By Jake Longden, Cofense Phishing Defense Center
Taxes and rebates have long been some of a phisher’s favorite targets. Now the coronavirus has provided a fresh new way to exploit this topic: the government grants designed to help small businesses and those out of work due to the pandemic.
The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign in the U.K. that aims to harvest HMRC (Her Majesties Revenue and Customs) credentials and sensitive personal information by preying on employees who are expecting COVID relief grants.
With multiple world governments providing such grants, this is an easily modifiable tactic—simply modify the email to spoof the target country’s tax service.
Figure 1: Email Header
To add authenticity to the email, the threat actors have used an email address ([email protected]) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). That, combined with the subject line, is a great way to attract the user’s interest (“Helping you during this covid from government”). Whilst this sentence is not using the greatest grammar, who wouldn’t want government assistance during these difficult times?
Figure 2: Email Body
When first viewing the email, the user is presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose work has been affected by the virus. The email includes a link to check their eligibility. With the government publicly and repeatedly mentioning such sums, the email is believable to inattentive users. The attacker also mentions the “Open Government License v3.0,” a legitimate copyright license used by the Government and Crown Services, to provide additional credibility.
Figure 3: Phishing Page
Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website. This may alleviate concerns a user may have and provide a false sense of security, as the page is extremely similar to the HMRC account sign-in page. The biggest red flag: the URL, just-bee.nl, is not relevant.
Figure 4: Phishing Page
Figure 5: Phishing Page
Here the user is asked to enter some very personal and sensitive data. Another sign that this is a scam: the volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account. The data requested here screams “identity theft/impersonation.”
From there, the user is directed to a page that seems to be loading, to help provide the impression that the data is being processed and an eligibility check performed.
Figure 6: Processing Page
How Cofense Can Help
Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.