Share:

It’s about the time of year when people should be receiving tax refunds from the IRS, which gives attackers a great opportunity to craft phishing emails. PhishMe users recently reported a round of phishing emails purporting to be from the IRS about tax refunds:

IRS phishing email

Figure 1 — IRS-themed phishing email

Mousing over the link reveals this URL: http://irk-billling[d]com/irs/, which doesn’t look like something the IRS would send. For starters, there are too many L’s in billing and they misspelled IRS. Once the user clicks, we can see that this is a data-entry phishing attack, a classic tactic for stealing passwords and other credentials. (For more on data-entry attacks, check out Aaron Higbee’s webinar and Rohyt Belani’s blog post.)Here’s what the page looks like. (We used fake credentials, of course.)

Data Entry Page

Figure 2 — Phony Data Entry Page

Once submitted, the user is prompted with an error that the page didn’t work.

Error Message

Figure 3 — Error Message

By looking at Wireshark, we can see that the data was still POSTed back to the attackers. The content posted is in the lower image.

Contents

Figure 4 — Contents being posted to attackers

Thanks to a coding error on the attackers’ part, we can specify how much we want back for our refund, as they defined this field as a text box. If the user wasn’t already tipped off that this is fake by the misspellings in the URL and data entry page, the ability to enter any figure into the refund field should be another indicator that this isn’t actually from the IRS.

Coding Error

Figure 5 — Coding error allowing user to specify refund amount

As previously mentioned, data-entry tactics are a classic attack method, and when conducting OSINT research on this attack, we found that the content the attackers used was tried and true as well.

We often see phishing attacks repeat themselves, and when investigating the content of the phishing website, we found the same exact text and format in an IRS phishing webpage in an archive that was dated March 14th, 2006. The source was taken from the “irfofgetstatus.jsp” on the IRS webpage itself (scraped) and republished from the local domain (based on the other references on the webpage).
The email originally came from Tel Aviv, based on the following section of email header (domain name “.” obfuscated to avoid unintentional clicking of the link):
Received: from tdtcthichtdtigj (192.168.1.181) by
tdtcthichtdtigj[.]greaterlouisville[.]com (77.125.102.195) with Microsoft SMTP

IP Location Israel Tel Aviv 012 Smile Communications Ltd.
ASN AS9116 GOLDENLINES-ASN 012 Smile Communications Ltd.,IL (registered Dec 23, 1998)
Whois Server whois.ripe.net
IP Address 77.125.102.195

Phishing domains that have the same exact interface are as follows (obfuscated links sourced from https://www.mywot.com/en/forum/49218-small-botnet-spoofs-usa-irs ):

hxxp://irc-killling[.]com/irs/
hxxp://91[.]219[.]29[.]147/irs/
hxxp://107[.]181[.]161[.]165/irs/
hxxp://185[.]14[.]28[.]90/irs/
hxxp://irg-billling[.]com/irs/
hxxp://ipc-billling[.]com/irs/
hxxp://irk-billling[.]com/irs/
hxxp://irs-billllng[.]com/irs/
hxxp://lrs-billling[.]com/irs/
hxxp://5[.]34[.]183[.]170/irs/
hxxp://irq-billling[.]com/irs/
hxxp://jrs-billlling[.]com/irs/

Google Chrome blocked some of the domains as being phishing websites, as shown below. To an extent, this can really help vulnerable users from getting compromised, but it should be viewed as a layer of protection in addition to a properly trained user base.

Chrome Message

Figure 6 — Chrome Message

In a nutshell, even though monitoring/detection and prevention technologies have existed for a long time, the data entry attack has not died yet. Since the main vulnerability that the attackers exploit here is the human weakness, the best way to manage this threat is to augment a security technology strategy with proper employee training, education and user experience.