IRS related scams are not all the same

Barracuda Central is detecting a variety of tax-related phishing emails. These emails are designed to look like official communications from the IRS or similar tax revenue entities outside of the US. Most of the emails we have detected include links in the body of the message. These links are designed to phish for the victim’s info or to install malicious content on the victim’s computer. All of these emails have the same agenda of tricking people into clicking on the malicious links.

Some of these emails claim to be automated notification messages sent from the IRS. These emails ask the recipient to update a W2 profile with a “new W2 E-Data Form”. Some of these messages also claim that if this is not done within 48 hours, a refund will be delayed or not paid. Other similar IRS phishing emails have an attached HTML form. This form prompts the recipient to input personal information such as social security number, date of birth, home address and employer info. If this form is submitted, the victim is directed to a different site, and all personal information that was just entered is now stored for a spammer to use.

Another variant has the subject “Pending Tax Refund”. This variant attempts to trick the recipient into clicking on a link by claiming there is an outstanding tax refund from an overpayment in a prior year. These messages are coming from a .UK domain and pose as official communications from HM Revenue & Customs, the department of the UK Government that is responsible for the collection of taxes. The government already knows about this issue and has created a site to inform people about this scam: http://www.hmrc.gov.uk/gds/payerti/forms-updates/forms-publications/register.htm

The above variant poses as a message from the “Canada Revenue Agency”. The email has a link to a site that asks the victim to transfer money electronically, so that the sender...


Super Bowl Presents Super Opportunity for Spammers

It’s no secret that highly anticipated events like the Super Bowl generate buzz around everything from commercials to merchandise, allowing opportunistic businesses to capitalize on the millions of eyes viewing from around the globe. However, what many folks fail to recognize is the opportunity events like the Super Bowl also create for scammers to set up disingenuous websites and emails to trap people into paying for items they will never see. This year is shaping up to be no different, as shown by Barracuda Labs, which has already detected spam for replica jerseys on sale for the 2016 Super Bowl teams via sites such as pantherssuperbowlshop-dot-com and broncossuperbowlshop-dot-com.

[Images: Fake Panther Super Bowl site; Fake Broncos Super Bowl site]

In this particular instance, spam emails from the above sites claim to have replica jerseys on sale, but the links unfortunately lead to false websites. These false websites then ask people to pay for replica jerseys without a secure payment option, and request credit card information for fraudulent purposes. Ultimately, these sites are scamming people out of money by pretending to sell items that they will never ship, and even go so far as to claim the items ordered are “Out Of Stock” after payment was already received.

How to tell it’s a scam:

Based on what we’ve seen in these scam messages, the domains are targeted attacks focused on fans of the 2016 NFL Super Bowl teams (Carolina Panthers and Denver Broncos). The domains used here were registered on December 15, 2015, which was right around week 15 of 17 for the NFL, two games before the playoffs started. Our research shows that the registration information points to the spam coming from: tian xiang da sha,405#,wan he lu 99hao,Chengdu,China. Both of the sites request buyers to input personal information including name, address, credit card info, etc. However, once they try to access their cart at the time of purchase, it doesn’t allow them to purchase as...
