Last visit was: Sat Jul 05, 2014 11:49 am
It is currently Sat Jul 05, 2014 11:49 am

Phish spoofing US Internal Revenue Service


All times are UTC - 5 hours [ DST ]


 [ 20 posts ]  Go to page 1, 2  Next
Author Message
 PostPosted: Wed Sep 09, 2009 7:37 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
Quote:
Taxpayer ID: myname-bunchofnumbersUS
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: myname-bunchofnumbersUS

Internal Revenue Service


The phish domain it links to, hyg12zk.eu, has already been shut down.
But who.is has record of its IP address, 84.126.93.168.
Searching for other domains sharing the same address, I find
Quote:
gshipagc.com A 84.126.93.168
168.93.126.84.in-addr.arpa PTR 84.126.93.168.dyn.user.ono.com
02fgu145501.cn A 84.126.93.168
keule557.cn A 84.126.93.168
sdfsdf23423455jkjg.cn A 84.126.93.168
gshipagc.net A 84.126.93.168


Picking one and checking gshipagc.net, it appears to just be a shipping company (hmmm, sounds familiar). But if you go a step further and see what IP addresses that domain has occupied recently, you get a rather long list:
Quote:
gshipagc.net A 24.42.26.101
gshipagc.net A 24.136.214.23
gshipagc.net A 24.139.153.207
gshipagc.net A 58.8.22.135
gshipagc.net A 58.8.22.237
gshipagc.net A 58.8.25.219
gshipagc.net A 58.8.29.249
gshipagc.net A 58.9.33.71
gshipagc.net A 58.9.35.30
gshipagc.net A 59.91.203.57
gshipagc.net A 59.94.241.181
gshipagc.net A 59.94.247.166
gshipagc.net A 59.94.251.141
gshipagc.net A 59.95.226.244
gshipagc.net A 59.161.145.50
gshipagc.net A 61.90.105.44
gshipagc.net A 61.90.105.185
gshipagc.net A 62.68.98.163
gshipagc.net A 62.68.98.172
gshipagc.net A 62.80.180.11
gshipagc.net A 62.80.180.44
gshipagc.net A 62.248.11.180
gshipagc.net A 62.248.11.216
gshipagc.net A 66.212.155.140
gshipagc.net A 67.164.7.67
gshipagc.net A 67.230.47.228
gshipagc.net A 71.92.202.74
gshipagc.net A 74.3.203.93
gshipagc.net A 76.208.149.68
gshipagc.net A 77.22.125.13
gshipagc.net A 77.78.42.41
gshipagc.net A 77.239.70.110
gshipagc.net A 77.239.71.249
gshipagc.net A 77.253.15.109
gshipagc.net A 77.254.134.179
gshipagc.net A 77.254.193.88
gshipagc.net A 77.254.201.167
gshipagc.net A 78.37.230.200
gshipagc.net A 78.106.120.13
gshipagc.net A 78.106.186.159
gshipagc.net A 78.109.252.199
gshipagc.net A 78.131.46.220
gshipagc.net A 78.166.71.118
gshipagc.net A 78.169.12.54
gshipagc.net A 78.175.218.224
gshipagc.net A 78.177.251.105
gshipagc.net A 78.182.174.158
gshipagc.net A 78.183.228.174
gshipagc.net A 79.109.144.180
gshipagc.net A 79.116.207.32
gshipagc.net A 79.116.208.64
gshipagc.net A 79.116.238.223
gshipagc.net A 79.117.47.190
gshipagc.net A 79.117.50.50
gshipagc.net A 79.119.84.66
gshipagc.net A 79.119.221.125
gshipagc.net A 79.121.5.93
gshipagc.net A 79.163.225.101
gshipagc.net A 79.172.90.140
gshipagc.net A 79.184.33.30
gshipagc.net A 79.184.38.184
gshipagc.net A 79.184.130.17
gshipagc.net A 80.39.45.38
gshipagc.net A 80.52.178.202
gshipagc.net A 80.230.26.66
gshipagc.net A 80.230.31.39
gshipagc.net A 81.182.111.181
gshipagc.net A 81.183.31.21
gshipagc.net A 81.203.251.235
gshipagc.net A 81.213.222.21
gshipagc.net A 81.219.69.194
gshipagc.net A 82.131.226.111
gshipagc.net A 82.131.231.106
gshipagc.net A 82.131.231.242
gshipagc.net A 82.131.238.160
gshipagc.net A 82.131.239.163
gshipagc.net A 82.131.239.201
gshipagc.net A 83.5.57.90
gshipagc.net A 83.5.143.59
gshipagc.net A 83.5.167.82
gshipagc.net A 83.20.12.213
gshipagc.net A 83.20.46.109
gshipagc.net A 83.20.52.101
gshipagc.net A 83.20.55.77
gshipagc.net A 83.20.55.246
gshipagc.net A 83.20.67.87
gshipagc.net A 83.20.68.235
gshipagc.net A 83.20.146.51
gshipagc.net A 83.20.223.17
gshipagc.net A 83.20.248.183
gshipagc.net A 83.20.252.113
gshipagc.net A 83.22.183.174
gshipagc.net A 83.26.72.249
gshipagc.net A 83.27.43.21
gshipagc.net A 83.27.142.225
gshipagc.net A 83.27.167.249
gshipagc.net A 83.28.176.236
gshipagc.net A 83.28.187.39
gshipagc.net A 83.29.117.73
gshipagc.net A 83.29.160.208
gshipagc.net A 83.29.162.172
gshipagc.net A 83.29.173.16
gshipagc.net A 83.30.49.87
gshipagc.net A 83.31.57.196
gshipagc.net A 83.36.152.131
gshipagc.net A 83.40.246.173
gshipagc.net A 83.81.248.102
gshipagc.net A 83.165.190.86
gshipagc.net A 83.185.71.202
gshipagc.net A 83.185.81.119
gshipagc.net A 83.185.92.139
gshipagc.net A 83.219.10.173
gshipagc.net A 83.231.80.48
gshipagc.net A 83.231.81.31
gshipagc.net A 83.231.89.130
gshipagc.net A 84.2.194.238
gshipagc.net A 84.10.117.194
gshipagc.net A 84.10.213.53
gshipagc.net A 84.126.93.22
gshipagc.net A 84.126.93.168
gshipagc.net A 84.224.2.48
gshipagc.net A 84.224.14.60
gshipagc.net A 84.224.25.14
gshipagc.net A 84.224.70.220
gshipagc.net A 85.85.235.241
gshipagc.net A 85.97.31.153
gshipagc.net A 85.97.90.1
gshipagc.net A 85.100.78.40
gshipagc.net A 85.101.196.172
gshipagc.net A 85.101.221.137
gshipagc.net A 85.101.234.165
gshipagc.net A 85.102.82.55
gshipagc.net A 85.102.183.57
gshipagc.net A 85.107.250.163
gshipagc.net A 85.136.96.16
gshipagc.net A 85.136.129.219
gshipagc.net A 85.136.134.51
gshipagc.net A 85.136.135.18
gshipagc.net A 85.202.49.44
gshipagc.net A 87.97.13.72
gshipagc.net A 87.110.3.213
gshipagc.net A 88.9.153.107
gshipagc.net A 88.15.243.103
gshipagc.net A 88.16.213.107
gshipagc.net A 88.16.228.86
gshipagc.net A 88.22.101.19
gshipagc.net A 88.102.159.73
gshipagc.net A 88.109.26.47
gshipagc.net A 88.109.252.100
gshipagc.net A 88.110.15.224
gshipagc.net A 88.110.17.5
gshipagc.net A 88.156.39.27
gshipagc.net A 88.224.250.236
gshipagc.net A 88.226.100.135
gshipagc.net A 88.227.91.117
gshipagc.net A 88.229.151.23
gshipagc.net A 88.229.174.49
gshipagc.net A 88.232.227.193
gshipagc.net A 88.233.109.12
gshipagc.net A 88.234.12.172
gshipagc.net A 88.234.12.219
gshipagc.net A 88.234.91.8
gshipagc.net A 88.236.126.128
gshipagc.net A 88.238.243.171
gshipagc.net A 88.242.138.162
gshipagc.net A 88.242.158.138
gshipagc.net A 88.243.2.195
gshipagc.net A 88.243.35.77
gshipagc.net A 88.243.37.124
gshipagc.net A 88.243.96.173
gshipagc.net A 88.243.109.158
gshipagc.net A 88.243.152.69
gshipagc.net A 88.243.214.166
gshipagc.net A 88.243.247.96
gshipagc.net A 88.244.136.205
gshipagc.net A 88.244.137.96
gshipagc.net A 88.244.202.61
gshipagc.net A 88.251.17.45
gshipagc.net A 89.47.81.70
gshipagc.net A 89.132.5.171
gshipagc.net A 89.218.137.234
gshipagc.net A 89.229.198.123
gshipagc.net A 89.230.168.4
gshipagc.net A 90.151.113.165
gshipagc.net A 90.189.216.179
gshipagc.net A 91.39.249.167
gshipagc.net A 91.120.98.231
gshipagc.net A 91.120.123.20
gshipagc.net A 91.123.159.112
gshipagc.net A 91.124.234.82
gshipagc.net A 91.151.32.198
gshipagc.net A 92.8.211.0
gshipagc.net A 92.47.153.86
gshipagc.net A 92.47.153.145
gshipagc.net A 92.255.151.3
gshipagc.net A 93.80.176.137
gshipagc.net A 93.80.193.222
gshipagc.net A 93.100.252.207
gshipagc.net A 93.103.232.126
gshipagc.net A 93.105.219.198


In fact, at any one time, it occupies 5 different IP addresses. It doesn't seem to know what its own TTL ("time to live," = how frequently the records expire) is:
Quote:
;; ANSWER SECTION:
gshipagc.net. 1800 IN A 66.212.155.140
gshipagc.net. 1800 IN A 67.164.7.67
gshipagc.net. 1800 IN A 74.3.203.93
gshipagc.net. 1800 IN A 89.229.198.123
gshipagc.net. 1800 IN A 190.97.142.3

Quote:
;; ANSWER SECTION:
gshipagc.net. 972 IN A 190.97.142.3
gshipagc.net. 972 IN A 66.212.155.140
gshipagc.net. 972 IN A 67.164.7.67
gshipagc.net. 972 IN A 74.3.203.93
gshipagc.net. 972 IN A 89.229.198.123

Quote:
;; ANSWER SECTION:
gshipagc.net. 442 IN A 89.229.198.123
gshipagc.net. 442 IN A 190.97.142.3
gshipagc.net. 442 IN A 66.212.155.140
gshipagc.net. 442 IN A 67.164.7.67
gshipagc.net. 442 IN A 74.3.203.93

The shipping company website has been reported as part of an employment scam:
http://www.scamwarners.com/forum/viewtopic.php?f=10&t=3366&start=0

Oh, and by amazing coincidence, that shipping company has precisely the same number of container vessels and capacity as Mediterranean Shipping Co., SA, (mscgva.ch):
http://marinelink.com/en-US/News/Article/Mediterranean-Shipping-Co-Rate-Increase/329824.aspx


Top
 Profile  
 PostPosted: Thu Sep 10, 2009 9:40 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Whoever is reporting these domains is being extremely efficient. Not one of the 20 or so I've received over the past eight days has ever been live when the message was received.

I know Gar Warner was hot on the trail of this one so I would have to assume he's gotten the ear of whoever is still allowing these domain registrations to take place.

SiL


Top
 Profile  
 PostPosted: Thu Sep 10, 2009 4:07 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
A decent writeup on Dynamoo about this:

http://www.dynamoo.com/blog/2009/09/fak ... sages.html

He actually found one that was still up. :)

SiL


Top
 Profile  
 PostPosted: Thu Sep 10, 2009 6:11 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
spamislame wrote:
A decent writeup on Dynamoo about this:

http://www.dynamoo.com/blog/2009/09/fak ... sages.html

He actually found one that was still up. :)

SiL


That looks like it may be a different scam, with a much more elaborate spam text.


Top
 Profile  
 PostPosted: Thu Sep 10, 2009 7:20 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Ah, Dynamoo, what a great blog, been a while since I read it. :)


Top
 Profile  
 PostPosted: Fri Sep 11, 2009 9:58 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
AlphaCentauri wrote:
That looks like it may be a different scam, with a much more elaborate spam text.


Ohhh d'oh! You are correct.

Gar Warner's blog still stands as the most prolific research of these criminals.

SiL


Top
 Profile  
 PostPosted: Fri Sep 11, 2009 1:07 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
sil wrote:
Quote:
Gar Warner's blog still stands as the most prolific research of these criminals.
That is definitely the case. Speaking of Gar's blog, did you see the newest entry from 9/10?


Top
 Profile  
 PostPosted: Sat Sep 12, 2009 8:07 pm   
Spam Observer
User avatar

Joined: Thu Aug 14, 2008 3:48 pm
Posts: 79
meep wrote:
sil wrote:
Quote:
Gar Warner's blog still stands as the most prolific research of these criminals.
That is definitely the case. Speaking of Gar's blog, did you see the newest entry from 9/10?


Wow - dating from back to the CastleCops days and before. I wonder what the answer is to his question about whether one could trace the path from the phishing webs sites back to Nguyen?


Re: US IRS - I've heard that the group tasked with swatting IRS phish sites is *very aggressive*, and that's often why they come down so fast.


Top
 Profile  
 PostPosted: Sat Sep 12, 2009 10:04 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
Moike wrote:
Re: US IRS - I've heard that the group tasked with swatting IRS phish sites is *very aggressive*, and that's often why they come down so fast.


That's interesting -- I wonder how they go about it. A government agency can't just grab the drop file without a seach warrant the way a private phish investigator for a bank would do, at least not if the server is in the US. Perhaps they come down faster than other phish because they aren't leaving them up long enough to do investigation.


Top
 Profile  
 PostPosted: Mon Aug 02, 2010 6:00 pm   
Spam Muncher
User avatar

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
This one is impressive, it's faking (badly) the HM Revenue & Customs page and gives a choice of SEVEN banks to have your details stolen in connection with, they should remember that a bank in the hand is worth seven in the bush - http://www.squeakecleanblog.com/wp-incl ... portal.htm

Down already, not a surprise. Here's an image - http://www.flickr.com/photos/[email protected]/4854794931/

_________________
Ruffian antics are a wrench in society's gears


Top
 Profile  
 PostPosted: Tue Aug 03, 2010 2:47 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Benzyl wrote:
it's faking (badly) the HM Revenue & Customs page and gives a choice of SEVEN banks to have your details stolen
I liked Benzyl's review on SiteAdvisor http://www.siteadvisor.com/sites/squeakecleanblog.com/postid/?p=5006321#post5006321
Quote:
for the love of god please don't be as stupid as they seem to think you are!
That scam must have an easily obtainable kit. Phishtank reports about two new incidents of that same scam every day, usually involving 12 or 13 banks. A similar South African version typically contains the same four South African banks.

Here are some of the scammers' signatures left on a few of the UK scams

"CempLe
Indonesian Defacer"

"Fouad Mr Killer"

"FOUAd Mr Killer"

"HACKED BY AKINCILAR"

"lol...ebuka is here (CASHMONIBOX)"

(I hope that I didn't just set off any alarm bells.)

_________________
Home is where the heart is / No matter how the heart lives.


Top
 Profile  
 PostPosted: Fri Feb 18, 2011 2:04 pm   
Spam Muncher
User avatar

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
The HMRC PHISH has been getting quite a bit of airtime the last week or so, at the moment the accumulator is up to THIRTEEN banks to choose from, presumably because they're getting tired of spamming wrong 97% of the time generating easy and automatic disregards from prospective victims - http://www.flickr.com/photos/[email protected] ... otostream/

_________________
Ruffian antics are a wrench in society's gears


Top
 Profile  
 PostPosted: Fri Feb 18, 2011 9:36 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Benzyl wrote:
The HMRC PHISH [has] up to THIRTEEN banks to choose from ....
Soon after Benzyl's message was posted, the count jumped to fourteen.
http://screenshots.phishtank.com/phish_screenshots/1/1/1124411.gif
The two similar Santander logos shown in the screenshot are linked to different scam web pages, one for (the former) Abby bank and the other for Alliance & Leicester bank.

When I use to report this sort of HMRC phishing scam to phishtank.com, I saw up to seventeen banks targeted at the same time, sometimes including PayPal among the UK banks. A newly emerging version scammers' HMRC packages has a more attractive layout of the the bank logos.

_________________
Home is where the heart is / No matter how the heart lives.


Top
 Profile  
 PostPosted: Mon Feb 21, 2011 12:57 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Benzyl wrote:
The HMRC PHISH has been getting quite a bit of airtime the last week or so,
I don't remember ever seeing so many instances of that particular HMRC phishing scam reported to phishtank.com (and subsequently disabled) in a single day as is happening on Sunday, 20-FEB-2011.

_________________
Home is where the heart is / No matter how the heart lives.


Top
 Profile  
 PostPosted: Tue Mar 22, 2011 12:31 pm   
Spam Muncher
User avatar

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
I'm still getting the HMRC multiple choice emails from time to time but they seem to get shut down much faster than almost anything else, if I'm not on them within half an hour there's nothing to see. The last one, amusingly enough, was hosted at houstonmuslimsonline.com although the hoster spotted the beating I was giving it and killed their PHP privileges 'Your PHP settings have been disabled by an H-Sphere administrator' . Given that this was spammed as 'Tax Rabate of: Ј 144.79' they're only a few steps away from 'giv mi yor muny!!!' with a PO box they paid for using their moms credit card.

_________________
Ruffian antics are a wrench in society's gears


Top
 Profile  
 [ 20 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008