IRD warns of fake tax email

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
seabird3
Members
Posts: 615
Joined: Thu Nov 23, 2006 7:56 pm
Location: Waikato

IRD warns of fake tax email

Post by seabird3 » Mon Aug 30, 2010 7:45 pm

IRD warns of fake tax email

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10670027

[quote]A warning has been issued about a fake email which claims to be from the Inland Revenue Department telling recipients they are owed money from a tax refund.

The email, from the address tax-refund@ ird. govt. nz with the subject line "Tax Refund", tells recipients they are owed $609.30 in tax, and asks them to click on the link http://www.ird.govt.nz/tax/refunds to receive their refunds.

They are then diverted to a website pretending to be the IRD's which asks for their credit card details.

The email ends with the incorrect name for the department - it is signed "regards, Inland Revenue Service".

The Ministry of Consumer Affairs monitors frauds and spokeswoman Kate Camp said she was not aware of calls to the ministry reporting this specific scam recently.

But she said the email followed the general formula of the most common ones and tax return scams were one of the "usual suspects".

"Why would the IRD be refunding your credit card?"

Ms Camp warned anyone who received the email, or any others like it, to ignore it and reiterated the ministry's warnings to consumers never to reveal personal bank details or passwords.

"They count on the fact that most people might not be taken in but if there's just one person ... in 10,000, that's what they're hoping for. The best thing is don't respond, don't send an email back, don't click on the link."

Contacting the person who sent the email would send a signal to fraudsters that the email address was valid which could pose further risks, she said.

"Alarm bells should be ringing when anybody asks you for your bank or credit card details like that.

"If you think it is legitimate, the best thing ... rather than clicking on the link, is to go to the IRD website yourself or ring them up yourself having looked them up in the phone book. If it seems too good to be true, it probably is and that's usually the way all scams work."

The IRD issued a warning about the fraud on its website on August 6.

A spokeswoman said yesterday: "We simply don't send people emails that offer people refunds, it's not at all the way that Inland Revenue conducts its business."[/quote]

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email - Update

Post by Foggyone » Wed Nov 03, 2010 1:33 am

In the office today and was given this. It's a new wrinkle on the phish in that the form page is supplied with the email, and only goes to the hijacked site once the form is submitted.

Email

Image

Form (in two images)

Image
Image

This went to a hijacked account http://m-wellwe.com/process.php" onclick="window.open(this.href);return false;. This site has been taken down. Belonged to some woman in Canada.

This would work well if the form submitted to one of several sites. It would be trivial to edit the HTML file attached so that it becomes a much bigger job to take down all the sites.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Fri Dec 17, 2010 6:21 pm

A rerun of the IRD refund scam in this morning. Identical attachment.

The form points to http://rtews.com/process.php" onclick="window.open(this.href);return false; which is a new domain, no doubt registered using stolen credit card details for this scam.
Google, the answer to so many questions!
-----------------------------------------------------

abc
Members
Posts: 4
Joined: Wed Dec 29, 2010 9:27 pm
First Name: Josh

Re: IRD warns of fake tax email

Post by abc » Wed Dec 29, 2010 10:06 pm

New one,, email link goes to http://216-31-226-228.static-ip.telepac ... /form.html" onclick="window.open(this.href);return false; , found http://216-31-226-228.static-ip.telepacific.net/new-z/" onclick="window.open(this.href);return false; which has the file that seems to be storing all the debit card / drivers licence etc info being put in - http://216-31-226-228.static-ip.telepac ... diicot.txt" onclick="window.open(this.href);return false; :shock: :shock: .. Who should it be reported to, to get the pages removed etc?

Headers for anyone interested:
From: Te Tari Taake *Inland Revenue* <ird.service@newzealand.govt.nz>
MIME-version: 1.0
Message-id: <0LE60030FT46EE20@smtp5.clear.net.nz>
Received: •from ip1.tranzpeer.net ([192.168.69.1]:54911) by mxdsrv1.tranzpeer.net with ESMTP (Exim 4.69) id 1PXuAr-000529-EY; Thu, 30 Dec 2010 00:26:33 +1300
•from smtp5.clear.net.nz ([203.97.33.68]) by mxi1.callplus.net.nz with ESMTP; 30 Dec 2010 00:26:33 +1300
•from User (203-167-138-204.dsl.telstraclear.net [203.167.138.204]) by smtp5.clear.net.nz (CLEAR Net Mail) with SMTP id <0LE60030ET46EE20@smtp5.clear.net.nz>; Thu, 30 Dec 2010 00:26:32 +1300 (NZDT)

Return-path: <ird.service@newzealand.govt.nz>
Subject: IRD * Tax Refund Notification *
To: ird.service@newzealand.govt.nz
X-Envelope-To: ******@slingshot.co.nz
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-MSMail-priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Priority: 3

Edit: It could just be me but the .txt file just got cleared so it now has hardly anything on it, just info put in since about 11am..

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Thu Dec 30, 2010 1:24 am

Did you get a copy of the txt file. I have a copy of the current one, and am attempting to contact the lady who has provided her credit card details.

A little later.
Got hold of the lady. She was unaware she had been phished. Off to her bank to get the CC checked/held.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Thu Dec 30, 2010 2:09 am

I'm amazed at how fast the phished details are arriving. It seems like there's
one born every minute (or two). I'm saving the text file as well.

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Thu Dec 30, 2010 2:20 am

Victims are still rolling up to get caught.

This is the latest list of those who have provided card numbers.
- Names subsequently removed by admin -

I tried to interest the Police in this. They do not have the manpower to help. Suggested crimestoppers which would be less than useful in a crime currently underway.

Anyone who can contact any of these people, please do so as a matter of urgency.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Still They Come

Post by Foggyone » Thu Dec 30, 2010 2:22 am

In the absence of Police assistance I have sent TV3 an email. They may care to assist and get a good story at the same time.
Google, the answer to so many questions!
-----------------------------------------------------

abc
Members
Posts: 4
Joined: Wed Dec 29, 2010 9:27 pm
First Name: Josh

Re: IRD warns of fake tax email

Post by abc » Thu Dec 30, 2010 3:02 am

Foggyone wrote:Did you get a copy of the txt file. I have a copy of the current one, and am attempting to contact the lady who has provided her credit card details.

A little later.
Got hold of the lady. She was unaware she had been phished. Off to her bank to get the CC checked/held.
Yeah got a copy, emailing you it now..

digidog i tried to pm you the file too but can't add attachment's in pm's, can email you it if you pm a email address

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

More suckers

Post by Foggyone » Thu Dec 30, 2010 3:25 am

There are a number of respondents on the first file who worked out this is a scam. Later ones don't seem as savvy.
I don't know if IE8 advises a phishing site. These victims may all be running earlier Ie's, or something else.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Thu Dec 30, 2010 6:40 am

At just after 7:30 pm the file has been deleted. This probably means it has been retrieved by the crook who will look to monetize this information.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Thu Dec 30, 2010 5:16 pm

Still live this morning.

In the absence of interest by the law enforcement authorities (Police) I have forwarded the detail of victims to the Bank of New Zealand. They tell me they can use the information and I have asked that they forward it to the other banks/cc people. I have also given them the access details so they can monitor new victims.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

BNZ Update

Post by Foggyone » Thu Dec 30, 2010 8:56 pm

Spoke to BNZ security because my email kept bouncing. This was because it contained cc numbers. Their filter must be quite sophisticated.

It turns out they were monitoring the phish, and have all the details I hold. They are in contact with Ecrime, but my guess is the scammer will be coming through proxies, or be operating from an internet cafe, so any IP address will be useless. It's just so damned hard to prosecute cross border crime.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Re: BNZ Update

Post by digidog » Thu Dec 30, 2010 9:04 pm

Foggyone wrote:Spoke to BNZ security...
Well done Peter. I've been keeping a record of the phished addresses and intended to take it
to the Police today. But if BNZ are on the case that's cool.

I was surprised that the Police showed such little interest yesterday. You might have thought
that a referral to the eCrime unit would have been more appropriate.

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: IRD warns of fake tax email

Post by Foggyone » Thu Dec 30, 2010 10:03 pm

Yes, I was surprised at the Police response. I spoke to a senior something at the local station. They probably haven't reached the 21st century yet, still using quill pens and gas lighting.

The site appears now to have been removed.

Just before leaving home I noted a victim within my free calling. I phoned her and advised she had been a victim. She tells me her browser is probably not up to date, and then she told me her computer will not now connect to the internet since she got phished. Wonder if there was a sting in the tail from the phish site.
Google, the answer to so many questions!
-----------------------------------------------------

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests