

February 19, 2008

IRS Refund Scam: Old Wine, Old Bottle

It's déjà vu all over again, but with monetary inflation thrown in for good measure.

Yes, here in the U.S. we're nearing income tax season. We have the Internal Revenue Service (IRS) on the brain, and it's usually not a good feeling, either because we owe money, or we have to fill out those infernal forms by April 15th.

Ah, but a crook is here to brighten our day (and lighten our sense of personal identity security). Our inbox shows this initial bit of info, which might be unnerving:

From: "IRS" <service@irs.gov>
Subject: IRS Notification - Fiscal Activity

"Fiscal activity?" What could that mean? We rush to open the message, which at least bears no attachment.

Inside we find the latest version of a con:

IRS phishing email message

I say "latest version" because I displayed a more artfully crafted instance from almost two years ago here. Notice that the amount has risen by over a couple of hundred smackers.

The URL behind the "click here" is to a hijacked Romanian web site. And, damn, if it doesn't look legit (except for the .ro URL, that is). The first screen pulls the IRS logo from the real IRS site, and many of the links point to irs.gov, as well:

IRS phishing site, page one

The amount of this supposed refund is duly and prominently displayed on the page. There was no indication of the amount being passed along to the phony site in the link URL, so I guess everyone is getting a $268.32 refund on this campaign. Whoopee!

If you're dumb enough to fill out the first page with your Social Security Number, you'll proceed to the next page, where additional identity data is requested of you:

IRS phishing site, page two

It's kinda funny that the IRS wants your mother's maiden name here, yet they do not collect that information on otherwise invasive tax forms. But, ooh, that logo looks real, and the Submit button has a drop shadow. It must be legit, right?

Onward to page three, where you are asked for your credit or debit card information:

IRS phishing site, page three

The program running behind these pages is not merely a form-data-grabbing automaton. It actually tries to verify that the credit card number you provide is a valid number (or at least that its first eight digits are). It simply won't accept totally bogus numbers.

I get a kick out of the Note at the bottom of these pages, recommending that you close the browser after submitting the refund request. I think that's to prevent the casual user from accidentally noticing after the fact that the URL in the address bar isn't irs.gov or anything close.

If this fairly elaborate web site seems like a long way to go to capture personal identity and credit card data, you'd be right. But it means that such data is still valuable enough to make it worthwhile for someone, somewhere to develop the software behind this activity. This is most likely a kit of some kind that anyone wanting to rip people off from their home-based business can find on the Internet. Thus, the "kingpin" behind it all collects moolah no matter what, and, as has been detected elsewhere, may even be stealing the captured data from the kit buyers who do the legwork of installing the kit on hijacked servers and paying for the botnet mailings.

So, what's the difference between the IRS refund scams of 2006 and 2008? Simply the promise of a $204.52 larger refund.

The value of identifying a scam when you see it? Priceless.

Posted on February 19, 2008 at 05:41 PM