Interesting IRS Phishing Method
May 20th, 2008 by Steven AdairThe phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned this elsewhere recently, but I cannot recall where. In any event, this recent phish found itself into SPAM folder on one of my e-mail accounts. Notice the URL they provided:
Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1×8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 amInternal Revenue Service (IRS)
United States Department of the TreasuryDear Taxpayer,
After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.Please submit the tax refund request and allow us
6-9 days in order to process it.A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.To access the form for your tax refund, use the following personalized link:
http://0×7C.0xDB11D1/www.irs.gov/
Regards,
Internal Revenue ServiceDocument Reference: (0×7C.0xDB11D1).
Notice that the URL is http://0×7C.0xDB11D1/www.irs.gov/ and that they used 0×7C.0xDB11D1 as the “Document Reference” in attempt to make it look more official. Well it turns out that 0×7C.0xDB11D1 really converts to an IP address in Taiwan - 124.219.17.209. Visiting this IP address or the URL abovve ends up redirecting you http://www.comtipps.de/www.irs.gov/index.htm?memberID=0×7C.0xDB.0×11.0xD1.
This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the look out for this slightly different take on an old trick.