IRS Tax Refund Email Phishing Campaign: Claim Your Phish

By Harsh Patel, Cofense Phishing Defense Center

The U.S. tax season is underway, and emails from the IRS are normal, even expected. Added to that is stimulus check anxiety: users questioning whether they will receive one and waiting for any information that becomes available. Threat actors are adept at crafting their attacks around current events, as was seen with the pandemic and the numerous campaigns that grew from it. In this case, a well-conditioned user reported an email using Cofense Reporter, which sent it to the Cofense Phishing Defense Center (PDC), where analysts were able to quickly alert on it via Cofense Triage. This email is a newer phishing campaign that steals tax-filing information by posing as an IRS email related to the much-needed stimulus check.

Figure 1: Email Body

The subject and supposed sender of this phishing attack is immediately eye-catching: “Recalculation of Your Tax Refund Payment” followed by the sender name: “IRS”. Most users realize it’s unlikely this email would end up in their work email account rather than their personal email account.

The email body begins with “Dear Applicant.” With this generic wording, it’s easy for the threat actor to send this email to any number of people at any company. Conversely, the lack of a named addressee is a characteristic of potentially malicious emails that users have been warned about. This may explain the line at the bottom of the email that states “This is an automatically generated email sent to” followed by the recipient’s email address, perhaps to add a layer of specificity for authenticity.

Reading further, the email informs the user that, upon inspection of their last tax refund, they are now eligible for “an extra tax refund of 1400.00 USD”. Based on the amount and timing, it can be assumed that this was referencing the recent stimulus check.

Figure 2: Email Header

The attacker spoofed the From and Return-Path fields to show this email coming from the address [email protected], where company.com is replaced with the user’s company domain. However, upon closer inspection, the actual originating source is shown in the headers in the X-Authenticated-UID field, which identifies an external, compromised user account.
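The header mismatch described above is easy to check mechanically. The following is an added example, not code from the original post or from Cofense: it parses a constructed set of headers modelled on this campaign (the addresses and domains are made up) and flags a message whose claimed From/Return-Path domain differs from the account the sending server actually authenticated. It assumes the gateway records the authenticated account in a header named X-Authenticated-UID, as the post describes; the exact header name depends on the mail infrastructure.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the campaign (not the real message).
# The From and Return-Path claim the recipient's own domain, while the
# authenticated sending account belongs to an unrelated external domain.
SAMPLE_HEADERS = """\
Return-Path: <irs@example-company.com>
X-Authenticated-UID: compromised.user@external-sender.example
From: "IRS" <irs@example-company.com>
To: employee@example-company.com
Subject: Recalculation of Your Tax Refund Payment

Dear Applicant,
"""

# A benign constructed message for comparison: every sender field agrees.
CLEAN_HEADERS = """\
Return-Path: <payroll@example-company.com>
X-Authenticated-UID: payroll@example-company.com
From: "Payroll" <payroll@example-company.com>
To: employee@example-company.com
Subject: W-2 forms are available

Hello,
"""


def sender_domain(header_value):
    """Return the lower-cased domain of an address header value, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def analyze_sender_headers(raw_message):
    """Compare the claimed sender domains against the authenticated account.

    Returns a dict with the extracted domains and a list of human-readable
    findings; an empty findings list means the sender fields are consistent.
    """
    msg = message_from_string(raw_message)
    claimed = sender_domain(msg.get("From"))
    return_path = sender_domain(msg.get("Return-Path"))
    # Assumed header name; gateways differ in how they expose this.
    authenticated = sender_domain(msg.get("X-Authenticated-UID"))
    recipient = sender_domain(msg.get("To"))

    findings = []
    if authenticated and claimed and authenticated != claimed:
        findings.append(
            f"From domain {claimed} differs from authenticated sender {authenticated}"
        )
    if authenticated and return_path and authenticated != return_path:
        findings.append(
            f"Return-Path domain {return_path} differs from authenticated sender {authenticated}"
        )
    # The campaign impersonated an address at the recipient's own company.
    if claimed and recipient and claimed == recipient and authenticated != claimed:
        findings.append(
            f"message claims to be internal ({claimed}) but was sent by an external account"
        )
    return {
        "from": claimed,
        "return_path": return_path,
        "authenticated": authenticated,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_HEADERS), ("clean", CLEAN_HEADERS)):
        result = analyze_sender_headers(raw)
        print(label, result["findings"] or ["no sender inconsistencies"])
```

Run as a script, the phishing sample produces three findings and the clean sample none. In a real gateway the same comparison would be fed by whichever header records the authenticated submitter, and would sit alongside SPF/DKIM/DMARC results rather than replace them.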

Figure 3-4: Phishing Page

Upon first visiting the page, the website prompts the user with the notification “AUTHORIZED USE ONLY” to appear authentic. Anyone visiting the legitimate IRS.gov website is familiar with this popup warning, which the threat actor took the additional step of replicating. However, a well-conditioned user would realize the legitimate IRS site doesn’t change the URL. Notably, this attack was hosted on the amplifyapp[.]com domain. This domain belongs to the AWS Amplify service, which, according to its website, is the “Fastest, easiest way to build mobile and web apps that scale.” With this service, the threat actor crafted a near-identical IRS information page to harvest user tax information: Social Security number, name, birth date, filing PIN and so on. Upon submitting all the required fields, the user is redirected to the official IRS homepage, as seen in Figure 5. This is the final page.

Figure 5: Redirect Page

The campaign shows that threat actors quickly modify their tactics to match current world events and stay topical to the users they are targeting. With Cofense Managed Phishing and Defense, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phish. Threats like the one outlined here will be stopped dead in their tracks because a conditioned user quickly identified this as suspicious and reported the email.


Indicators of Compromise

URL:
hXXps://main[.]d3e0nbfvettk5z[.]amplifyapp[.]com

IPs:
99[.]86[.]189[.]62
99[.]86[.]189[.]68
99[.]86[.]189[.]108
99[.]86[.]189[.]58
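The indicators above are defanged (hXXps and [.]) so they cannot be clicked by accident. The following is an added example, not code from the post or from Cofense, showing how a defender would refang them in memory and sweep them against web proxy logs. The log lines are constructed for illustration; the indicators are the ones listed in the post. A hostname match is treated as high confidence, while an IP-only match is treated as low confidence, since addresses behind a hosting platform are commonly shared with unrelated sites.

```python
import re

# Indicators exactly as published in the post (defanged).
DEFANGED_IOCS = [
    "hXXps://main[.]d3e0nbfvettk5z[.]amplifyapp[.]com",
    "99[.]86[.]189[.]62",
    "99[.]86[.]189[.]68",
    "99[.]86[.]189[.]108",
    "99[.]86[.]189[.]58",
]

# Constructed proxy log lines (not from the post). The first two visit the
# phishing host, the third is benign, the fourth only shares a destination IP.
SAMPLE_PROXY_LOG = [
    "2021-03-10T14:02:11Z src=10.1.2.3 GET https://main.d3e0nbfvettk5z.amplifyapp.com/ dst=99.86.189.62 status=200",
    "2021-03-10T14:02:40Z src=10.1.2.3 POST https://main.d3e0nbfvettk5z.amplifyapp.com/submit dst=99.86.189.108 status=302",
    "2021-03-10T14:03:05Z src=10.1.2.3 GET https://www.irs.gov/ dst=203.0.113.10 status=200",
    "2021-03-10T14:05:00Z src=10.1.2.9 GET https://docs.example.com/ dst=99.86.189.58 status=200",
]

URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """Turn a defanged indicator back into its literal form for matching."""
    return (
        ioc.replace("[.]", ".")
        .replace("hXXps://", "https://")
        .replace("hXXp://", "http://")
    )


def split_iocs(defanged_iocs):
    """Return (hostnames, ip_addresses) extracted from the indicator list."""
    hosts, ips = set(), set()
    for ioc in defanged_iocs:
        literal = refang(ioc)
        if "://" in literal:
            hosts.add(literal.split("://", 1)[1].split("/", 1)[0].lower())
        elif IPV4_RE.fullmatch(literal):
            ips.add(literal)
    return hosts, ips


def scan_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one hit record per log line that touches any indicator."""
    hosts, ips = split_iocs(defanged_iocs)
    hits = []
    for index, line in enumerate(lines):
        host_hits = sorted({h.lower() for h in URL_HOST_RE.findall(line)} & hosts)
        ip_hits = sorted(set(IPV4_RE.findall(line)) & ips)
        if not host_hits and not ip_hits:
            continue
        hits.append({
            "line": index,
            "host_hits": host_hits,
            "ip_hits": ip_hits,
            # Shared hosting means an IP alone is a weaker signal than the hostname.
            "confidence": "high" if host_hits else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The POST on the second constructed line is the kind of event worth prioritizing in triage: it corresponds to the form submission on the fake IRS page, so the user may have already entered their details.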

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.