In the last few days, Nettitude’s threat intelligence platform has picked up a mass phishing campaign – involving the distribution over nearly two million individual emails – targeting HMRC customers.
The attackers attempt to obtain personal details by directing the user to click a link in the e-mail, which then redirects them to a compromised web site, masquerading as a legitimate HMRC page.
In most of the e-mails we have seen, the subject is “Thu, 28 Jan 2016 ::Tax.Return.No 73563523”
The victim is directed to follow a link, note that the attackers have spelled “annual” incorrectly in the e-mail:
 

The link directs the victim to a spoofed HMRC web page.  The following links have been censored for reader safety, however the domains are correct:
hxxp://markwcasemanagement.com/…./index.php
hxxp://marthebrilman.com/…./index.php
hxxp://wikimommafamilytofamily.com/…./index.php
hxxp://globalgateusa.com/…./index.php
hxxp://loriatwood.com/…./index.php
hxxp://wernersgroup.com/…./index.php
hxxp://masoninstallations.com/…./index.php
hxxp://helminadia.com/…./index.php
hxxp://manisatemizlik.com/…./index.php
hxxp://masoninstallations.com/…./index.php
hxxp://manability.com/…./index.php
hxxp://marisahudlin.com/…./index.php
hxxp://globalgateusa.com/…./index.php
hxxp://malwhitelaw.com/…./index.php
hxxp://mervsmulch.com/…./index.php
hxxp://manzanaloca.com/…./index.php
hxxp://lorritrogdon.com/…./index.php
These generally appear to be legitimate web sites which have been compromised by the attackers in order to host the phishing scam.
Visiting one of the links presents a genuine looking, but spoofed HMRC page, which is asking for personal details including telephone banking pin number:
spoofed-HMRC-page
In all cases so far, mail is being sent from a single IP address in the USA
Internet_Service_Provider_Cincinnati-Bell
The narrows down the attacker’s IP to their Internet Service Provider “Cincinnati Bell”.
Since this is part of an IP block allocation to Cincinnati Bell, it is not possible to identify the attacker further.
Conclusion
With the HMRC self-assessment tax return deadline, 31st of January 2016, just around the corner, it’s clear that this is a highly targeted attack, and that the fraudsters are becoming more and more cunning in their tactics.
The following can help in spotting scams like this one:

  • Often the e-mail won’t be addressed to you personally. The scam is mailed out en-masse to thousands, or even millions, of recipients.
  • Banks, and government departments will never send e-mails asking for your account details and pin number.
  • Look out for spelling mistakes, grammatical errors or incorrect plurals in the e-mail. For mail that purports to be from a UK company or government department, look out for the American spelling of a word.  Errors such as these can immediately indicate a scam.

In order to avoid becoming a victim of an attack like this, you can take several steps to protect yourself:

  • Avoid clicking links in e-mails. If you need to contact HMRC for example, you can open a web browser and go to the official web site yourself, or call them on the HMRC phone number.
  • Never provide bank account pin numbers or passwords to web sites, or over the phone.
  • If you’re unsure about an e-mail, do not reply to the mail. Contact the bank or government department directly.

Nettitude’s threat intelligence platform gathers the latest threat data from its own global honeypot network, along with commercial and open source feeds. Nettitude assesses context, verification and quality of threat data in order to help inform its customer’s security tactics.
To contact Nettitude’s editor, please email media@nettitude.com