
The Anatomy of an Inland Revenue Phishing Expedition

Research and Analysis: Carl Windsor

1. Introduction

On Jan. 7, 2010, Fortinet was notified by a customer of a phishing e-mail being sent to UK e-mail addresses. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication [1]. The Inland Revenue provides guidance to protect against such fraud via their web site [2].

This particular attempt purported to be from the Inland Revenue, a common lure at this time of year, when television adverts are reminding people that the final date for online tax submissions is January 31. The basis of the e-mail was that the recipient was due a tax rebate of £865.24 and should complete the attached HTML form with their name, address, credit card details and so on. The refund was also time limited, with the instruction "Your verification form will only be valid only for 24 hours".

There is so much wrong with this that it should be obvious that it is a hoax, for example:

  • The Inland Revenue does not proactively give away money. The majority of people in the UK pay tax as they earn. Refunds are usually only given after an overpayment has been discovered and a claim has been made, and this applies to a small minority of taxpayers. Given the random nature of the e-mail it must be assumed that the majority of recipients had not made a claim and were not expecting a refund.
  • Refunds are not made to a credit card unless the payment was taken on that card in the first place. The Inland Revenue would request bank account details or send a cheque.
  • The Inland Revenue does not send out HTML forms for the user to complete; it would direct the user to its web site http://www.hmrc.gov.uk/index.htm and expect the user to register, receive a username and password through the post, and then log in over an encrypted connection.
  • Overpayments to the Inland Revenue can be claimed back for up to 6 years, so why limit the claim to 24 hours?
  • It is unlikely that the Inland Revenue even held the e-mail addresses of these users in the first place.

There are other wording issues in the e-mail, such as the phrase "after calculation of your fiscal activity". It is unlikely that the Inland Revenue would use such a phrase in a public e-mail, as "fiscal" is not commonly used in this context in the UK.

There were, however, some clever social engineering techniques used to convince the recipient of its validity and ultimately complete the form.

  • The e-mail appeared to come from service@hmrc.gov.uk, an official-looking address. Unfortunately, many people do not realise that the From: address of an e-mail is trivially forged and is not checked by the recipient's mail client, so a message can be made to appear to come from anyone.
  • The mail contained the recipient's "tax file number (TFN): 692553841 (See the tax privacy note in the Taxpayer's declaration on page 8 of your tax refund)". If the sender had access to this number it must be real? No: it is a made-up number and was the same in every e-mail sent out.
  • The 24-hour limitation was a clever move, as it forced the recipient into a spur-of-the-moment decision which they might not usually have made. It also took away the opportunity to discuss the matter with friends and family and get their opinion on whether it was a hoax (something which turned out to matter; see the later results on what action the phished users took).
  • Money. The offer of money is the incentive which catches people out in the majority of phishing attempts. In January 2010 everyone was feeling the effects of the credit crunch, amplified by the expense of the Christmas holidays, so an e-mail offering £865.24 was quite welcome.
  • In order to prevent the scam from being detected too quickly the victim was told "After completing the form allow us 5-9 business days in order to process it", i.e. don't contact the Inland Revenue until your account has already been compromised.
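The forged From: address is the first of those techniques, and the counter-measure is to look at the headers the sender cannot dress up so easily. The following is an added example, not code from the original article or from Fortinet: it parses a constructed message (the hosts other than hmrc.gov.uk are placeholders, and the message body is invented) and reports where the envelope sender, the delivering relay and the Message-ID disagree with the domain shown in From:.

```python
import email
import re
from email.utils import parseaddr

# Constructed message, not the e-mail from the incident. Like the phishing
# mail, the From: header claims service@hmrc.gov.uk, but the envelope sender
# (Return-Path), the relay that delivered it and the Message-ID all belong
# to an unrelated host (example-host.net is a placeholder).
SAMPLE_RAW = """Return-Path: <bounce@mail.example-host.net>
Received: from mail.example-host.net (mail.example-host.net [203.0.113.10])
    by mx.isp.example (Postfix) with ESMTP id 4F2A1B; Thu, 7 Jan 2010 02:13:44 +0000
From: "HM Revenue & Customs" <service@hmrc.gov.uk>
To: victim@isp.example
Subject: Tax Refund Notification
Message-ID: <20100107021344.8812@mail.example-host.net>
Content-Type: text/html

<html><body>After calculation of your fiscal activity ...</body></html>
"""

# Constructed counter-example whose headers are consistent with each other.
CONSISTENT_RAW = """Return-Path: <bounce@mail.example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.isp.example (Postfix) with ESMTP id 7C0D2; Thu, 7 Jan 2010 09:00:00 +0000
From: Alice <alice@example.org>
To: victim@isp.example
Subject: Lunch?
Message-ID: <abc123@mail.example.org>

See you at one.
"""


def domain_of(header_value):
    """Lower-cased domain of an address-like header (From, Return-Path,
    Message-ID), or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def relay_host(received_header):
    """Host named in the 'from' clause of a Received: header, i.e. the
    machine that handed the message to the receiving mail server."""
    m = re.match(r"\s*from\s+([\w.-]+)", received_header or "")
    return m.group(1).lower() if m else ""


def belongs_to(host, domain):
    """True when host is the domain itself or a sub-domain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def analyse_headers(raw_message):
    """Compare the domain shown in From: with the domains in the headers
    the sender cannot so easily fake. Returns (from_domain, findings);
    an empty findings list means the headers are consistent."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    evidence = {
        "Return-Path": domain_of(msg["Return-Path"]),
        "Received (relay)": relay_host(msg["Received"]),
        "Message-ID": domain_of(msg["Message-ID"]),
    }
    findings = [
        f"{name} points at {host}, not {from_domain}"
        for name, host in evidence.items()
        if host and not belongs_to(host, from_domain)
    ]
    return from_domain, findings


if __name__ == "__main__":
    sender, problems = analyse_headers(SAMPLE_RAW)
    print(f"From: claims {sender}; {len(problems)} inconsistent header(s)")
    for p in problems:
        print(" -", p)
```

Treat these mismatches as a prompt to look harder rather than as proof: bulk mailing services legitimately send with an envelope domain that differs from the From: domain. The authoritative signals are the SPF, DKIM and DMARC results the receiving server records in its Authentication-Results header, where the site operates them.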

The e-mail form was convincing as it had a similar look and feel to the Inland Revenue web site.


Figure 1: Phishing web page

In fact, that is no surprise, as the majority of the content was being pulled directly from the Inland Revenue web site itself.


Figure 2: Source of the page

However, if the user was thinking objectively at this point, there were again several things which should have set off alarm bells.

  • Why wasn't this critical information being sent securely over HTTPS?
  • If the Inland Revenue were really paying a refund to your credit card (unusual in the first place), why did they need your date of birth and mother's maiden name? To check your identity? Surely they would have been sure of that before sending the e-mail offering the refund?
  • This was a refund, so why was the credit card CVV number required? The CVV is only ever needed to take a payment from a card, never to pay money onto it.

The form also asked for the user's password. The phisher has probably assumed that a victim whose security knowledge is poor enough to respond to this attack is also likely to reuse one password across multiple systems, including the e-mail account to which the mail was sent.

A more technically savvy user might have spotted a few more unusual features in the page source. One piece of content not pulled from the Inland Revenue site was the set of Verified by Visa logos; as can be seen below, these were sourced from the web site of the UK retailer Argos.


Figure 3: Pulling in legitimate looking logos

The final giveaway in the code was the POST of the form data to a remote server.


Figure 4: POSTing the results

This server was a shared hosting server located in the US, which the Inland Revenue would be highly unlikely to use.
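The three things a savvy user would check in the page source (which hosts the content is loaded from, where the form posts to and over what scheme, and which fields it collects) can be automated. The following is an added example, not code from the original article or from Fortinet: it runs a small HTML audit over a constructed page modelled on the behaviour described above (the hosts other than www.hmrc.gov.uk are placeholders, and the markup is invented).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page source, not the actual phishing page: stylesheet and
# images are pulled from hmrc.gov.uk, one logo comes from a retailer, and
# the form POSTs the card details over plain HTTP to a third-party host.
CLAIMED_HOST = "www.hmrc.gov.uk"
SAMPLE_HTML = """<html><head>
<title>HM Revenue &amp; Customs: Tax Refund</title>
<link rel="stylesheet" href="http://www.hmrc.gov.uk/styles/main.css">
</head><body>
<img src="http://www.hmrc.gov.uk/images/logo.gif" alt="HMRC">
<img src="http://www.retailer.example/images/verified_by_visa.gif" alt="VbV">
<form method="post" action="http://shared-host.example/~tmp/refund.php">
 <input name="email"> <input name="cardholder">
 <input name="cardnumber"> <input name="cvv">
 <input name="vbv_password" type="password">
 <input type="submit" value="Submit">
</form></body></html>"""

# Substrings that mark a field as sensitive for a supposed refund form.
SENSITIVE_FIELDS = ("card", "cvv", "password", "pin", "maiden")


class PageAudit(HTMLParser):
    """Collect the hosts a page loads content from and where its forms go."""

    def __init__(self):
        super().__init__()
        self.resource_hosts = set()
        self.forms = []          # (method, action) per <form>
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # valueless attributes come through as None
        if tag in ("img", "script", "link", "iframe"):
            url = a.get("src") or a.get("href") or ""
            host = urlparse(url).netloc.lower()
            if host:
                self.resource_hosts.add(host)
        elif tag == "form":
            self.forms.append(((a.get("method") or "get").lower(),
                               a.get("action") or ""))
        elif tag == "input":
            self.input_names.append((a.get("name") or "").lower())


def audit_page(html, claimed_host):
    """Return the alarm bells a careful reader of the source should hear
    for a page that claims to belong to claimed_host."""
    parser = PageAudit()
    parser.feed(html)
    findings = []
    for method, action in parser.forms:
        target = urlparse(action)
        if target.netloc and target.netloc.lower() != claimed_host:
            findings.append(f"form {method.upper()}s to {target.netloc}, "
                            f"not {claimed_host}")
        if target.scheme == "http":
            findings.append("form submits over plain HTTP, not HTTPS")
    for host in sorted(parser.resource_hosts):
        if host != claimed_host:
            findings.append(f"content loaded from third-party host {host}")
    asked = sorted({n for n in parser.input_names
                    if any(k in n for k in SENSITIVE_FIELDS)})
    if asked:
        findings.append("form collects sensitive fields: " + ", ".join(asked))
    return findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, CLAIMED_HOST):
        print("-", finding)
```

The audit keys on the host the page claims to be; content loaded from that host is expected, while a form action or logo pointing anywhere else is exactly the kind of thing Figures 3 and 4 show.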

2. Inspecting the catch

While this mail was being caught by the Fortinet FortiMail system, the first step Fortinet took to protect customers was to create spam signatures matching the body and forms in the e-mail directly and push them out to the FortiGuard network. This quickly provided protection for all customers using the FortiGuard antispam signature service. The next step was to notify the hosting company and request that the server be taken down (which they did very quickly). While that was happening, the site was investigated and threw up some interesting information.

The phishers had failed to adequately secure their own systems and had left the directory structure browsable. This may have been deliberate, to allow the information stored there to be recovered easily at a later date, but it may also suggest that the scam was operated by someone with only elementary knowledge (which demonstrates just how easy it is to set up seemingly complicated scams).


Figure 5: Server listing

Within that directory structure was the file css.txt, which when examined contained several thousand records along the following lines:

    
    Bank Name: 
    
    Email: jesus@god.com
    CardHolder Name: Jesus Christ
    Date of Birth: 01/01/0000
    Mother Name: Mary
    Address: Bethlehem
    Debit/Credit Card Number: Do you think I am stupid.  Idiot phisher
    Expiration Date: 10/10
    Cvv: 666
    VBV: sdffasf
    [IP: 130.xx.xxx.xx | Date: Thu Jan 07, 2010 5:25 am ]
    

But amongst the obvious joke responses were what appeared to be hundreds of valid responses. A quick validation of the card numbers (checksum and issuer-prefix checks [3]) to exclude random digits, followed by de-duplication of the data, showed there to be 216 valid sets of data in the file. Once the relevant organisations had been made aware of the compromise, and the server had been decommissioned, Fortinet took the time to analyse this valuable source of information.
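The triage just described (parse the dump, drop anything whose card number fails the mod-10 checksum, de-duplicate on the card number) is mechanical enough to script. The following is an added example, not Fortinet's own tooling: it works on a constructed sample in the css.txt layout shown above, in which the first record is the joke entry from the page and the others are made up, using the well-known Visa and MasterCard test numbers rather than real cards. The prefix table follows the usual scheme rules (Visa 4, MasterCard 51-55, American Express 34/37), and card numbers are masked before anything is kept or printed.

```python
import re

# Constructed sample in the css.txt layout shown above. The first record is
# the joke entry from the page; the rest are invented, and the card numbers
# are standard test numbers, not real cards.
SAMPLE_CSS_TXT = """Bank Name: 

Email: jesus@god.com
CardHolder Name: Jesus Christ
Date of Birth: 01/01/0000
Mother Name: Mary
Address: Bethlehem
Debit/Credit Card Number: Do you think I am stupid.  Idiot phisher
Expiration Date: 10/10
Cvv: 666
VBV: sdffasf
[IP: 130.xx.xxx.xx | Date: Thu Jan 07, 2010 5:25 am ]

Bank Name: Example Bank

Email: j.bloggs@example.net
CardHolder Name: J Bloggs
Date of Birth: 12/04/1975
Mother Name: Smith
Address: 1 High Street, Anytown
Debit/Credit Card Number: 4111 1111 1111 1111
Expiration Date: 11/12
Cvv: 123
VBV: letmein
[IP: 192.0.2.10 | Date: Thu Jan 07, 2010 8:01 am ]

Bank Name: Example Bank

Email: j.bloggs@example.net
CardHolder Name: J Bloggs
Date of Birth: 12/04/1975
Mother Name: Smith
Address: 1 High Street, Anytown
Debit/Credit Card Number: 4111111111111111
Expiration Date: 11/12
Cvv: 123
VBV: letmein
[IP: 192.0.2.10 | Date: Thu Jan 07, 2010 8:03 am ]

Bank Name: Another Bank

Email: a.other@example.com
CardHolder Name: A N Other
Date of Birth: 30/09/1990
Mother Name: Jones
Address: 2 Station Road, Anytown
Debit/Credit Card Number: 5500 0000 0000 0004
Expiration Date: 03/13
Cvv: 321
VBV: qwerty
[IP: 198.51.100.7 | Date: Thu Jan 07, 2010 8:40 am ]

Bank Name: 

Email: nobody@example.org
CardHolder Name: Mickey Mouse
Date of Birth: 01/01/1928
Mother Name: Minnie
Address: Disneyland
Debit/Credit Card Number: 1234 5678 9012 3456
Expiration Date: 01/01
Cvv: 000
VBV: ha
[IP: 203.0.113.9 | Date: Thu Jan 07, 2010 9:15 am ]
"""

FIELD_RE = re.compile(r"^([A-Za-z/ ]+):\s*(.*)$")
TRAILER_RE = re.compile(r"^\[IP:\s*(\S+)\s*\|\s*Date:\s*(.*?)\s*\]$")


def parse_records(text):
    """Split the dump into one dict per submission; the '[IP: ... | Date: ... ]'
    line closes each record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TRAILER_RE.match(line)
        if m:
            current["IP"], current["Date"] = m.group(1), m.group(2)
            records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def luhn_valid(number):
    """Mod-10 (Luhn) checksum used by the major card schemes. Weeds out
    keyboard-mashing, but a deliberately constructed fake will pass it."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_scheme(pan):
    """Issuer identification by prefix and length."""
    if pan[:1] == "4" and len(pan) in (13, 16):
        return "Visa"
    if pan[:2] in ("51", "52", "53", "54", "55") and len(pan) == 16:
        return "MasterCard"
    if pan[:2] in ("34", "37") and len(pan) == 15:
        return "American Express"
    return "unknown"


def mask(pan):
    """Keep only the issuer prefix and last four digits of a validated PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(text):
    """Records with a plausible card number, one per distinct card."""
    kept, seen = [], set()
    for rec in parse_records(text):
        pan = re.sub(r"\D", "", rec.get("Debit/Credit Card Number", ""))
        if not luhn_valid(pan) or pan in seen:
            continue
        seen.add(pan)
        kept.append({"name": rec.get("CardHolder Name", ""),
                     "scheme": card_scheme(pan),
                     "card": mask(pan),
                     "date": rec.get("Date", "")})
    return kept


if __name__ == "__main__":
    for r in triage(SAMPLE_CSS_TXT):
        print(f"{r['date']}: {r['scheme']} {r['card']} ({r['name']})")
```

On the sample the joke entry and the mistyped number fall out at the checksum, the resubmitted Visa card collapses into one record, and two distinct cards remain, which is the same reduction the article describes from several thousand records down to 216.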

2.1 Compromised Accounts Over Time


Figure 6: Compromised Accounts Over Time

As can be seen from this graph, the phisher timed the attack well. It was sent late at night so that it would be in the victims' inboxes in the morning. The 24-hour time limit in the e-mail meant that victims responded quickly, so the phisher collected a great deal of information before the attempt was discovered [4] and the server shut down.

2.2 Compromised Accounts by Gender


Figure 7: Compromised Accounts by Gender

Not all of the submitted data could be broken down by gender; "J Bloggs", for example, is of indeterminate sex and was assigned to the unknown column. Ignoring the unknown column (assuming an equal mix of males and females within it), it is surprising that females were 20 percentage points more likely to be victims of this scam than males (actual breakdown 40% male / 60% female, i.e. three female victims for every two male). To explore this further, we broke the data down by gender and age.

2.3 Compromised Accounts by Sex and Age Range

The age ranges of under 21 and 21 to 35 were chosen deliberately. The under-21 category includes school leavers, young workers and university students, who are unlikely ever to have made a tax rebate claim. The cut-off of 35 was chosen as the upper age of the digital natives [5]. A digital native is a person for whom digital technologies already existed when they were born, and the assumption has been that a native, having been brought up on the technology, should be more skilled in operating it.


Figure 8: Compromised Accounts by Age and Gender

On initial viewing it appears that the digital immigrants in the 35 to 65 category were less likely to divulge the information. This may be due to their being older and wiser, but also simply to fewer people in this age category having personal e-mail addresses.

Although perhaps not immediately evident, the most shocking result is for the under-21 category. 22% of the compromised account details came from just a five-year age range (16 to 21, because credit/debit cards are not available to under-16s), as opposed to a 15-year range for the 21 to 35 year olds. The 16 to 21 age range consists of the digital natives brought up on internet technology, so it would be assumed that internet security would be second nature. It appears, however, that while computers and the internet are second nature to this age group, internet security is rarely taught and is instead learned over time, unfortunately often through experience.

Normalising for the size of each age range suggests the digital immigrants (35 to 65) are the least likely victims of internet fraud; however, females are the most likely to become victims in all three age ranges, by over 40% in the case of the under-21 and 35 to 65 age ranges.

3. Follow-up

In order to protect the compromised users and to gain some further insight into why these victims may have divulged such critical personal data, Fortinet called the victims on the list to warn them of the compromise and to recommend that they cancel their card. The range of responses was interesting. The most frequent response was an expletive followed by mild panic or even tears. The second most frequent was the stoic British stiff upper lip: showing no emotion but politely thanking the caller. Worryingly, 15% had an inkling that the site was a fake and went ahead with it anyway.

Over a quarter of the people spoken to at this point (less than 24 hours after the e-mail) had either realised it was a scam themselves or had told friends or relatives about their sudden good fortune, been put straight, and taken action to cancel their card.

There were still a few who did not believe this was a scam and insisted that they were going to receive the £865.24 despite the evidence produced. The favourite response during this exercise was the gentleman who insisted he be compensated immediately for the inconvenience of being scammed.

The victims were all asked what convinced them to divulge their details via this method, and the responses were not all that surprising (the totals do not add up to 100% as multiple reasons were given). Almost 80% said money was the biggest driver for responding to the e-mail, with the fact that the e-mail looked genuine and appeared to be from the Inland Revenue following close behind.

4. Conclusion

It is clear from this attack that it is human nature to divulge personal information, especially when the requester looks official and even more so when money is involved. It is also clear that internet security is not being adequately taught to the new generation of internet users, who are often learning from experience (work, colleagues) or the hard way.

Internet scammers know that a large number of internet users are unaware of these kinds of risks and play the numbers game, sending millions of these spam messages a day in the hope that a small percentage of people will fall for them. They also use social engineering techniques to hook the user (hence the term phishing), such as:

  • Customising the attack for a particular event (tax return month, Hurricane Katrina, the Super Bowl, etc.).
  • Making the mail look official.
  • Offering some form of financial gain to persuade the user (disaster/charity based attacks, which appeal to generosity instead, being the exception).

To protect yourself against such attacks, the following simple steps will help increase your awareness of internet security.

  • Run a firewall, antivirus and antispam solution on your PC. Fortinet is one of many vendors providing such solutions: http://www.fortinet.com/ . However, just because you have a security solution, don't think you can drop your guard.
  • Think before you open. If an e-mail gets past your antispam solution, don't assume it is safe. Think: are you expecting an e-mail from this person or organisation?
  • Just because an e-mail says it is from your bank/work/tax organisation/friend doesn't mean it is, exactly as with a letter through the door. The sender address can easily be forged.
  • Don't trust links. When you get a mail purporting to be from your bank, hover over the links and the real destination will usually be displayed in the bottom left-hand corner of the browser or mail client. Look for unusual characters, misspellings, a different domain name and so on; if you find any, it is most likely a hoax, e.g.

        www.eloay.com                         (fake ebay)
        www.h0tma1l.com                       (fake hotmail)
        barclaysbank.random.com               (fake banking site)
        192.168.233.2/www.bankofamerica.com   (fake banking site)

    Even better, avoid following links in unsolicited e-mails at all. Type the URL into the browser yourself or use a link from your bookmarks or favourites. When accessing secure sites such as your online banking, check that a lock is displayed next to the web site name (URL). The lock indicates that the data between the site and your browser is encrypted and that the site's certificate matches the name in the address bar; it does not by itself prove that the site is your bank, since a fraudster can obtain a certificate for a lookalike domain, so check the domain name as well.
  • If something looks too good to be true on the internet, it generally is. Nobody genuinely offers you free money, whether it is the Inland Revenue or a Nigerian prince who needs your bank details to get $4 million out of the country (minus your 5% cut, of course).
  • Never divulge your personal details unless you are 100% sure of the legitimacy of the requester and their site. If in doubt, stop, think, and call the requester on a number you already know to be theirs.
  • If you are a parent, don't assume that your children know more than you about the internet. This study shows that while the digital natives may be tech savvy, knowledge of internet security is something they are not as clued up on, and it is not being adequately taught. Common sense and security knowledge come with experience, so ensure that you pass this advice on.

1. http://en.wikipedia.org/wiki/Phishing
2. http://www.hmrc.gov.uk/security/index.htm
3. http://www.beachnet.com/~hstiles/cardtype.html
4. At least, they would have done, but the compromise had been reported to the card issuers and at this point the data would have been made worthless.
5. http://www.marcprensky.com/writing/Prensky%20-%20Digital%20Natives,%20Digital%20Immigrants%20-%20Part1.pdf