The CofenseTM Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.
While the message does not contain much detail, it delivers a PDF document as an attachment. This PDF document advises recipients that the Canada Revenue Agency has sent them an INTERAC e – Transfer and they can deposit the fund by following the instructions or by clicking the embedded link in the PDF. Please see Figure 1 for the email body and Figure 2 for the PDF document.
Figure 1 – Email body
Figure – 2 Attached PDF file
When the “Deposit your money” button is clicked, the embedded URL redirects the victim to the fake Canada Revenue Agency phishing page.
After asking the victim to enter personal details on the first page and valid financial credentials on the next page, the phish redirects the victim to the legitimate Canada Revenue Agency website (Figure 3).
Figure 3 — Canada Revenue Agency phish financial details page
Legitimate Canada Revenue Agency Page
Let’s dissect the message closely:
The email is crafted to appear to be from centernotify-interacraca3d-4f4[@]mtstax[.]caa tax return and bookkeeping firm in Ontario, Canada. However, the message was sent from a Virtual Private Server (VPS), hosted in Figure 4 depicts the message header.
Figure 4 – Message Header
Upon further investigation, MTS TAX is aware of this scam and have notified their customers on their web page (Figure 5).
Figure 5 – MTS TAX Notification of the Scam
Indicators of Compromise [IOC]
Attached PDF Document
File Name: USER-TAX-REFUND-SECURED.pdf
Size: 237,316 Bytes
Figure 6 – PDF analysis
Embedded malicious URL in PDF
Associate IP address: 107[.]180[.]58 [.]61
Associated IP address:
107[.]180 [.]58 [.]61
107[.]180 [.]4 [.]53
Please note that the above URLs are not accessible via any other Geo-IP location other than Canadian IP addresses. If accessed from any other Geo-IP location, it redirects to YouTube.
Tips to Prevent Becoming a Victim
Finally, as always advised by Cofense, consider these best practices to avoid falling victim to such scams:
- First and foremost, be certain that you are expecting an email from the person or organization regarding the subject.
- Check the email for grammatical errors, tone and subject line of the message – consider emotional triggers i.e. urgency, fear etc.
- Don’t open any attachments unless you are certain! Even a genuine looking file can be malicious.
- Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL.
- Instead of visiting the URL by clicking the unknown hyperlink, search and visit your required website yourself directly.
To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.