Archives
08.2006
09.2006
10.2006
11.2006
02.2007
04.2007
07.2007
03.2008


Powered by Blogger

22 March 2008
  Tax Phish
Internal Revenue Service
United States Department of the Treasury


After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $270,25 Please submit the tax refund request and allow us 2-6 business days in order to process it.

To access the form for your tax refund, please click here"

It's that time of year, and phishing emails are out using tax refund as a motivator for people to enter private banking information and get their identity stolen. This specific instance quoted above arrived in my inbox recently, from service@irs.gov [81.25.50.148] by way of mail.planetaryherbtreasures.com. I'm not exactly sure what mushrooms and roots have to do with my tax refund, nor do I really know why a computer in Amsterdam is helping out the IRS. (81.0.0.0/8 is allocated to RIPE.net).

Clicking on the link sent me to a site that forwarded to another server in Amsterdam:



Graciously, I filled out the form with some bogus data and proceeded. Of course, after claiming my refund, I have to tell the IRS where to send it:



It's staggering how much information they want. Pleasantly, there were links all over each page about the "IRS Privacy Policy"... none of which actually worked. Skipping fields was also not allowed:



Once all the information was filled in and submitted, the refund was confirmed.




The site that was hosting this phishing has been taken down, but I'm waiting for more to show up. They were using a redirection service (which is still operating), so as soon as a new copy of the site goes up, they can simply modify the redirect to get more victims. Hopefully the redirect will be taken down soon -- I am not optimistic, however, since the redirect is hosted in Venezuela.

Labels: , , , ,