The IRS is reportedly offering a refund just for filling in the details of an online form. Sounds too good to be true, doesn’t it?

It is. Clicking “click here” actually redirects users to one of several phishing sites. Luckily, all of the sites are inactive as of this writing.
Believed to have been making the rounds since late last August, this is yet another spammer’s ploy to phish for the account details of unsuspecting users. Though the IRS itself has warned the public repeatedly that it does not make contact through email, spammers still use the tried-and-tested “authority” model as a social engineering technique to trick users into giving up sensitive information. Add a little monetary reward and someone is bound to take the bait.
This particular fake IRS spam blast was created using a rock-phishing kit that is still available in one of the open directories of the known phishing domains. Other subject headings for emails in this spam run include:
* Notification – Fiscal Activity (Tax Refund)
* IRS Notification – Fiscal Activity
* Notification of Tax Refund on your VISA or MasterCard Now
* Urgent Notification !
* IRS Notification – Tax Refund Online Form
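One way to screen inbound mail for this run, as an added example that is not part of the original post: it matches the subject headings listed above and flags links that use IRS or refund wording on a host that is not irs.gov. The URL heuristics, the reason labels, the sample message and the `example.test` host are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject headings this post reports for the fake IRS refund run.
KNOWN_SUBJECTS = [
    "Notification – Fiscal Activity (Tax Refund)",
    "IRS Notification – Fiscal Activity",
    "Notification of Tax Refund on your VISA or MasterCard Now",
    "Urgent Notification !",
    "IRS Notification – Tax Refund Online Form",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\birs\b|refund", re.I)  # assumed lure wording

def norm(text):
    # Fold dash variants, case and spacing so trivial edits still match.
    text = re.sub("[\u2010-\u2015]", "-", text.lower())
    return re.sub(r"\s+", " ", text).strip()

KNOWN = {norm(s) for s in KNOWN_SUBJECTS}

def screen(raw):
    # Return the reasons a raw single-part message resembles this run.
    msg = message_from_string(raw)
    reasons = []
    if norm(msg.get("Subject", "")) in KNOWN:
        reasons.append("known-subject")
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host == "irs.gov" or host.endswith(".irs.gov"):
            continue  # genuine IRS link
        if LURE_RE.search(host + parts.path):
            reasons.append("irs-lure-on-other-host:" + host)
        try:
            port = parts.port
        except ValueError:  # malformed port is itself suspicious
            port = -1
        if port not in (None, 80, 443):
            reasons.append("odd-port:%d" % port)
    return reasons

# Constructed sample message; example.test is a placeholder host.
PHISH = (
    "From: IRS <refund@example.test>\n"
    "Subject: IRS Notification - Tax Refund Online Form\n\n"
    "Claim your refund: http://host.example.test:84/IRS.gov/ today\n"
)
```

An empty list from `screen()` means none of these heuristics fired, not that the message is safe.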
Not too long ago, spammers used the IRS angle to scare people into opening a corrupt .PDF file, which actually proved to be TROJ_ARTIEF.B in hiding. Other malware families are also notorious for using tax as the main subject for their spam, specifically BAGLE variants.
A similar incident, also believed to have been created using a rock-phishing kit, has occurred for the NatWest online banking site. See screenshot below:

The following sites were seen to be hosting these phishing scams:
Always keep in mind that government agencies do not initiate contact by email, much less ask for personal data through email. Email is just too insecure. If emails like these are received, it would be best to visit the yellow pages, call the respective agency yourself, or drop by for a visit.
Who knows? You may have just saved yourself from more than a promised rebate.
Additional information provided by Elizabeth Bookman.



