Phishing campaigns abusing the name of the UK’s HMRC (tax office) are familiar to us here at Forcepoint X-Labs. What should a user be looking for when they encounter such an email? Or indeed, what should an automated or machine learning system look for in the same email? As you build user awareness programs across your employee base it’s always useful to have recent examples, so we dissect an example below.
You Have A Tax Refund
During a research project for detecting phishing attacks using machine learning (ML) we came across something weird. It all started with an email that claimed “You Have A Tax Refund.”
Obviously, it felt like “phishing” right from the beginning so we started to investigate.
Here's what the original email looked like:
Numerous things made us suspicious about the email:
- The sender (HMRC) is from the domain hm.com (H&M). H&M does not give tax refunds or grants, they are a clothing business.
- Subject versus email body: A tax refund and getting a grant – is that really the same? The subject of the email does not reflect the content of the email body.
- Links: Let’s have a look at the “Check Eligibility” hyperlink. This points us to “hxxps://neebank.com/wp-content/upgrade/xml.php”, which does not point to the HMRC or the official UK government site. If we check this URL in a safe environment, we get redirected to a banking site called NEEbank. There are some suspicious elements as well.
- The title of the main page is “Page not found | NEEbank,” however it seems to have a lot of content and functional links.
- The Login and Register buttons when clicked take us to an unsecure (HTTP) site.
- We haven’t heard about NEEbank until now.
- There are two additional icons that resemble Facebook and Twitter logos, however, they both point to “hxxps://www.bankofireland.com” – not to any social media site.
A fake bank or not
We started to wonder: if someone had deployed a legitimate-looking banking site for this grant/tax-refund scheme (one that we were sure was phishing), what was the real pitch? Cybercriminals are always after data, credentials or PII. Could it be that you need to register with the bank to obtain the grant, and while at it you also have to prove your ID or provide some other personal details?
More from the same sender
The “from” field of the email was “email@example.com”, so it was time to have a look at the history: what else might have come from this same “identity”, which we had blocked already? This led us to other domains that similar emails pointed to, but upon further checking we didn’t see anything phishing-related. Expanding the search even more to find all senders and all subjects in this category finally resulted in success. The data we found indicated that this scam initially started with emails being spammed out as “You have a grant for 3650GBP.” The sender was “firstname.lastname@example.org” and this time an attachment, “GrantForm.html”, was also present.
The “GrantForm.html” looks like this:
If you fill in the requested inputs and hit the continue button, your data would be on its way to “hxxps://equistrain.souqwaqif.qa/.well-known/send.php” and out of your control. This site is currently located in the United States city of Chicago; again, not something we would expect the UK government to use. The data above would include a wide set of your PII, such as name, national insurance number, unique taxpayer reference, passport number, employer, date of birth, address and so on.
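The warning signs listed earlier (a sender domain that does not match the claimed brand, links that leave the official site) and the "GrantForm.html" form that posts to a third-party host can all be checked automatically. The following Python sketch is an added example, not Forcepoint's detection logic; it assumes genuine HMRC hosts sit under gov.uk, the indicator names are hypothetical, and the sample message is constructed with reserved .example hosts.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND, OFFICIAL = "hmrc", "gov.uk"  # assumption: genuine HMRC hosts sit under gov.uk
KIND = {"a": "link_off_brand", "form": "attachment_form_off_brand"}

class TargetParser(HTMLParser):  # collects (tag, url) for <a href> and <form action>
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get({"a": "href", "form": "action"}.get(tag, ""))
        if url:
            self.targets.append((tag, url))

def off_brand_host(url):
    """Return the URL's host if outside the official suffix, else None."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed bracketed host
        return None
    return None if not host or ("." + host).endswith("." + OFFICIAL) else host

def triage(raw):
    """Return (indicator, host) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = off_brand_host("//" + addr.rpartition("@")[2])
    findings = [("sender_brand_mismatch", domain)] if BRAND in display.lower() and domain else []
    for part in msg.walk():
        html = part.get_content() if part.get_content_type() == "text/html" else ""
        parser = TargetParser()
        parser.feed(html)
        for tag, url in parser.targets:
            host = off_brand_host(url)
            if host and (tag == "a" or part.get_filename()):  # forms only in attachments
                findings.append((KIND[tag], host))
    return findings

def sample(sender, link, action):
    """Constructed message for testing; pass reserved .example hosts."""
    m = EmailMessage()
    m["From"] = sender
    m.set_content("You have a grant.")
    m.add_alternative(f'<a href="{link}">Check Eligibility</a>', subtype="html")
    m.add_attachment(f'<form action="{action}"></form>', subtype="html", filename="GrantForm.html")
    return m.as_bytes()
```

The subject-versus-body mismatch from the list is not covered here; it needs content comparison rather than header and URL parsing.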
More of the same attachment
When we started looking for other emails having a “GrantForm.html” present, we found tons of them sent with varying subject-lines and senders. Investigation of these emails broadened the search once again, and we ended up running into two similar sites that also hosted this particular phishing kit. When we actually examined them, we couldn’t find any phishing related activities. So, what is going on here?
The answers come from a historic scan from urlscan.io:
Here we found that the URL in question did host the phishing kit similar to the embedded HTML (GrantForm.html) we saw in most of the emails. By exploring urlscan.io data deeper, we can see that the “xml.php” would post the stolen data to the “Finish.php” on the same server.
As with any successful attack, the operators need to keep evolving to stay under the radar. Just recently the cybercriminals behind this campaign incorporated some new changes into their “GrantForm.html” and email properties.
The modified “GrantForm.html” sends the collected data to a new domain, “hxxps://bibliotecabayer.org.ar/wp-admin/js/send.php”. Visiting the site in a safe environment results in the expected redirection, this time to “hxxps://logintype166.com/excelz/excelz/index.php”, which is an active phishing site.
Once victims insert their personal data and hit “Continue” it will take them to this page:
A few seconds later they will finally arrive at the official UK government DVLA page like nothing special had ever happened.
Nothing new – it is WordPress
Some of the redirections seem to have been removed since, but there is one thing in common: all sites that had the phishing kit redirect were using WordPress. We therefore assume these sites have been hacked using one of the known (or 0-day) vulnerabilities in WordPress.
WordPress is a well-known platform that hosts a huge variety of applications, but it’s also a common target of cybercriminals due to its popularity and security issues. We highly advise companies using WordPress to constantly update their platform to prevent exploitation and avoid running into the problems we described earlier in this blog.
Phishing attempts similar to the one we described above are nothing new. In these challenging times people might make decisions faster or differently than they normally would. Cybercriminals are especially counting on this behaviour when they spam out emails with financially promising content. Whenever you receive such an email, make sure you always take the time to validate the sender and the actual content before committing to any action.
Forcepoint customers are protected against this threat at the following stages of attack:
Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
- “You Have A Tax Refund”
- “Helping you during this covid from government”
- “You have a grant for 3650GBP”
- “You have a grant for 3,650GBP”
- “You have a grant”
- “NHSBT WARNING – possible suspect email: Helping you during this covid from government”
- “Your account”