
Fraudsters offer “tax refunds”

I run into new phish email every day - not because of any flaw in my junk mail filters, but because I want to see what is going on. Although most phish attempts pose as mail from a financial institution, such as PayPal, there are exceptions.

One scam that has surfaced now and then during the last couple of years comes in the guise of a purported tax refund from the Internal Revenue Service of the USA. (I wonder how many people with no income from the US still fall victim to this phish.)

As an example, this specimen labeled IRS Notification - Tax Refund recently arrived in my mailbox:

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $279.30. — To access the form for your tax refund please click the link below http://mail.academicloangroup.com:443/IRS.gov/refunds.php — Regards, Internal Revenue Service

The site mentioned is already down, but it is not the only one to have been used. A portion of the injection and host sites appear to be cracked webmail servers, just like this one.


Another URI that has been used is http://rds.yahoo.com/**http://075.0112.0236.0107/recicler.php. This one requires some deciphering. First of all, it makes use of a Yahoo redirection service. Secondly, the IP address where the phish site is hosted is not 75.112.236.107, as one might think. Instead, the leading zeroes indicate an octal numeral, which translates to 61.74.158.71 in decimal notation. Here’s how:

first octet (075): 0*8² + 7*8¹ + 5*8⁰ = 61
second octet (0112): 1*8² + 1*8¹ + 2*8⁰ = 74
third octet (0236): 2*8² + 3*8¹ + 6*8⁰ = 158
fourth octet (0107): 1*8² + 0*8¹ + 7*8⁰ = 71

This site has also been taken down already.
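A filter or log pipeline can do the same conversion automatically, so that blocklists and alerts see the real address. The following Python sketch is an added example, not code from the original post; it goes beyond the octal case above and also handles the hex and fewer-than-four-part forms that inet_aton()-style parsers accept. The function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

def parse_component(text):
    """Parse one dotted component: 0x prefix = hex, leading 0 = octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]*", text):
        return int(text, 8)
    if re.fullmatch(r"[1-9][0-9]*", text):
        return int(text, 10)
    raise ValueError(f"not a numeric component: {text!r}")

def normalize_ipv4(host):
    """Return canonical dotted-decimal for an inet_aton-style literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [parse_component(p) for p in parts]
    except ValueError:
        return None  # a DNS name, or digits invalid for the base (e.g. "089")
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def embedded_target_host(url):
    """For the 'redirector/**target' form quoted above, return
    (raw host, canonical IP or None, True if the literal was obfuscated)."""
    target = url.split("**", 1)[1] if "**" in url else url
    host = urlsplit(target).hostname or ""
    canonical = normalize_ipv4(host)
    return host, canonical, canonical is not None and canonical != host

# The URI quoted in the post.
SAMPLE = "http://rds.yahoo.com/**http://075.0112.0236.0107/recicler.php"

if __name__ == "__main__":
    print(embedded_target_host(SAMPLE))
```

Matching on the canonical form rather than the raw string also means one blocklist entry covers every spelling of the same address.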

(Why the Yahoo redirector must

  1. exist
  2. accept requests without a Referer: line pointing to a Yahoo page
  3. accept URIs with octal IP addresses

…I have no idea.)

Humour points are awarded for these warnings:

For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated (sic).

Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.

Have you been affected by fraudulent email messages? Please share your experiences by leaving a comment!

2 Comments

  1. Anonymous wrote:

    The internet storm center recently had an item about redirects in spam messages here:
    http://isc.sans.org/diary.html?storyid=3408
    It gives a small indication of why they do it, but more importantly they show new redirect tricks spammers are using that are quite funny.

    Posted on 01-Oct-07 at 12:29:00 | Permalink
  2. Anonymous wrote:

    thanks Anonymous

    Posted on 22-Oct-07 at 20:11:00 | Permalink
