Share:

By Jake Longden, Cofense Phishing Defense Center

Taxes and rebates have long been some of a phisher’s favorite targets. Now the coronavirus has provided a fresh new way to exploit this topic: the government grants designed to help small businesses and those out of work due to the pandemic.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign in the U.K. that aims to harvest HMRC (Her Majesties Revenue and Customs) credentials and sensitive personal information by preying on employees who are expecting COVID relief grants.

With multiple world governments providing such grants, this is an easily modifiable tactic—simply modify the email to spoof the target country’s tax service.

Figure 1: Email Header

To add authenticity to the email, the threat actors have used an email address (hmrc@hotmail.com) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). That, combined with the subject line, is a great way to attract the user’s interest (“Helping you during this covid from government”). Whilst this sentence is not using the greatest grammar, who wouldn’t want government assistance during these difficult times?

Figure 2: Email Body

When first viewing the email, the user is presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose work has been affected by the virus. The email includes a link to check their eligibility. With the government publicly and repeatedly mentioning such sums,  the email is believable to inattentive users. The attacker also mentions the “Open Government License v3.0,” a legitimate copyright license used by the Government and Crown Services, to provide additional credibility.

Figure 3: Phishing Page

Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website. This may alleviate concerns a user may have and provide a false sense of security, as the page is extremely similar to the HMRC account sign-in page. The biggest red flag: the URL, just-bee.nl, is not relevant.

Figure 4: Phishing Page

Figure 5: Phishing Page

Here the user is asked to enter some very personal and sensitive data. Another sign that this is a scam: the volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account. The data requested here screams “identity theft/impersonation.”

From there, the user is directed to a page that seems to be loading, to help provide the impression that the data is being processed and an eligibility check performed.

Figure 6: Processing Page

 

Network IOC IP
hXXps://www[.]lagesports[.]com/[.]tmb/xml[.]php 69[.]10[.]32[.]186
hXXps://rtoutletpremium[.]com[.]br/[.]well-known/pki-validation/UTR/index[.]php 162[.]241[.]182[.]5

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.