
"Picture-in-picture" Tax Rebate Scam

Created: 27 Sep 2010

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services

HMRC, the UK's tax collecting agency, recently announced that six million people in the country have paid the wrong amount of tax and stated that it would start sending letters to the affected people. Depending on their circumstances, people would either be invited to claim back overpaid tax or be sent a demand for payment of unpaid tax.

When we heard this announcement we expected it would not be long before we saw phishing mail trying to take advantage of the confusion caused by the announcement, particularly as the majority of affected people are owed money. Recently we saw an interesting phishing scam which, although it doesn't directly refer to HMRC's announcement, is perhaps more likely to trick people into revealing confidential information, since many people are now hoping for an unexpected refund.

The phish message claims that the recipient is entitled to a refund, and includes an HTML attachment which, when opened, uses frames to load the fake site (now taken down) hosted on a compromised server:

The site itself is noteworthy as it uses a primitive "picture-in-picture" attack to look like a PDF document being shown in a web browser using a plugin. A "picture-in-picture" attack involves using screenshots or creating on-screen controls and widgets to mimic the appearance of either an application (such as a PDF reader) or, in some cases, a whole Windows desktop. This phish site specifies a background image, shown below, which is a modified screenshot of a common PDF reader application:

The text and form on the site are then displayed on top of this background, making it look like a PDF, which some users might think is more legitimate.

One aspect of the screenshot that is rather unusual is that it's from a 72-page document (note "1 / 72" in the toolbar). It's unclear why the phisher would use such a large document when the text on the phish site is limited and the crude "picture-in-picture" attack offers no way to move between pages. Perhaps the phisher simply used the first PDF document they came across. Although this technique is interesting, it's a rather poor effort by the phisher, as selecting text reveals extra spaces used to pad the text so that it appears in the appropriate "document area" of the fake PDF reader:

Viewing the source of the page shows many non-breaking space characters (the HTML &nbsp; named entities) before "Are you an United Kingdom Resident?":

At 1,260 pixels wide, the fake PDF reader background image is also too narrow, so users viewing the site with a high resolution monitor will see it repeat horizontally, looking unusual.
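The three traits described above (an attachment whose frame loads a remote page, a full-page background image standing in for an application window, and long runs of &nbsp; used to position text) are cheap to check for in a mail-filtering or triage pipeline. The following is an added example for this post, not code from Symantec; the sample HTML documents are constructed to resemble the attachment and landing page described, and the threshold of 20 consecutive &nbsp; entities is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Records frame/iframe targets and whether a background image is set."""
    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.background_image = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frame_srcs.append(a["src"])
        if tag == "body" and a.get("background"):
            self.background_image = True
        style = (a.get("style") or "").lower()
        if "background" in style and "url(" in style:
            self.background_image = True

def phish_indicators(html, nbsp_threshold=20):
    """Return the picture-in-picture indicators found in an HTML document.
    score counts how many of the three indicators are present (0..3)."""
    c = _Collector()
    c.feed(html)
    # Frames pointing at an absolute http(s) URL load content from elsewhere;
    # relative frame targets are ignored.
    remote = [s for s in c.frame_srcs if urlparse(s).scheme in ("http", "https")]
    # Longest run of consecutive non-breaking spaces, as entity or raw U+00A0.
    runs = re.findall(r"(?:&nbsp;|\xa0)+", html)
    max_run = max((len(re.findall(r"&nbsp;|\xa0", r)) for r in runs), default=0)
    score = int(bool(remote)) + int(c.background_image) + int(max_run >= nbsp_threshold)
    return {"remote_frames": remote, "background_image": c.background_image,
            "max_nbsp_run": max_run, "score": score}

# Constructed samples (hostnames and file names are placeholders, not from the post).
ATTACHMENT = ('<html><frameset rows="100%">'
              '<frame src="http://compromised-host.example/refund/index.htm">'
              '</frameset></html>')
LANDING_PAGE = ('<html><body style="background-image: url(pdf-reader.png)"><p>'
                + "&nbsp;" * 40 + "Are you an United Kingdom Resident?</p></body></html>")
BENIGN = ('<html><body><p>Hello&nbsp;world</p>'
          '<iframe src="/local/frame.html"></iframe></body></html>')

if __name__ == "__main__":
    for name, doc in (("attachment", ATTACHMENT), ("landing", LANDING_PAGE), ("benign", BENIGN)):
        print(name, phish_indicators(doc))
```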

Another interesting aspect of this phish is the flawed and amateurish credit card number validation code. Invalid credit card numbers are of no use to a phisher, and this particular phisher validates credit card numbers using client-side JavaScript. Instead of using the Luhn algorithm (ISO/IEC 7812-1), the code simply looks for a number of hard-coded invalid-looking credit card numbers such as:

This is particularly odd as, at least in this part of the phish, the phisher isn't even asking for credit card details. This suggests that the phisher has simply crudely modified an existing phishing kit.

Expect this type of tax-related phishing to increase as confusion and uncertainty about HMRC's announcement continues.