Swissquote’s logo, contact details, and disclaimers that appear authentic at first glance.

Key body text warns of account suspension if the form is not completed promptly: “Um Ihre Handelsaktivitäten fortzusetzen, bitten wir Sie, das IRS-Steuerformular W-9 so schnell wie möglich auszufüllen.” A prominent button labeled “IRS W-9 Formular ausfüllen” (Fill Out IRS W-9 Form) links to the attackers’ phishing page. Hovering over the link reveals URLs like “swissquote[.]com/login/irs-w9” or typosquatted domains such as “swlssquote-login[.]com”.

Recipients are directed to a replica of Swissquote’s login portal. The fake site employs HTTPS certificates from free providers like Let’s Encrypt, displaying a padlock icon to feign security. The page prompts for username, password, and occasionally two-factor authentication (2FA) codes, capturing credentials in real-time for credential-stuffing attacks elsewhere.

Phishing Infrastructure Breakdown

Security researchers at tarnkappe.info analyzed the infrastructure, identifying multiple command-and-control (C2) domains registered via privacy-protected services. Primary phishing domains include:

  • swissquote-irs-w9[.]com
  • sq-login-secure[.]net
  • my-swissquote-update[.]org

These resolve to IP addresses hosted on bulletproof providers in Eastern Europe, known for lax abuse policies. The phishing kits appear customized, featuring anti-detection scripts that evade automated scanners by randomizing HTML elements and using JavaScript obfuscation.

Post-login, victims may encounter a secondary page mimicking the W-9 form itself, requesting sensitive data like Social Security numbers or bank details. Submitted information is exfiltrated via POST requests to attacker-controlled endpoints. Some variants include malware download prompts disguised as PDF forms, potentially delivering infostealers like RedLine or Vidar.

Swissquote has confirmed the campaign via official channels, advising customers to ignore unsolicited emails requesting form submissions. The broker emphasizes that it never demands credentials via email and uses only verified domains for communications.

User Impact and Detection Tips

While exact victim counts remain undisclosed, the campaign’s scale suggests thousands of emails dispatched daily, leveraging purchased Swissquote customer lists from prior breaches. Compromised accounts risk unauthorized trades, fund withdrawals, or data theft for identity fraud.

To spot these phishing attempts:

  1. Verify Sender Domains: Legitimate Swissquote emails originate from @swissquote.com without alterations. Use tools like VirusTotal for domain checks.

  2. Inspect Links: Hover before clicking; legitimate URLs stay within swissquote.com subdomains.

  3. Check Urgency Tactics: IRS forms are not processed via broker portals; genuine requests direct to official IRS.gov channels.

  4. Enable 2FA Vigilance: Even if phishers capture OTPs, app-based authenticators outperform SMS.

  5. Report Suspicious Emails: Forward to abuse@swissquote.com and phishing@irs.gov.

Organizations like the Anti-Phishing Working Group (APWG) track similar IRS-themed lures, which spike during tax seasons. This Swissquote variant underscores the persistence of business email compromise (BEC) tactics, where financial firms are prime targets due to high-value accounts.

Mitigation Strategies for Financial Institutions

Swissquote’s incident highlights broader vulnerabilities in fintech phishing defenses. Brokers should prioritize:

  • DMARC Enforcement: Strict policies prevent spoofing.
  • Customer Education: Regular simulations and plain-language advisories.
  • AI-Driven Monitoring: Behavioral analytics to flag anomalous login attempts.
  • Zero-Trust Access: Continuous verification beyond credentials.

Users are urged to monitor accounts via Swissquote’s official app or portal, change passwords if exposure is suspected, and scan systems with reputable antivirus software.

This phishing wave exemplifies how attackers blend regulatory compliance fears with trusted brands. Staying vigilant remains the strongest defense in an era of evolving cyber threats.

Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.

What are your thoughts on this? I’d love to hear about your own experiences in the comments below.