"Internal Revenue Service
United States Department of the Treasury
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $270,25 Please submit the tax refund request and allow us 2-6 business days in order to process it.
To access the form for your tax refund, please click here"
It's that time of year, and phishing emails are out, using a tax refund as a motivator for people to enter private banking information and get their identity stolen. This specific instance quoted above arrived in my inbox recently, from firstname.lastname@example.org [22.214.171.124] by way of mail.planetaryherbtreasures.com. I'm not exactly sure what mushrooms and roots have to do with my tax refund, nor do I really know why a computer in Amsterdam is helping out the IRS (126.96.36.199/8 is allocated to RIPE.net).
Clicking on the link sent me to a site that forwarded to another server in Amsterdam:
Graciously, I filled out the form with some bogus data and proceeded. Of course, after claiming my refund, I have to tell the IRS where to send it:
Once all the information was filled in and submitted, the refund was confirmed.
The site that was hosting this phishing page has been taken down, but I'm waiting for more to show up. They were using a redirection service (which is still operating), so as soon as a new copy of the site goes up, they can simply modify the redirect to get more victims. Hopefully the redirect will be taken down soon -- I am not optimistic, however, since the redirect is hosted in Venezuela.
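The mismatch noted above, a message signed as the IRS but relayed through an unrelated mail host, is easy to check for automatically. The following is an added example, not part of the original post: the sample message is constructed, and the address, first hop, IP and the name-to-domain mapping are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not the original phish. The relay name is the one quoted
# in the post; the address, first hop and IP are placeholders.
SAMPLE = """\
Received: from sender-host.example ([192.0.2.10])
    by mail.planetaryherbtreasures.com with ESMTP; Mon, 01 Jan 2001 00:00:00 +0000
From: "Internal Revenue Service" <refunds@sender.example>
Subject: Tax refund

Please submit the tax refund request.
"""

# Assumed mapping from a claimed sender name to the domain it should use.
BRANDS = {"internal revenue service": "irs.gov"}

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def relay_hosts(msg):
    """Host names after 'from' and 'by' in every Received header."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        hosts += re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", hdr)
    return hosts

def check(raw):
    """Return findings where the claimed sender and the mail path disagree."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    for brand, domain in BRANDS.items():
        if brand not in display.lower():
            continue
        from_domain = addr.rpartition("@")[2]
        if not under(from_domain, domain):
            findings.append(f"From domain {from_domain!r} is not under {domain}")
        hosts = relay_hosts(msg)
        # Hops below your own server's header are sender-supplied, so a
        # matching name proves little; a path with none is still a red flag.
        if not any(under(h, domain) for h in hosts):
            findings.append(f"no Received hop under {domain}: {hosts}")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```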