A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.

Fig 1. Email Body

The email body is simple with minimal formatting. It sets out the premise that the victim is owed money for overpaying tax and requires the user to sign up for a Government Gateway ID to claim the tax refund. The email body contains a single hyperlink, “hxxp://rev[.]hu/ta/”, which redirects the user to the main phishing page at “hxxp://notice[.]hmrc[.]tax[.]gov[.]uk[.]9679054009[.]tax[.]revenue[.]ibjobtraining[.]in.”

At first glance this URL looks pretty convincing, as the eye is automatically drawn to the first portion of the address “hmrc.tax.gov.uk” and ignores the rest. However, closer examination reveals that the top-level domain for this page is in fact ibjobtraining[.]in, a malicious domain known by the Sorbs Blacklist to be used for phishing scams.

Fig 2. Email Header

The email headers show that the threat actor has deployed the typical email spoofing tricks. First, we see that the email originates from “gb38120m1272x-85875[@]netrevenueclients[.]co[.]uk.,” which certainly does not belong to HMRC. We can also see that the sender appears to be the HMRC in the FROM field.

Fig 3. Phishing Home Page

The victim is taken to a very convincing credential phishing page, styled to appear as the HMRC portal. Here, the victim is told what information is required to sign up for a Government Gateway ID and how long the process is likely to take.

Fig 4. Personal Details Page 1

The first sign-up page requires the user to enter their full name, date of birth, full UK postal address, phone number, and their mother’s maiden name.

Fig 5. Credit Card Details

The second phishing page the victim is redirected to harvests credit card information and bank account details. Armed with this information, an attacker would be able to commit credit card fraud and identity theft and possibly compromise the victim’s bank account by setting up direct debits to fraudulently pay for services and goods.

Fig 6.  Success Page

Once all details have been submitted, the victim is redirected to a confirmation page which informs the user that the tax refund has been successful and that it will be processed within 5 – 10 days. The victim is also presented with a fake Government Gateway ID. This buys the attacker a minimum of 5 days of free unfettered access to the compromised information before the victim is likely to check in with HMRC to chase up the refund.

Conclusion: Phishing attacks targeting UK users are on the rise, as previously covered by Cofense, and the threat actors appear to be getting more sophisticated with each iteration, at least in terms of producing convincing clones of legitimate institutions. Among larger government organisations like HMRC, official communications are usually sent out by mail on headed paper; these institutions will not communicate financial information by email or disclose information regarding figures and amounts. If you’re ever in doubt of the legitimacy of such a communication, you should contact customer services by telephone. Contact details can be found on the institution’s official web page.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

URLS:

hxxp://rev[.]hu/ta/

hxxp://notice[.]hmrc[.]tax[.]gov[.]uk[.]9679054009[.]tax[.]revenue[.]ibjobtraining[.]in/hm/personalInfo[.]php?

Domains:

rev[.]hu

ibjobtraining[.]in

IPs:

87[.]229[.]104[.]110

108[.]61[.]8[.]58

Who’s Got Access? “Value at Risk” Anti-Phishing
This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

Leave a Reply