Sunday, November 27, 2005

govbenefits.gov used to cover phisher's hacking

I just got a phishing email, allegedly from tax-returns@irs.gov, saying I have a $571.94 tax refund that needs to be claimed within 12 days.

The URL had me fooled for a second: it looks like a link to govbenefits.gov followed by a long identifier. It turns out that the bad guys are using a poorly secured redirect page (externalLink.jhtml) on govbenefits.gov to send people to porterfam.org. The page takes its destination from the url= parameter and forwards the browser there without checking the destination against any list of permitted sites (an open redirect), and the phisher has percent-encoded most of the destination so that nothing as readable as "porterfam.org" shows up in the link. Of course the resulting page asks for SSN, credit card number, etc., all the things needed for identity fraud. The simple check is to percent-decode everything after url= before clicking: that is where the real destination is.
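Here is a small script that does that decoding on the exact link from the email, and alongside it the allowlist check a redirect page like externalLink.jhtml should apply before forwarding anyone. This is an added example, not code from this post or from govbenefits.gov; the list of allowed hosts is a made-up assumption for illustration, and the only real data in it is the phishing link quoted below.

```python
"""Reveal the destination hidden in an open-redirect phishing link, and show
the allowlist check a redirect page should apply before forwarding.

Added example for this post; not code from govbenefits.gov.  The phishing
link is the one quoted in the email; ALLOWED_REDIRECT_HOSTS is an assumption
made up for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit, unquote

# The link from the phishing email, copied verbatim.
PHISH_LINK = ("http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url="
              "h%74t%70:%2F%2F%77%77%77%2Eporterfam%2E%6F%72%67%2F2+005%2F%3F_cmd="
              "/cgibin/2005/trefund/id=96596,00")


def redirect_target(link: str, param: str = "url") -> Optional[str]:
    """Return the percent-decoded value of the redirect parameter, or None.

    The query string is split by hand rather than with parse_qs so that a
    literal '+' in the payload stays a '+' (parse_qs would turn it into a
    space) and so that any '=' inside the value is kept.
    """
    query = urlsplit(link).query
    for part in query.split("&"):
        name, _, value = part.partition("=")
        if name == param:
            # unquote() resolves every %XX sequence, including the letters the
            # phisher encoded (h%74t%70 -> http) to keep the host unreadable.
            return unquote(value)
    return None


def target_host(link: str) -> Optional[str]:
    """Hostname the victim's browser would actually land on."""
    target = redirect_target(link)
    return urlsplit(target).hostname if target else None


# Allowlist for the hardened redirect: hypothetical, chosen for this example.
# A real deployment lists only the outside sites it genuinely links to.
ALLOWED_REDIRECT_HOSTS = {"www.irs.gov", "www.ssa.gov", "www.usa.gov"}


def is_allowed_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """The check a redirect page should perform before forwarding.

    Accepts only an absolute http(s) URL whose parsed hostname is exactly on
    the allowlist.  Parsing first, then comparing the hostname, also defeats
    tricks such as 'http://www.irs.gov@evil.example/' (the hostname there is
    evil.example) and scheme-relative '//evil.example/' (no scheme, rejected).
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    decoded = redirect_target(PHISH_LINK)
    print("decoded target:", decoded)
    print("landing host:  ", target_host(PHISH_LINK))
    print("would pass allowlist check:", is_allowed_redirect(decoded))
```

Running it prints the decoded porterfam.org URL and shows that the allowlist check rejects it; the same function also rejects the credentials-in-authority and scheme-relative forms that a naive "does it start with our domain?" string check would let through.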


And here is the email:


From: tax-returns@irs.gov <tax -returns@irs.gov>
Reply-To: no-reply-2005@66.34.46.216
To: my email
Date: Nov 26, 2005 12:16 PM
Subject: [IRS] Tax Refund


You are eligible to recieve a tax refund for $571.94.


To access the form for your tax return use the link below:


http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url=h%74t%70:%2F%2F%77%77%77%2Eporterfam%2E%6F%72%67%2F2+005%2F%3F_cmd=/cgibin/2005/trefund/id=96596,00
(copy and paste this link in your browser address bar)


12 days left to apply for your refund. You may not receive your refund as quickly as you expected. A refund can be delayed for a variety of reasons. For example, a name and Social Security number listed on the tax return may not match the IRS records. You may have failed to electronically sign the return or applied after the deadline.


This email has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.



The bad guys are getting pretty tricky...

2 comments:

  1. That is a pretty tricky thing to do. Find a poorly written redirect page and use that to mask the target. As I recall, in your earlier Bloxsom days, you had a link counter that worked by redirecting to the URL supplied as a parameter. I'd imagine that there are a lot of those types of things hanging around because of web managers' desire to track the links to outgoing sites that people use. Find one at an official site and suddenly your phishing expedition looks a lot more legitimate, especially if you do a little extra encoding on the URL as the above did.

    These guys find any hole that they can exploit...

  2. Even though the error is with the govbenefits.gov web site, many articles state the error lies with the IRS web site. The IRS gets enough bad press without the help from the broadcasting of inaccurate information.

    Unfortunately, the error still exists as that is how I was bounced to this site.
