The URL had me fooled for a second -- it looks like a link to govbenefits.gov with a long
identifier. It turns out that the badguys are using a poorly secured redirect page (externalLink.jhtml) on govbenefits.gov to send people to porterfam.org. Of course the resulting page asks for SSN, credit card number, etc -- all the things needed for identity fraud.
And here is the email:
From: tax-returns@irs.gov <tax -returns@irs.gov>
Reply-To: no-reply-2005@66.34.46.216
To: my email
Date: Nov 26, 2005 12:16 PM
Subject: [IRS] Tax Refund
You are eligible to recieve a tax refund for $571.94.
To access the form for your tax return use the link below:
http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url=h%74t%70:%2F%2F%77%77%77%2Eporterfam%2E%6F%72%67%2F2+005%2F%3F_cmd=/cgibin/2005/trefund/id=96596,00
(copy and paste this link in your browser address bar)
12 days left to apply for your refund. You may not receive your refund as quickly as you expected. A refund can be delayed for a variety of reasons. For example, a name and Social Security number listed on the tax return may not match the IRS records. You may have failed to electronically sign the return or applied after the deadline.
This email has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.
The bad guys are getting pretty tricky...