Internet Domain Registry

Wednesday, 10 March 2010

HM Revenue & Customs Refund Portal - Ten Phish in One

Posted on 10:42 by Unknown
This morning I was reading a report from Kenneth Paschal, a member of the UAB Phishing Operations research team, that contained an interesting group of new phishing sites. The campaign advertises an "HM Revenue & Customs" page using an email with this message body:

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 988.50 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

Click Here to submit your tax refund request

Note : A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.

Best Regards

HM Revenue & Customs


The so-called "Tax Refund Portal" looks like this:



Each of the icons takes the visitor to a very professional-looking phishing site to have the credentials for that bank stolen. The banks currently making up the pool include:

Barclays
Lloyds TSB
Halifax
Abbey
HSBC
Cahoot
Royal Bank of Scotland
Egg Bank
NatWest
Alliance & Leicester

In most cases the URL advertised in the phishing email actually is a forwarder to another location. For instance, the most recent phish from today forwarded to this site to show the actual content:

hxxp://daegups.com/bbs/data/bbs2/folder/folder/New Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/index.htm


We had previously seen seventeen such phishing sites, in July and August of 2009, but the front has been quiet until March 1st. A quick peek into the UAB PhishURLs database shows that we're seeing an escalated number of these sites being created.


The UAB Spam Data Mine had samples for "planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm" in our March 6th spam collections at 12:30 AM, 1:30 AM, 4:30 AM and 5:45 AM. After that site was terminated, the bad guys relaunched in our 12:15 PM spam collection with "www.examsheets.net/images/hmrc/hmrc/refundportal.htm". As you can see, many others have followed.
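
The two URLs quoted above share the same tail, hmrc/hmrc/refundportal.htm, which makes the kit easy to track in a URL feed. The following is an added example, not code from the original post or from UAB: it flags URLs with that landing path and groups sightings by day and by hosting domain. The function names and the sample feed (reserved .example hosts) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Landing-page signature taken from the URLs quoted in the post: the portal
# file is refundportal.htm, normally inside one or two "hmrc" directories.
KIT_PATH = re.compile(r"/(?:hmrc/){0,2}refundportal\.html?$", re.IGNORECASE)

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL parses normally."""
    url = url.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def kit_host(url):
    """Return the hosting domain if the URL matches the kit path, else None."""
    parts = urlsplit(refang(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not KIT_PATH.search(parts.path):
        return None
    host = parts.hostname.lower()
    return host[4:] if host.startswith("www.") else host

def summarize(records):
    """records: iterable of (date, url). Returns (sightings per day, dirs per host)."""
    per_day = defaultdict(int)
    per_host = defaultdict(set)
    for date, url in records:
        host = kit_host(url)
        if host is None:
            continue
        per_day[date] += 1
        # Directory the kit was dropped into: the path with the kit tail removed.
        path = urlsplit(refang(url)).path
        per_host[host].add(KIT_PATH.sub("", path) or "/")
    return dict(per_day), {h: sorted(d) for h, d in per_host.items()}

# Constructed sample feed (reserved .example hosts, not data from the post).
SAMPLE = [
    ("2010-03-01", "http://www.shop.example/refundportal.htm"),
    ("2010-03-02", "hxxp://shop[.]example/images/hmrc/refundportal.htm"),
    ("2010-03-02", "http://blog.example/wp-content/hmrc/hmrc/refundportal.htm"),
    ("2010-03-02", "http://blog.example/cache/HMRC/hmrc/RefundPortal.htm"),
    ("2010-03-03", "http://blog.example/about/refund-policy.htm"),
    ("2010-03-03", "ftp://files.example/hmrc/refundportal.htm"),
]
```

A host that shows up with several drop directories is a compromised server being reused after each takedown, so cleanup needs to cover the whole site, not a single reported page.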



We'll continue to watch for emerging patterns like this one, and share with you what we find. For now, be wary of this "Tax Refund Portal"!