Interactive Brokers Phishing Scam: Fake IRS W-8BEN Renewal Alert
A recently discovered phishing campaign targets Interactive Brokers users by sending fake IRS Form W-8BEN renewal notices. The emails contain malicious links that direct victims to a spoofed login page designed to harvest their credentials and potentially compromise their financial investments.
Authors: Don Santos
Source: Cofense
- domain: wbnoebe[.]com - Phishing landing page and credential harvesting C2 domain.
- email: banking@pmcmiw.com - Sender email address used in the phishing campaign (identified in article images).
- email: banking@pmcmlw.com - Sender email address used in the phishing campaign (identified in article text).
- url: hxxps://wbnoebe[.]com/login - Spoofed Interactive Brokers login page used for credential harvesting.
- url: hxxps://wbnoebe[.]com?token - Endpoint where harvested user credentials are submitted by the phishing page.
Key Takeaways
- Threat actors are actively impersonating the Interactive Brokers trading platform to steal user credentials.
- The phishing lure utilizes a fake IRS Form W-8BEN renewal notice to create a sense of urgency and compliance requirement.
- Malicious emails originate from unofficial, spoofed domains such as pmcmlw.com and pmcmiw.com.
- Victims are directed to a credential harvesting page hosted at wbnoebe.com, which mimics the legitimate Interactive Brokers login portal.
Affected Systems
- Interactive Brokers user accounts
- Email clients
Attack Chain
The attack begins with a phishing email sent to the target, impersonating Interactive Brokers and claiming a mandatory IRS Form W-8BEN renewal is required. The email contains a malicious link disguised as a 'Renew Certification Now' button. When clicked, the victim is redirected to a spoofed Interactive Brokers login page hosted on an attacker-controlled domain. If the victim enters their credentials, the data is transmitted to the attacker's server, leading to potential account takeover and financial loss.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but outlines actionable IOCs (domains, URLs, sender addresses, and email subjects) that can be used to build custom detections in email gateways and SIEMs.
Detection Engineering Assessment
- EDR Visibility: Low — This is primarily an email and web-based attack; EDR on the endpoint will only see a browser opening a URL, not the credential theft itself, unless specific web protection or anti-phishing modules are active.
- Network Visibility: Medium — Network logs (DNS, proxy) can detect traffic to the known malicious domain, but the HTTP traffic itself is encrypted, obscuring the credential transmission.
- Detection Difficulty: Easy — Detecting the specific IOCs provided is straightforward via email filtering and DNS blocklists, though catching new, unknown domains requires more advanced behavioral email analysis.
Required Log Sources
- Email Gateway Logs
- DNS Query Logs
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users are receiving emails with subjects related to 'W-8BEN' or 'IRS Compliance' originating from non-standard or newly registered domains. | Email Gateway Logs | Initial Access | Low |
| Endpoints are resolving DNS queries for the known malicious domain wbnoebe.com. | DNS Query Logs | Credential Access | Low |
Control Gaps
- Inadequate email filtering for spoofed brand display names
- Lack of MFA enforcement on third-party financial accounts
Key Behavioral Indicators
- Email subject containing 'Official IRS Compliance Update — Mandatory Renewal of Form W-8BEN'
- Mismatch between the sender display name ('Interactive Brokers') and the actual sender domain (e.g., pmcmlw.com)
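The hunting hypotheses and behavioral indicators above can be turned into a small triage routine over email-gateway and DNS-resolver records. The following is an added example, not code from the Cofense article; the sample records are constructed, and the legitimate brand sending domain is an assumption to be replaced with the brand's published list.

```python
import re
from email.utils import parseaddr

KNOWN_BAD_DOMAINS = {"wbnoebe.com", "pmcmlw.com", "pmcmiw.com"}  # from the report, re-fanged
BRAND_NAMES = {"interactive brokers"}
LEGIT_BRAND_DOMAINS = {"interactivebrokers.com"}  # assumption: fill from the brand's published senders
LURE_SUBJECT = re.compile(r"w-?8\s?ben|irs compliance", re.I)
# Constructed sample gateway records and resolver log lines (not from the article).
SAMPLE_EMAILS = [
    {"from": '"Interactive Brokers" <banking@pmcmlw.com>',
     "subject": "Official IRS Compliance Update - Mandatory Renewal of Form W-8BEN"},
    {"from": '"Interactive Brokers" <noreply@interactivebrokers.com>',
     "subject": "Your monthly statement is ready"},
    {"from": '"HR Team" <hr@example-corp.com>',
     "subject": "Tax season: please renew your W-8BEN on file"},
]
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z client=10.0.0.5 query=wbnoebe.com. type=A",
    "2024-01-01T10:00:01Z client=10.0.0.7 query=example.com. type=A",
]
def score_email(rec):
    """Return the behavioral indicators that fire on one gateway record."""
    display, addr = parseaddr(rec["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in KNOWN_BAD_DOMAINS:
        findings.append("known-ioc-sender-domain")
    # Display name claims the brand, but the actual sender domain is not the brand's.
    if display.strip().lower() in BRAND_NAMES and domain not in LEGIT_BRAND_DOMAINS:
        findings.append("brand-display-name-mismatch")
    if LURE_SUBJECT.search(rec["subject"]):
        findings.append("w8ben-lure-subject")
    return findings
def verdict(rec):
    """Known IOC, or brand mismatch plus lure subject, alerts; one weak signal is reviewed."""
    f = set(score_email(rec))
    if "known-ioc-sender-domain" in f or {"brand-display-name-mismatch", "w8ben-lure-subject"} <= f:
        return "alert"
    return "review" if f else "clean"

def dns_hits(lines):
    """Return (client, name) for hosts that resolved the phishing domain or a subdomain of it."""
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m:
            client, qname = m.group(1), m.group(2).rstrip(".").lower()
            if any(qname == d or qname.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
                hits.append((client, qname))
    return hits
```

The third sample record shows why the subject keyword alone is routed to review rather than alert: genuine W-8BEN reminders do circulate, so the stronger signal is the brand display name paired with a non-brand sender domain.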
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the domain wbnoebe.com on all corporate firewalls and web proxies.
- Search email gateways for messages from banking@pmcmlw.com or banking@pmcmiw.com and purge them from user inboxes.
- Identify any users who clicked the malicious link and mandate an immediate password reset for their Interactive Brokers accounts.
Infrastructure Hardening
- Implement strict DMARC, SPF, and DKIM checking on inbound emails to flag or quarantine messages with spoofed sender identities.
- Ensure Multi-Factor Authentication (MFA) is enabled for all financial, trading, and corporate accounts.
User Protection
- Deploy web protection and content filtering agents on endpoints to block access to known phishing URLs and newly registered domains.
Security Awareness
- Educate users on verifying sender email addresses, especially for messages requesting urgent financial, tax-related, or compliance actions.
- Train employees to navigate directly to trading platforms and financial institutions via trusted bookmarks rather than clicking links embedded in emails.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1598.003 - Phishing for Information: Spearphishing Link
- T1583.001 - Acquire Infrastructure: Domains
Additional IOCs
- Domains:
  - pmcmlw[.]com - Sender domain used in the phishing campaign.
  - pmcmiw[.]com - Sender domain used in the phishing campaign (visual variant).
- Other:
  - Official IRS Compliance Update — Mandatory Renewal of Form W-8BEN - Subject line of the phishing email.