Thursday, December 29, 2011

HMRC Phishing Scam E-mail

There's a new phishing scam e-mail making the rounds claiming to be from the UK tax organization Her Majesty's Revenue & Customs, or HMRC for short. I've written a piece about this for Sophos' Naked Security blog.

I wanted to include some additional details that were less appropriate for the other article but might interest those interested in tracking phishing campaigns. The attachment is an HTML file that contains a basic form that uses the "post" method to submit the form contents to a server. The server is hosted at an IP address owned by Cybercity, a DSL ISP in Denmark:

http:// 94.145.238 .98/h/w.php

Attempting to visit the URL directly in a browser will redirect to the official HMRC site,; the same redirection occurs after submitting data via the form, obviously in an attempt to make the form submission seem to have been legitimate to unsuspecting victims.

Naturally, just because the IP is from Denmark doesn't mean that the scammer is from there. It could simply be the case that the scammer had remote access to a compromised machine that happened to be located in Denmark.

Here are the Web of Trust and IPVoid reports for this IP address:

As observed by URLVoid, the IP is currently on SURBL's phishing blacklist.

Out of the 43 antivirus engines on VirusTotal, only Sophos currently detects the file as malicious (Mal/Phish-A).

A somewhat amusing side note: I don't even live in the UK, nor have I ever traveled there—and the phishing e-mail was sent to an (America Online) address—so this is obviously not a targeted phishing scam campaign by any means.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .