A warning to individuals filing taxes in the United Kingdom: Cyren has identified a tax refund phishing email that, at first glance, appears to come from HM Revenue & Customs (HMRC), the UK’s tax, payments, and customs authority. The fraudulent email tries to trick the recipient into opening a PDF by suggesting that the victim’s tax refund information is now available for viewing. Once the email is opened, the victim is encouraged to click a link which redirects to a phishing site seeking the victim’s personal credentials. These phishing documents are detected and blocked by Cyren as PDF/Phishing1.CYO.
Figure 1: HMRC Refund Phishing E-mail
Link Redirection Scheme to Fool Security
Upon opening the attachment, victims find a document that uses a logo similar to the actual HMRC logo. To make the document appear more legitimate, the fraudsters include a dollar amount for the tax refund and then use scare tactics to encourage link clicks by telling recipients “If you don’t create a government gateway account, you will not receive your refund.”
Figure 2: HMRC Tax Refund Phishing Document
In examining the phishing email and attachments, Cyren found a link redirection scheme involving legitimate sites, such as Google or Adclick, to make the request seem genuine—a common technique often used to cloak malicious phishing URLs. Taking advantage of these redirection schemes may circumvent email and URL blocking due to the presence of legitimate domains, which are commonly whitelisted by most scanning services.
Phishing URL Masquerades as Adclick URL
As shown in the examples below, the actual phishing URL is passed as the adurl parameter of the ad-click link, so the visible domain is the legitimate redirector rather than the phishing site:
Figure 3: Criminals attempt to obfuscate the phishing URL by passing it as an “Adclick” URL
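As an added, defensive illustration (not code from the original post or from Cyren), the following Python unwraps a URL that carries its real destination in an ad-click or redirect parameter, so that URL filtering can judge the final host instead of the allowlisted redirector. The redirector hostnames, the parameter names other than adurl, and the phishing placeholder domain are assumptions or constructed sample data, not indicators from the post.

```python
from urllib.parse import urlparse, parse_qs, quote

# Query parameters that ad-click and redirect endpoints use to carry the real
# destination. `adurl` is what Google ad-click URLs use; the other names are
# assumed generic redirector parameters, not taken from the original post.
REDIRECT_PARAMS = ("adurl", "url", "q", "redirect", "redir", "dest", "target")

def extract_embedded_url(url):
    """Return the absolute http(s) URL carried in a redirect parameter, or None."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:          # parse_qs already percent-decodes values
        for value in params.get(name, []):
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                return value
    return None

def resolve_redirect_chain(url, max_depth=5):
    """Unwrap nested redirect parameters; return (final_url, list_of_hops)."""
    chain = [url]
    while len(chain) <= max_depth:
        nxt = extract_embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain[-1], chain

def is_cloaked(url, allowlist):
    """True when the outer host is allowlisted but the unwrapped destination is not."""
    outer = urlparse(url).netloc.lower()
    final = urlparse(resolve_redirect_chain(url)[0]).netloc.lower()
    return outer in allowlist and final not in allowlist

# Constructed sample: a placeholder phishing page wrapped in two legitimate
# redirectors. The placeholder domain is not a real indicator from the post.
PHISH = "http://phishing-placeholder.example/monday"
INNER = "https://adclick.g.doubleclick.net/aclk?sa=L&adurl=" + quote(PHISH, safe="")
OUTER = "https://www.google.com/url?q=" + quote(INNER, safe="")
ALLOWLIST = {"www.google.com", "adclick.g.doubleclick.net"}

if __name__ == "__main__":
    final, hops = resolve_redirect_chain(OUTER)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {urlparse(hop).netloc}")
    print("cloaked:", is_cloaked(OUTER, ALLOWLIST), "->", final)
```

Checking a value that merely parses as a URL is a heuristic: a search query containing a URL will also be flagged, which is acceptable for a filter that goes on to evaluate the extracted host.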
Cyren identified the following Adclick links redirecting to a phishing site:
- hxxp://ocean-graphics.com.au/monday
- hxxp://rosemarosszeky.com/saturday
- hxxp://macchiagroup.com.au/Wednesday
- hxxp://marindasdancing.com/Wednesday
- hxxp://www.leesons.com.au/alterome
- hxxp://www.lmische.com.au/screen
Cyren also identified the following websites as possibly hacked to host phishing sites related to this tax scam:
- hxxp://ocean-graphics.com.au/monday
- hxxp://therockinghorsestable.com.au/Saturday
- hxxp://austudentvisa.com.au/home
- hxxp://mangowoodfarmalpacas.com.au/home
- hxxp://www.lmische.com.au/screen
Figure 4: Site has been flagged as possibly hacked
Tax Season Means More Scams
With tax season underway, email scams will certainly increase. Be on the lookout for emails purporting to come from government tax organizations, such as HMRC and the U.S. Internal Revenue Service (IRS), that could contain anything from phishing links to malware and ransomware. HM Revenue & Customs advises taxpayers on its website to watch out for and report tax scams, and states that it will “never use texts or emails to tell you about a tax rebate or penalty or ask for personal or payment information.”
Figure 5: The official gov.uk HMRC website provides warnings and advice on tax scams
An official HMRC guide can be found here that informs taxpayers and provides examples of phishing emails and bogus contacts.