Phishers celebrate Eid ul-Fitr (Feast of Breaking the Fast, a.k.a. End of Ramadan) with much activity, casting their nets on the Internal Revenue Service (IRS) and PayPal users using a Philippine-based Web site. What fits the Eid more is that the Web site used belongs to a university in the Mindanao region, where the largest population of Muslims are found in the Philippines.

The phishers created folders that were appended to the Western Mindanao State University URL (wmsu.edu.ph). The exact URLs appeared to be the following:

• wmsu.edu.ph/{BLOCKED}s/*
• wmsu.edu.ph/www.{BLOCKED}l.com/*
• wmsu.edu.ph/{BLOCKED}s/*
• wmsu.edu.ph/.us/{BLOCKED}r.php%3f*

When users access the said URLs, spoofed login pages to the IRS and PayPal are displayed:

TrendLabs Manila has contacted WMSU regarding this matter. WMSU, in turn, has already taken steps to clean their site and investigate the root cause of this incident. Meanwhile, Trend Micro users are assured that the abovementioned URLs are now blocked by Trend Micro products.