Chinese domains behind a third of HMRC phishing scams, finds study
31 May 2019
Internet domains based in China form a third of the top thirty malicious domains that are being used by cyber criminals to impersonate HMRC and target taxpayers based in the UK using phishing emails that contain logos of HMRC and offer tax rebates.
Earlier this year, a report from Proofpoint revealed that during the tax filing season, cyber criminals created hundreds of thousands of fake websites that were designed to mimic the domains of official government tax-collection departments with the hope that taxpayers will type in their financial information on their fake sites.
According to Proofpoint researchers, to ensure that the phishing attempts remained undetected, fraudsters redirected victims to the official tax authority websites after stealing their credentials. As a result, many victims were likely unaware that they had just disclosed their tax information to phishers.
“Tax season presents a host of opportunities for cybercriminals to target individuals and organisations with seemingly urgent tax-related email lures and convincing spoofs of official branding for financial theft and fraud. These attacks often use social engineering techniques in subject lines, spoofed emails addresses, and decoy links that lead to the websites of legitimate global government tax offices,” said Kevin Epstein, Vice President of Threat Operations at Proofpoint.
A third of fraudulent domains are registered in China
A fresh study conducted by Corin Imai, senior security advisor at DomainTools, of the top 30 fraudulent domains that spoof HMRC’s domain has revealed that out of the thirty domains, ten are registered in China, ten have no registered country of origin, and two each are registered in the United States and in the UK.
Imai noted that cyber criminals and fraudsters use fake domain names that are very similar to genuine domains owned by government departments such as HMRC or the IRS. For instance, the domain hmrc-refund.co[.]uk was created with the purpose of sending fraudulent emails tricking individuals into thinking HMRC have been in contact to issue them with a tax rebate.
There are as many as 108 fake and fraudulent domains on the web that use the registered contact name “HM Revenue & Customs” in order to appear legitimate or to deceive taxpayers. Imai’s research also revealed that as many as 353 fake domains shared the same IP address, 80 of which were blacklisted and another 80 potentially being used for phishing, malware, or spam.
She noted that aside from targeting UK taxpayers by impersonating HMRC, regular spammers and cyber criminals are also domain-spoofing a large number of global organisations to defraud their customers and obtain their personal and financial information. These organisations include Apple, Google, RBC bank, Fedex, Fidelity and a number of other banks and financial services.
Last year, in an effort to prevent fraudsters from defrauding innocent taxpayers, HMRC removed as many as 20,750 malicious websites, many of which spoofed government sites to defraud taxpayers into revealing their financial information.
While HMRC was able to save more than £2.4 million by tackling fraudsters that tricked the public into using premium rate phone numbers for services that HMRC provided for free, it also implemented a verification system called DMARC that successfully stopped half a billion phishing emails from reaching customers.
HMRC domain-spoofing is here to stay
Despite HMRC cracking down on fake and fraudulent domains, Imai believes that the practice of domain-spoofing will not cease because of the ease with which cyber criminals can build new phishing websites and carry out large-scale phishing campaigns.
“Cybercrime is no different to other criminal activities; The bigger the better. The cybercriminals who run these scam websites may themselves not be part of larger cybercrime gangs or organisations, but the networks of malicious websites they have built mean they do not necessarily have to be.
“The ease with which phishing websites can be built, and the step-by-step guides available on the dark web as to how to carry out phishing campaigns mean that even relative amateurs can create vast networks of fraudulent websites.
“If one of these websites is blacklisted as we have seen above, there are still hundreds of others attempting to phish unwitting customers of some of the world’s largest brands and organizations. While HMRC scams are certainly the most visible scams in the UK, the tentacles of these cybercriminals spread much, much further,” she says.