Phish spoofing US Internal Revenue Service

Phishing operations, including perpetrators, how to report them and get them shut down.


Postby AlphaCentauri » Wed Sep 09, 2009 7:37 pm

Taxpayer ID: myname-bunchofnumbersUS
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: myname-bunchofnumbersUS

Internal Revenue Service


The phish domain it links to, hyg12zk.eu, has already been shut down.
But who.is has record of its IP address, 84.126.93.168.
Searching for other domains sharing the same address, I find
gshipagc.com A 84.126.93.168
168.93.126.84.in-addr.arpa PTR 84.126.93.168.dyn.user.ono.com
02fgu145501.cn A 84.126.93.168
keule557.cn A 84.126.93.168
sdfsdf23423455jkjg.cn A 84.126.93.168
gshipagc.net A 84.126.93.168


Picking one and checking gshipagc.net, it appears to just be a shipping company (hmmm, sounds familiar). But if you go a step further and see what IP addresses that domain has occupied recently, you get a rather long list:
gshipagc.net A 24.42.26.101
gshipagc.net A 24.136.214.23
gshipagc.net A 24.139.153.207
gshipagc.net A 58.8.22.135
gshipagc.net A 58.8.22.237
gshipagc.net A 58.8.25.219
gshipagc.net A 58.8.29.249
gshipagc.net A 58.9.33.71
gshipagc.net A 58.9.35.30
gshipagc.net A 59.91.203.57
gshipagc.net A 59.94.241.181
gshipagc.net A 59.94.247.166
gshipagc.net A 59.94.251.141
gshipagc.net A 59.95.226.244
gshipagc.net A 59.161.145.50
gshipagc.net A 61.90.105.44
gshipagc.net A 61.90.105.185
gshipagc.net A 62.68.98.163
gshipagc.net A 62.68.98.172
gshipagc.net A 62.80.180.11
gshipagc.net A 62.80.180.44
gshipagc.net A 62.248.11.180
gshipagc.net A 62.248.11.216
gshipagc.net A 66.212.155.140
gshipagc.net A 67.164.7.67
gshipagc.net A 67.230.47.228
gshipagc.net A 71.92.202.74
gshipagc.net A 74.3.203.93
gshipagc.net A 76.208.149.68
gshipagc.net A 77.22.125.13
gshipagc.net A 77.78.42.41
gshipagc.net A 77.239.70.110
gshipagc.net A 77.239.71.249
gshipagc.net A 77.253.15.109
gshipagc.net A 77.254.134.179
gshipagc.net A 77.254.193.88
gshipagc.net A 77.254.201.167
gshipagc.net A 78.37.230.200
gshipagc.net A 78.106.120.13
gshipagc.net A 78.106.186.159
gshipagc.net A 78.109.252.199
gshipagc.net A 78.131.46.220
gshipagc.net A 78.166.71.118
gshipagc.net A 78.169.12.54
gshipagc.net A 78.175.218.224
gshipagc.net A 78.177.251.105
gshipagc.net A 78.182.174.158
gshipagc.net A 78.183.228.174
gshipagc.net A 79.109.144.180
gshipagc.net A 79.116.207.32
gshipagc.net A 79.116.208.64
gshipagc.net A 79.116.238.223
gshipagc.net A 79.117.47.190
gshipagc.net A 79.117.50.50
gshipagc.net A 79.119.84.66
gshipagc.net A 79.119.221.125
gshipagc.net A 79.121.5.93
gshipagc.net A 79.163.225.101
gshipagc.net A 79.172.90.140
gshipagc.net A 79.184.33.30
gshipagc.net A 79.184.38.184
gshipagc.net A 79.184.130.17
gshipagc.net A 80.39.45.38
gshipagc.net A 80.52.178.202
gshipagc.net A 80.230.26.66
gshipagc.net A 80.230.31.39
gshipagc.net A 81.182.111.181
gshipagc.net A 81.183.31.21
gshipagc.net A 81.203.251.235
gshipagc.net A 81.213.222.21
gshipagc.net A 81.219.69.194
gshipagc.net A 82.131.226.111
gshipagc.net A 82.131.231.106
gshipagc.net A 82.131.231.242
gshipagc.net A 82.131.238.160
gshipagc.net A 82.131.239.163
gshipagc.net A 82.131.239.201
gshipagc.net A 83.5.57.90
gshipagc.net A 83.5.143.59
gshipagc.net A 83.5.167.82
gshipagc.net A 83.20.12.213
gshipagc.net A 83.20.46.109
gshipagc.net A 83.20.52.101
gshipagc.net A 83.20.55.77
gshipagc.net A 83.20.55.246
gshipagc.net A 83.20.67.87
gshipagc.net A 83.20.68.235
gshipagc.net A 83.20.146.51
gshipagc.net A 83.20.223.17
gshipagc.net A 83.20.248.183
gshipagc.net A 83.20.252.113
gshipagc.net A 83.22.183.174
gshipagc.net A 83.26.72.249
gshipagc.net A 83.27.43.21
gshipagc.net A 83.27.142.225
gshipagc.net A 83.27.167.249
gshipagc.net A 83.28.176.236
gshipagc.net A 83.28.187.39
gshipagc.net A 83.29.117.73
gshipagc.net A 83.29.160.208
gshipagc.net A 83.29.162.172
gshipagc.net A 83.29.173.16
gshipagc.net A 83.30.49.87
gshipagc.net A 83.31.57.196
gshipagc.net A 83.36.152.131
gshipagc.net A 83.40.246.173
gshipagc.net A 83.81.248.102
gshipagc.net A 83.165.190.86
gshipagc.net A 83.185.71.202
gshipagc.net A 83.185.81.119
gshipagc.net A 83.185.92.139
gshipagc.net A 83.219.10.173
gshipagc.net A 83.231.80.48
gshipagc.net A 83.231.81.31
gshipagc.net A 83.231.89.130
gshipagc.net A 84.2.194.238
gshipagc.net A 84.10.117.194
gshipagc.net A 84.10.213.53
gshipagc.net A 84.126.93.22
gshipagc.net A 84.126.93.168
gshipagc.net A 84.224.2.48
gshipagc.net A 84.224.14.60
gshipagc.net A 84.224.25.14
gshipagc.net A 84.224.70.220
gshipagc.net A 85.85.235.241
gshipagc.net A 85.97.31.153
gshipagc.net A 85.97.90.1
gshipagc.net A 85.100.78.40
gshipagc.net A 85.101.196.172
gshipagc.net A 85.101.221.137
gshipagc.net A 85.101.234.165
gshipagc.net A 85.102.82.55
gshipagc.net A 85.102.183.57
gshipagc.net A 85.107.250.163
gshipagc.net A 85.136.96.16
gshipagc.net A 85.136.129.219
gshipagc.net A 85.136.134.51
gshipagc.net A 85.136.135.18
gshipagc.net A 85.202.49.44
gshipagc.net A 87.97.13.72
gshipagc.net A 87.110.3.213
gshipagc.net A 88.9.153.107
gshipagc.net A 88.15.243.103
gshipagc.net A 88.16.213.107
gshipagc.net A 88.16.228.86
gshipagc.net A 88.22.101.19
gshipagc.net A 88.102.159.73
gshipagc.net A 88.109.26.47
gshipagc.net A 88.109.252.100
gshipagc.net A 88.110.15.224
gshipagc.net A 88.110.17.5
gshipagc.net A 88.156.39.27
gshipagc.net A 88.224.250.236
gshipagc.net A 88.226.100.135
gshipagc.net A 88.227.91.117
gshipagc.net A 88.229.151.23
gshipagc.net A 88.229.174.49
gshipagc.net A 88.232.227.193
gshipagc.net A 88.233.109.12
gshipagc.net A 88.234.12.172
gshipagc.net A 88.234.12.219
gshipagc.net A 88.234.91.8
gshipagc.net A 88.236.126.128
gshipagc.net A 88.238.243.171
gshipagc.net A 88.242.138.162
gshipagc.net A 88.242.158.138
gshipagc.net A 88.243.2.195
gshipagc.net A 88.243.35.77
gshipagc.net A 88.243.37.124
gshipagc.net A 88.243.96.173
gshipagc.net A 88.243.109.158
gshipagc.net A 88.243.152.69
gshipagc.net A 88.243.214.166
gshipagc.net A 88.243.247.96
gshipagc.net A 88.244.136.205
gshipagc.net A 88.244.137.96
gshipagc.net A 88.244.202.61
gshipagc.net A 88.251.17.45
gshipagc.net A 89.47.81.70
gshipagc.net A 89.132.5.171
gshipagc.net A 89.218.137.234
gshipagc.net A 89.229.198.123
gshipagc.net A 89.230.168.4
gshipagc.net A 90.151.113.165
gshipagc.net A 90.189.216.179
gshipagc.net A 91.39.249.167
gshipagc.net A 91.120.98.231
gshipagc.net A 91.120.123.20
gshipagc.net A 91.123.159.112
gshipagc.net A 91.124.234.82
gshipagc.net A 91.151.32.198
gshipagc.net A 92.8.211.0
gshipagc.net A 92.47.153.86
gshipagc.net A 92.47.153.145
gshipagc.net A 92.255.151.3
gshipagc.net A 93.80.176.137
gshipagc.net A 93.80.193.222
gshipagc.net A 93.100.252.207
gshipagc.net A 93.103.232.126
gshipagc.net A 93.105.219.198


In fact, at any one time, it occupies 5 different IP addresses. It doesn't seem to know what its own TTL ("time to live," = how frequently the records expire) is:
;; ANSWER SECTION:
gshipagc.net. 1800 IN A 66.212.155.140
gshipagc.net. 1800 IN A 67.164.7.67
gshipagc.net. 1800 IN A 74.3.203.93
gshipagc.net. 1800 IN A 89.229.198.123
gshipagc.net. 1800 IN A 190.97.142.3

;; ANSWER SECTION:
gshipagc.net. 972 IN A 190.97.142.3
gshipagc.net. 972 IN A 66.212.155.140
gshipagc.net. 972 IN A 67.164.7.67
gshipagc.net. 972 IN A 74.3.203.93
gshipagc.net. 972 IN A 89.229.198.123

;; ANSWER SECTION:
gshipagc.net. 442 IN A 89.229.198.123
gshipagc.net. 442 IN A 190.97.142.3
gshipagc.net. 442 IN A 66.212.155.140
gshipagc.net. 442 IN A 67.164.7.67
gshipagc.net. 442 IN A 74.3.203.93

The shipping company website has been reported as part of an employment scam:
http://www.scamwarners.com/forum/viewtopic.php?f=10&t=3366&start=0

Oh, and by amazing coincidence, that shipping company has precisely the same number of container vessels and capacity as Mediterranean Shipping Co., SA (mscgva.ch):
http://marinelink.com/en-US/News/Article/Mediterranean-Shipping-Co-Rate-Increase/329824.aspx
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am
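The two steps the post performs by hand, pivoting from one IP to every other name that has resolved to it and then looking at how many unrelated networks a name's address history spans, can be scripted. The Python below is an added example, not code from the post or from who.is, and it embeds the records quoted above (the long A-record history shortened) as a constructed sample; the function names, the `DYNAMIC_TOKENS` list and the thresholds are assumptions. One point of DNS background the script relies on: the three dig answer sections above show the TTL counting down (1800, 972, 442) because a caching resolver reports the remaining lifetime of its cached copy, so the largest value seen is taken as the configured TTL, and the verdict rests on the address spread rather than on the TTL alone.

```python
"""Added example (not code from the forum post): pivot on a shared IP and
profile a name's address history for fast-flux traits. Sample data is the
who.is / dig output quoted in the post, abbreviated; thresholds are assumptions."""
import ipaddress
import re

# Constructed passive-DNS style table of (name, rtype, rdata), copied from the
# records quoted in the post; the long A-record history is shortened.
RECORDS = [
    ("hyg12zk.eu", "A", "84.126.93.168"),
    ("gshipagc.com", "A", "84.126.93.168"),
    ("02fgu145501.cn", "A", "84.126.93.168"),
    ("keule557.cn", "A", "84.126.93.168"),
    ("sdfsdf23423455jkjg.cn", "A", "84.126.93.168"),
    ("gshipagc.net", "A", "84.126.93.168"),
    ("gshipagc.net", "A", "24.42.26.101"),
    ("gshipagc.net", "A", "58.8.22.135"),
    ("gshipagc.net", "A", "66.212.155.140"),
    ("gshipagc.net", "A", "67.164.7.67"),
    ("gshipagc.net", "A", "74.3.203.93"),
    ("gshipagc.net", "A", "88.243.2.195"),
    ("gshipagc.net", "A", "93.105.219.198"),
    ("168.93.126.84.in-addr.arpa", "PTR", "84.126.93.168.dyn.user.ono.com"),
]

# Constructed: two of the three dig answer sections quoted in the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
gshipagc.net. 1800 IN A 66.212.155.140
gshipagc.net. 1800 IN A 67.164.7.67
gshipagc.net. 1800 IN A 74.3.203.93
gshipagc.net. 1800 IN A 89.229.198.123
gshipagc.net. 1800 IN A 190.97.142.3

;; ANSWER SECTION:
gshipagc.net. 972 IN A 190.97.142.3
gshipagc.net. 972 IN A 66.212.155.140
"""

# Matches 'name. ttl IN A a.b.c.d' as dig prints it.
DIG_A_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d+(?:\.\d+){3})$")

# Assumption: tokens that commonly mark consumer/dynamic reverse names.
DYNAMIC_TOKENS = ("dyn", "dsl", "pool", "user", "cable", "ppp")


def parse_dig_answers(text):
    """Return (name, ttl, ip) for every A record line in dig output."""
    rows = []
    for line in text.splitlines():
        m = DIG_A_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def cohosted(records, ip):
    """Names that have resolved to `ip` (the pivot the post does by hand)."""
    return sorted({n for n, t, r in records if t == "A" and r == ip})


def ptr_name(ip):
    """Reverse-map name for an IPv4 address, e.g. 168.93.126.84.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def looks_dynamic(records, ip):
    """True if the PTR for `ip` carries a token suggesting a dynamic pool."""
    rev = ptr_name(ip)
    for n, t, r in records:
        if t == "PTR" and n == rev and any(tok in r.lower() for tok in DYNAMIC_TOKENS):
            return True
    return False


def flux_profile(records, dig_text, domain):
    """Summarise how widely `domain`'s addresses are spread.

    Fast-flux names cycle through compromised residential hosts, so their
    addresses land in many unrelated /16s; a multi-homed legitimate site
    usually stays within a few. ttl_max is the largest TTL seen, since a
    cache reports the remaining lifetime rather than the configured one.
    """
    ips = {r for n, t, r in records if t == "A" and n == domain}
    ttls = []
    for n, ttl, ip in parse_dig_answers(dig_text):
        if n == domain:
            ips.add(ip)
            ttls.append(ttl)
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    profile = {
        "ip_count": len(ips),
        "prefix16_count": len(prefixes),
        "ttl_max": max(ttls) if ttls else None,
        "dynamic_ptr_seen": any(looks_dynamic(records, ip) for ip in ips),
    }
    # Assumed thresholds: at least five addresses, nearly all in distinct /16s.
    profile["fast_flux_suspected"] = (
        profile["ip_count"] >= 5
        and profile["prefix16_count"] >= 0.8 * profile["ip_count"]
    )
    return profile


if __name__ == "__main__":
    print(cohosted(RECORDS, "84.126.93.168"))
    print(flux_profile(RECORDS, DIG_OUTPUT, "gshipagc.net"))
```

Against the sample, the pivot returns the six names the post lists for 84.126.93.168, and the profile for gshipagc.net shows ten addresses in ten different /16s with a dynamic-looking PTR, which is the pattern worth flagging for a name that claims to be a single shipping company. Real passive-DNS data would replace the constructed `RECORDS` table; the `/16` grouping is a rough stand-in for ASN lookups, which would separate hosting ranges from residential ones more reliably.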

Re: Phish spoofing US Internal Revenue Service

Postby spamislame » Thu Sep 10, 2009 9:40 am

Whoever is reporting these domains is being extremely efficient. Not one of the 20 or so I've received over the past eight days has ever been live when the message was received.

I know Gar Warner was hot on the trail of this one so I would have to assume he's gotten the ear of whoever is still allowing these domain registrations to take place.

SiL
spamislame
Site Admin
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Phish spoofing US Internal Revenue Service

Postby spamislame » Thu Sep 10, 2009 4:07 pm

A decent writeup on Dynamoo about this:

http://www.dynamoo.com/blog/2009/09/fak ... sages.html

He actually found one that was still up. :)

SiL
spamislame

Re: Phish spoofing US Internal Revenue Service

Postby AlphaCentauri » Thu Sep 10, 2009 6:11 pm

spamislame wrote:A decent writeup on Dynamoo about this:

http://www.dynamoo.com/blog/2009/09/fak ... sages.html

He actually found one that was still up. :)

SiL


That looks like it may be a different scam, with a much more elaborate spam text.
AlphaCentauri

Re: Phish spoofing US Internal Revenue Service

Postby meep » Thu Sep 10, 2009 7:20 pm

Ah, Dynamoo, what a great blog, been a while since I read it. :)
meep
Spammers' Nightmare
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Phish spoofing US Internal Revenue Service

Postby spamislame » Fri Sep 11, 2009 9:58 am

AlphaCentauri wrote:That looks like it may be a different scam, with a much more elaborate spam text.


Ohhh d'oh! You are correct.

Gar Warner's blog still stands as the most prolific research of these criminals.

SiL
spamislame

Re: Phish spoofing US Internal Revenue Service

Postby meep » Fri Sep 11, 2009 1:07 pm

sil wrote:
Gar Warner's blog still stands as the most prolific research of these criminals.
That is definitely the case. Speaking of Gar's blog, did you see the newest entry from 9/10?
meep

Re: Phish spoofing US Internal Revenue Service

Postby Moike » Sat Sep 12, 2009 8:07 pm

meep wrote:sil wrote:
Gar Warner's blog still stands as the most prolific research of these criminals.
That is definitely the case. Speaking of Gar's blog, did you see the newest entry from 9/10?


Wow - dating from back to the CastleCops days and before. I wonder what the answer is to his question about whether one could trace the path from the phishing web sites back to Nguyen?


Re: US IRS - I've heard that the group tasked with swatting IRS phish sites is *very aggressive*, and that's often why they come down so fast.
Moike
Spam Observer
Posts: 79
Joined: Thu Aug 14, 2008 3:48 pm

Re: Phish spoofing US Internal Revenue Service

Postby AlphaCentauri » Sat Sep 12, 2009 10:04 pm

Moike wrote: Re: US IRS - I've heard that the group tasked with swatting IRS phish sites is *very aggressive*, and that's often why they come down so fast.


That's interesting -- I wonder how they go about it. A government agency can't just grab the drop file without a search warrant the way a private phish investigator for a bank would do, at least not if the server is in the US. Perhaps they come down faster than other phish because they aren't leaving them up long enough to do investigation.
AlphaCentauri

Re: Phish spoofing US Internal Revenue Service

Postby Benzyl » Mon Aug 02, 2010 6:00 pm

This one is impressive, it's faking (badly) the HM Revenue & Customs page and gives a choice of SEVEN banks to have your details stolen in connection with, they should remember that a bank in the hand is worth seven in the bush - http://www.squeakecleanblog.com/wp-incl ... portal.htm

Down already, not a surprise. Here's an image - http://www.flickr.com/photos/97717414@N00/4854794931/
Ruffian antics are a wrench in society's gears
Benzyl
Spam Muncher
Posts: 889
Joined: Wed Jan 03, 2007 10:19 am
Location: North Britain

Re: Phish spoofing US Internal Revenue Service

Postby NotBuyingIt » Tue Aug 03, 2010 2:47 am

Benzyl wrote:it's faking (badly) the HM Revenue & Customs page and gives a choice of SEVEN banks to have your details stolen
I liked Benzyl's review on SiteAdvisor http://www.siteadvisor.com/sites/squeakecleanblog.com/postid/?p=5006321#post5006321
for the love of god please don't be as stupid as they seem to think you are!
That scam must have an easily obtainable kit. Phishtank reports about two new incidents of that same scam every day, usually involving 12 or 13 banks. A similar South African version typically contains the same four South African banks.

Here are some of the scammers' signatures left on a few of the UK scams

"CempLe
Indonesian Defacer"

"Fouad Mr Killer"

"FOUAd Mr Killer"

"HACKED BY AKINCILAR"

"lol...ebuka is here (CASHMONIBOX)"

(I hope that I didn't just set off any alarm bells.)
Home is where the heart is / No matter how the heart lives.
NotBuyingIt
Spammer Killing Machine
Posts: 612
Joined: Sun Jun 13, 2010 5:22 pm

Re: Phish spoofing US Internal Revenue Service

Postby Benzyl » Fri Feb 18, 2011 2:04 pm

The HMRC PHISH has been getting quite a bit of airtime the last week or so, at the moment the accumulator is up to THIRTEEN banks to choose from, presumably because they're getting tired of spamming wrong 97% of the time generating easy and automatic disregards from prospective victims - http://www.flickr.com/photos/97717414@N ... otostream/
Ruffian antics are a wrench in society's gears
Benzyl

Re: Phish spoofing US Internal Revenue Service

Postby NotBuyingIt » Fri Feb 18, 2011 9:36 pm

Benzyl wrote:The HMRC PHISH [has] up to THIRTEEN banks to choose from ....
Soon after Benzyl's message was posted, the count jumped to fourteen.
http://screenshots.phishtank.com/phish_screenshots/1/1/1124411.gif
The two similar Santander logos shown in the screenshot are linked to different scam web pages, one for (the former) Abby bank and the other for Alliance & Leicester bank.

When I used to report this sort of HMRC phishing scam to phishtank.com, I saw up to seventeen banks targeted at the same time, sometimes including PayPal among the UK banks. A newly emerging version of the scammers' HMRC packages has a more attractive layout of the bank logos.
Home is where the heart is / No matter how the heart lives.
NotBuyingIt

Re: Phish spoofing US Internal Revenue Service

Postby NotBuyingIt » Mon Feb 21, 2011 12:57 am

Benzyl wrote:The HMRC PHISH has been getting quite a bit of airtime the last week or so,
I don't remember ever seeing so many instances of that particular HMRC phishing scam reported to phishtank.com (and subsequently disabled) in a single day as is happening on Sunday, 20-FEB-2011.
Home is where the heart is / No matter how the heart lives.
NotBuyingIt

Re: Phish spoofing US Internal Revenue Service

Postby Benzyl » Tue Mar 22, 2011 12:31 pm

I'm still getting the HMRC multiple choice emails from time to time but they seem to get shut down much faster than almost anything else, if I'm not on them within half an hour there's nothing to see. The last one, amusingly enough, was hosted at houstonmuslimsonline.com although the hoster spotted the beating I was giving it and killed their PHP privileges 'Your PHP settings have been disabled by an H-Sphere administrator' . Given that this was spammed as 'Tax Rabate of: £ 144.79' they're only a few steps away from 'giv mi yor muny!!!' with a PO box they paid for using their moms credit card.
Ruffian antics are a wrench in society's gears
Benzyl
