Scam Mail targeting Indian users “Tax Refund Online Form”

Written by traversecode on . Posted in Phishing Analysis

Before I proceed with this analysis, I would like to thank my friend who forwarded this mail.

So what does the mail contain?

This mail targets Indian users to steal bank credentials using a tax-refund scam. As this is the season for filing tax returns and receiving refunds from the Income Tax Department of India, cyber criminals use this period to steal money by fooling unsuspecting people.

Here is the screenshot of the mail:

[screenshot of the scam mail]

In the above mail the sender has used the proper email address of the Tax helpdesk, which made me wonder whether it might be genuine rather than a scam. I then examined the source headers of the mail, which confirmed that it was not sent by the Tax Helpdesk but from “webmail.kmf.it”.

The mail then says that the recipient is eligible for an amount which has to be claimed through an online form. The form link points to an HTTPS URL, “hxxps://216.127.158.251/fog.htm”, which is served over an SSL connection and then redirects to “hxxp://taxrefundindias.com/iti/”, a phishing site that imitates the Income Tax Department website.
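The two checks used above, tracing the originating relay in the Received headers and spotting a refund link that points at a bare IP address, can be automated. This is an added example, not code from the original post; the raw mail below is constructed, and only webmail.kmf.it and the fog.htm link come from the post, while every other address, hostname and IP is a placeholder.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample modelled on the scam mail described above. Only
# webmail.kmf.it and the fog.htm link come from the post; every other
# address, hostname and IP is a placeholder (RFC 5737 documentation ranges).
RAW_MAIL = """Received: from mx.example.net (mx.example.net [198.51.100.5])
\tby mail.example.net with ESMTP id XYZ789; Tue, 26 Jan 2010 10:00:02 +0000
Received: from webmail.kmf.it (webmail.kmf.it [203.0.113.10])
\tby mx.example.net with ESMTP id ABC123; Tue, 26 Jan 2010 10:00:00 +0000
From: "Tax Helpdesk" <helpdesk@tax-helpdesk.example>
To: victim@example.net
Subject: Tax Refund Online Form
Content-Type: text/plain

You are eligible for a refund. Claim it through the online form:
hxxps://216.127.158.251/fog.htm
"""

def origin_relay(msg):
    """Hostname in the bottom-most Received header, i.e. the first hop
    (each MTA prepends its line, so the last is the oldest). Hops below the
    lines your own MTAs added can be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+([\w.-]+)", received[-1])
    return match.group(1).lower() if match else None

def from_domain(msg):
    """Domain part of the visible From: address."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def analyse(raw):
    """Return a list of findings; an empty list means neither check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    hop, dom = origin_relay(msg), from_domain(msg)
    if hop and dom and hop != dom and not hop.endswith("." + dom):
        findings.append(f"origin relay {hop} does not belong to From domain {dom}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Accept the defanged hxxp(s):// form used in the post as well as real URLs.
    for url in re.findall(r"h(?:xx|tt)ps?://\S+", body):
        host = url.split("://", 1)[1].split("/", 1)[0]
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link {url} points at a bare IP address, not a domain")
    return findings
```

Running `analyse(RAW_MAIL)` on the sample returns both findings; a mail whose first hop sits under the From domain and whose link uses a hostname returns an empty list.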

The funniest part is that the domain was registered on 26th January 2010, which gives me 100% assurance that it is a phishing website. Moreover, this is a zero-day analysis for me, as I analyzed it on the same day ;-)

[screenshot]

A screenshot of the phishing page is given below:

[screenshot of the phishing page]

When I clicked the “Tax Refund Online Form” link, it took me to the next page, which asked me to enter my personal information and bank credentials.

[screenshot of the form asking for personal information and bank credentials]

When I entered junk information, the remote server did not validate whether it was correct or not. Now let me check the network capture.

[screenshot of the network capture]

In the capture, “done.php” receives the stolen information and replies with a URL that redirects the user to the legitimate Income Tax Department website, making the user believe they have submitted the tax refund form on the original site.

Conclusion:

This analysis is not as technical as traversing code, but I am doing it to create awareness among people who are not technical, trust such scam mails and become victims. Please follow a few precautionary steps before entering your financial credentials. Spend some time researching whether the site is really legitimate or a scam. No company or institution will ask for your personal information without first registering you on its site. Also, a genuine mail will address you by name if it was actually sent to you.


Comments (8)

  • Muslim Koser


    Hi Shiv,

    Nice analysis, just one suggestion, if you can put screenshots bigger it will help, as currently they are very small and on Zoom the contents are unreadable.

    Best
    MK


    • Shiv - Threat Research Analyst


      I thought the image would zoom in once you click on the images. But I’ve implemented the changes. Thank you Koser and thanks for the feedback.


  • Sujatha


    Nice post Siva, keep it up


  • Krishna


    Hi Siva,

    This is really superb, keep it up


  • loans


    I want to thank the blogger very much not only for this post but also for his all previous efforts. I found traversecode.com to be very interesting. I will be coming back to traversecode.com for more information.

