Before I proceed with this analysis, I would like to thank my friend who forwarded this mail.
So what does the mail contain?
This mail targets Indian users to steal their bank credentials using a tax refund scam. As this is the season for filing tax returns and receiving refunds from the Tax Department of India, cyber criminals use this period to steal money by fooling unsuspecting people.
Here is the screenshot of the mail:
In the above mail the sender has used the proper email address of the Tax Helpdesk, which made me think: what if it is not a scam but original? Then I researched the source header of the mail, which confirmed that this mail was not sent by the Tax Helpdesk and that it was sent from “webmail.kmf.it”.
Then it says the receiver of this mail is eligible for an amount which has to be claimed through an online form. The online form link points to a secured URL, “hxxps://220.127.116.11/fog.htm”, which uses an SSL connection and then redirects to a phishing site, “hxxp://taxrefundindias.com/iti/”, which imitates the Income Tax Department website.
The funniest part here is that the domain was registered on 26th of Jan 2010, which gives me 100% assurance that it is a phishing website. Moreover, this is a zero-day analysis for me, as I’ve analyzed it on the same day ;-)
The screenshot of the phishing page is given below:
When I clicked on the “Tax Refund Online Form” link, it took me to the next page, which asked me to enter my personal information and bank credentials.
When I entered junk information, the remote server did not validate whether the information was correct or wrong. Now let me check the network capture.
In the capture, “done.php” is responsible for receiving the stolen information, and it replies to the user with a URL which redirects to the legitimate Income Tax Department website, to make the user believe that they have submitted the tax returns form on the original site.
This analysis is not very technical, like traversing code, but I am doing such analysis to create awareness among people who are not too technical, trust such scam mails and become victims. Please follow a few precautionary steps before even entering your financial credentials. Spend some time researching and checking whether it is really legitimate or a scam. No company or institution will ask for your personal information without even registering you on the site. Also, a genuine mail will address you by your name if they have actually sent the mail to you.
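To make those checks concrete (comparing the originating host in the source header with the From: domain, spotting a link to a bare IP address, and looking at how recently the landing domain was registered), here is an added Python triage script that is not part of the original post. The mail is a constructed sample built from the post's indicators, the helpdesk address and the IP in the Received header are stand-ins, and REGISTRATION_DATES stands in for a real WHOIS lookup.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mail: the originating host, both links and the registration date come
# from the post; the addresses and IP in the Received header are stand-ins; links are defanged.
SAMPLE_MAIL = """\
Received: from webmail.kmf.it (webmail.kmf.it [192.0.2.10]) by mx.example.net
From: Income Tax Helpdesk <helpdesk@incometaxindia.example>
Content-Type: text/plain

Claim your refund: hxxps://220.127.116.11/fog.htm (redirects to hxxp://taxrefundindias.com/iti/)
"""
ANALYSIS_DATE = date(2010, 1, 26)  # the post's "same day" analysis
# Stand-in for a WHOIS creation-date lookup; only the post's domain is known here.
REGISTRATION_DATES = {"taxrefundindias.com": date(2010, 1, 26)}
URL_RE = re.compile(r"hxxps?://[^\s\"'<>)]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def originating_host(msg):
    """Host named in the earliest Received: header (the last one in header order)."""
    received = msg.get_all("Received") or []
    m = re.search(r"\bfrom\s+([\w.-]+)", received[-1]) if received else None
    return m.group(1).lower() if m else None

def sender_mismatch(msg):
    """True when the mail did not originate from a host under the From: domain."""
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    host = originating_host(msg)
    return host is not None and host != from_domain and not host.endswith("." + from_domain)

def suspicious_links(msg, today):
    """Map each defanged link in the body to the reasons it looks like phishing infrastructure."""
    flagged = {}
    for url in URL_RE.findall(msg.get_payload()):
        host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("link points at a bare IP address")
        registered = REGISTRATION_DATES.get(host)
        if registered is not None and (today - registered).days <= 30:
            reasons.append("domain registered %d days ago" % (today - registered).days)
        if reasons:
            flagged[url] = reasons
    return flagged

if __name__ == "__main__":
    msg = message_from_string(SAMPLE_MAIL)
    print(sender_mismatch(msg), suspicious_links(msg, ANALYSIS_DATE))
```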