A Petty Blog

9. September 2009

IRS Notice of Underreported Income

Filed under: Spam — Darin @ 18:31

I only see the rare spam that gets through all the filters on Gmail and my company’s Exchange server. This one gave me a start - I did have a complicated return last year, and this year will be even worse.

From: Internal Revenue Service [mailto:no-reply@irs.gov]
Sent: Tuesday, May 05, 2015 9:59 PM
To: Doe, John
Subject: Notice of Underreported Income

Taxpayer ID: john.doe-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: john.doe-00111174073547US

Internal Revenue Service

It startled me just for a second.  It has all the clues one needs to avoid being duped.

  • It’s an email.  The IRS just doesn’t work that way.
  • It’s an email to my company address.  The IRS doesn’t work that way.
  • It wants me to click something.  No legitimate business works that way these days.
  • As a bonus, check out the Sent date - apparently, I will be evading my taxes six years from now!

The URL is http://www.irs.gov.hyu11hep.eu/fraud_application/directory/statement.php?email=john.doe@company.com&tid=john.doe-00111174073547US

  • This URL is clearly bogus. Remember, addresses read right to left: top-level domain (.com, .gov, etc.), then the domain. Everything to the left of that is optional and flexible. So, this one is “stuff” at hyu11hep.eu. Again, not as expected for the IRS.
  • Everything after the “?” is input passed to the program that renders the page, so the name, email, and supposed taxpayer ID can all be echoed back to you.
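
The right-to-left reading described above, as an added example that is not part of the original post: it pulls the host out of a link, reduces it to the registrable domain, and flags a trusted name that appears only as subdomain decoration. The function names and the short multi-label suffix list are assumptions for illustration; production code should consult the full Public Suffix List.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: a tiny constructed list of multi-label public suffixes.
# Real code should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.au"}


def registrable_domain(host):
    """Read the host right to left: public suffix, then the one label before it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def inspect_link(url, expected_domain):
    """Compare where a link really goes with where the message claims it goes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    matches = host == expected or host.endswith("." + expected)
    # The trusted name is present in the host, but only as leading labels
    # in front of somebody else's domain.
    decorated = host.startswith(expected + ".") or ("." + expected + ".") in host
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "matches_expected": matches,
        "lookalike_prefix": (not matches) and decorated,
        # Query parameters the page can echo back to look personalised.
        "query": dict(parse_qsl(parts.query)),
    }


if __name__ == "__main__":
    # The URL quoted in the post above.
    sample = ("http://www.irs.gov.hyu11hep.eu/fraud_application/directory/"
              "statement.php?email=john.doe@company.com"
              "&tid=john.doe-00111174073547US")
    for key, value in inspect_link(sample, "irs.gov").items():
        print(f"{key}: {value}")
```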

As always, Google is your friend.  Search for a couple of key words “hyu11hep.eu fraud_application” and you get a telling scorecard - PhishTank, Malware Domain List, abuse.ch ZeuS Tracker.

Here’s a screenshot courtesy of PhishTank.  As a final insult, the instructions are to download and execute your tax return.

1 Comment »

  1. Wow thanks for clearing that up man
    I just got one of these, looked pretty fishy to me given that they sent it to an address that I’ve never provided to the IRS

    Comment by James — 9. September 2009 @ 19:18
