The Income Tax Department of India recently announced that the last date for sending income tax returns for AY 2010-2011 has been extended to July 31, 2011. During 2010, phishers had plotted their phishing scams based on the tax return deadline. As the deadline for tax returns of the current financial year approaches, phishers have returned with their stream of phishing sites.
This time, phishers have spoofed the Reserve Bank of India’s Web site as a ploy for a tax refund scam. The phishing site attempts to lure users by stating that the bank would take full responsibility for depositing the tax refund to the user’s personal bank account. The user is prompted to select the name of the bank and enter their customer ID and password. There is a list of eight banks to choose from. In this way, phishers intend to steal the confidential information of customers of several banks from a single phishing site. The following page asked for credit/debit card number and PIN number. After these details are entered, the phishing sitedisplays a message acknowledging that the request for the tax refund has been submitted successfully. The user is then redirected to the legitimate Web site of Reserve Bank of India. If users fall victim to the phishing site, phishers will have stolen their information for financial gain.
Symantec has been in contact with the Reserve Bank of India. The bank has stated that emails sent in its name to customers have been observed asking for bank account details. The Reserve Bank has clarified that it has not sent any such email and that the Reserve Bank (or any bank) never issues communication asking for bank account details for any purpose. The Reserve Bank has also appealed to members of public to not respond to such email and to not share their bank account details with anyone for any purpose.
The phishing site used a numbered IP domain (for example, domains like hxxp://255.255.255.255) hosted on servers based in St Louis, USA. The same IP was used for hosting phishing sites of several other Indian banks. The IP belongs to a Web site of a company that provides roofing for houses. The IP of the company’s Web site was compromised to host the phishing sites.
Internet users are advised to follow best practices to avoid phishing attacks: • Do not click on suspicious links in email messages. • Avoid providing any personal information when answering an email. • Never enter personal information in a pop-up screen. • Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.