Another Tax-Rebate Phishing Scam, This Time in Canada

The Cofense Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.

While the message body contains little detail, it delivers a PDF document as an attachment. The PDF advises recipients that the Canada Revenue Agency has sent them an INTERAC e-Transfer and that they can deposit the funds by following the instructions or by clicking the embedded link in the PDF. Please see Figure 1 for the email body and Figure 2 for the PDF document.

Figure 1 – Email body

Figure 2 – Attached PDF file

When the “Deposit your money” button is clicked, the embedded URL redirects the victim to the fake Canada Revenue Agency phishing page.

After asking the victim to enter personal details on the first page and valid financial credentials on the next page, the phish redirects the victim to the legitimate Canada Revenue Agency website (Figure 3).

Figure 3 – Canada Revenue Agency phish financial details page

Legitimate Canada Revenue Agency Page

Let’s dissect the message closely:

The email is crafted to appear to be from centernotify-interacraca3d-4f4[@]mtstax[.]ca, a tax return and bookkeeping firm in Ontario, Canada. However, the message was actually sent from a Virtual Private Server (VPS), hosted in Figure 4 depicts the message header.

Figure 4 – Message Header

Upon further investigation, MTS TAX is aware of this scam and has notified its customers on its web page (Figure 5).

Figure 5 – MTS TAX Notification of the Scam

Indicators of Compromise [IOC]

Attached PDF Document

File Name: USER-TAX-REFUND-SECURED.pdf

MD5: 2ac1f60f9a6da6e7585ba56b59f18635

SHA256: 37d348615ab5ec74b90f955df02335f8a878c52644544754af057d4061e5e00c

Size: 237,316 Bytes

The file hash is flagged as malicious on VirusTotal based on certain object streams and AcroForm objects embedded in the PDF, but the file contains no JavaScript and no action tags. However, clicking the hyperlink and visiting the embedded URL pulls JavaScript files from various sources to check the visitor’s Geo-IP location and perform web analytics (Figure 6).

Figure 6 – PDF analysis
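The triage the analysis above describes (object streams and AcroForm objects present, no JavaScript or action tags, only a link) can be reproduced with a small scan. The following is an added example, not Cofense’s tooling or the real attachment: it inflates FlateDecode streams so that keys hidden inside object streams are visible, counts the suspect dictionary keys, and extracts `/URI` targets. The sample PDF is constructed inline with a placeholder domain and is not a fully valid PDF.

```python
import re
import zlib

# Dictionary keys worth flagging in a triage pass. The post's sample carried
# object streams and AcroForm objects but no JavaScript or action tags; its
# only active content was the link behind the "Deposit your money" button.
SUSPECT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/AcroForm", b"/ObjStm", b"/URI")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the decoded body of every FlateDecode stream to the raw bytes,
    so keys hidden inside compressed object streams (/ObjStm) become visible."""
    decoded = [pdf]
    for m in STREAM_RE.finditer(pdf):
        # decompressobj tolerates a truncated trailer and still yields what it decoded
        d = zlib.decompressobj()
        try:
            decoded.append(d.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); nothing to add
    return b"\n".join(decoded)


def triage_pdf(pdf: bytes, inflate: bool = True) -> dict:
    """Count suspect keys and extract /URI targets. With inflate=False the scan
    sees only the raw file, which is how a link inside an object stream is missed."""
    data = inflate_streams(pdf) if inflate else pdf
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
              for k in SUSPECT_KEYS}
    uris = [u.decode(errors="replace") for u in URI_RE.findall(data)]
    return {"counts": counts, "uris": uris,
            "has_javascript": counts["/JavaScript"] + counts["/JS"] > 0,
            "has_link": bool(uris)}


def build_sample_pdf() -> bytes:
    """Constructed stand-in for the attachment (not the real file, and not a
    fully valid PDF): an AcroForm entry, no JavaScript, and a /Link annotation
    whose /URI action is tucked inside a FlateDecode-compressed object stream."""
    annot = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
             b"/URI (hxxp://tax-refund.example.invalid/start.php?program=tax) >> >>")
    body = zlib.compress(annot)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] >> >> endobj\n"
            b"5 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")
```

Running `triage_pdf(build_sample_pdf())` reports the AcroForm and ObjStm keys, no JavaScript, and the link target; the same scan with `inflate=False` misses the link entirely.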

Embedded malicious URL in PDF

hxxp://3924[.]return-canada[.]update[.]constellationforum[.]com

Associated IP address: 107[.]180[.]58[.]61

Redirected URLs:

hxxp://canada-cra[.]ssl2018[.]constellationforum[.]com/start[.]php?program=tax&target=details&lang=en&idp=cms;jsessnid=guixEuzQXSHPFnfCkgWQvaDGzjBQjqluGGkybtMCWZa

hxxp://3924[.]return-canada[.]update[.]dealmakers[.]com/start[.]php?program=tax&target=details&lang=en&idp=cms;jsessnid=LapqyjtRjQuAUUBPjVitypGVIcNGApIrqvPrEaTiZggrVWphHj

Associated IP addresses:

107[.]180[.]58[.]61

107[.]180[.]4[.]53

Please note that the above URLs are only reachable from Canadian IP addresses. Requests from any other Geo-IP location are redirected to YouTube.

Tips to Prevent Becoming a Victim

Finally, as always advised by Cofense, consider these best practices to avoid falling victim to such scams:

  1. First and foremost, be certain that you are expecting an email from the person or organization regarding the subject.
  2. Check the email for grammatical errors, tone and subject line of the message – watch for emotional triggers, e.g. urgency, fear etc.
  3. Don’t open any attachments unless you are certain! Even a genuine-looking file can be malicious.
  4. Hover over a link to see where it really takes you, and be cautious: there may be subtle differences between the fake URL and the genuine URL.
  5. Instead of visiting the URL by clicking the unknown hyperlink, search for and visit the required website yourself directly.

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.
