Cyber criminals domain-spoofing HMRC website to con UK taxpayers
3 April 2019
With the tax filing deadline fast approaching, cyber criminals are exploiting the occasion and are domain-spoofing the HMRC website to lure millions of taxpayers in the UK to share their personal and financial details, new research has found.
In July last year, HM Revenue and Customs (HMRC) announced that it had removed as many as 20,750 malicious websites in the previous 12 months to protect taxpayers from being defrauded by cyber criminals. These fake websites spoofed government sites to defraud taxpayers into revealing their financial information.
HMRC was also able to save more than £2.4 million by tackling fraudsters that tricked the public into using premium rate phone numbers for services that HMRC provided for free. It also implemented a verification system called DMARC that successfully stopped half a billion phishing emails from reaching customers.
A new technology that tagged phishing emails with ‘tags’ that suggested they were from HMRC and blocked such texts from reaching users also helped reduce the number of spoof HMRC-related texts by up to 90 percent. Despite these successes, HMRC didn’t claim victory over cyber criminals, stating that the battle was far from over and urging taxpayers to stay alert against financial scams in the days ahead.
“Genuine organisations like banks and HMRC will never contact people out of the blue to ask for their PIN, password or bank details. So people should never give out private information, download attachments, or click on links in emails and messages they weren’t expecting,” the department said.
Fraudsters spoofing HMRC website again to defraud taxpayers
According to a new report from Proofpoint, HMRC’s warnings turned out to be accurate: with the tax-filing deadline approaching, cyber criminals are creating hundreds of thousands of fake websites designed to mimic the domains of official government tax-collection departments, in the hope that taxpayers will type their financial information into the fake sites.
Cyber criminals are also using these fake websites as watering holes and infesting them with malware and credential-stealing trojans. One such malware is NetWire, a multiplatform RAT typically delivered via spammed email attachments that contain Microsoft Office files with embedded executables, including .jar files.
In order to lure taxpayers into downloading such malware-ridden Microsoft Office files, fraudsters are also using email subject lines that invoke a sense of urgency or create an air of legitimacy, such as “Notice of Outstanding Income Tax Demand”, “IRS Update for 1099 Employees”, or “Your IRAS 2018 Tax Report”.
According to Proofpoint researchers, to ensure that the phishing attempts remain undetected, fraudsters are also redirecting victims to the official tax authority websites after stealing their credentials. As a result, many victims were likely unaware that they had just disclosed their tax information to phishers.
“Tax season presents a host of opportunities for cybercriminals to target individuals and organisations with seemingly urgent tax-related email lures and convincing spoofs of official branding for financial theft and fraud. These attacks often use social engineering techniques in subject lines, spoofed email addresses, and decoy links that lead to the websites of legitimate global government tax offices.
“This year we observed a seasonal increase in a tax-specific trend that Proofpoint first identified in 2018, the distribution of a variety of remote access Trojans (RATs) including Orcus RAT, Remcos RAT, and NetWire. And they aren’t limited to the United States, we’ve recently observed threat actors targeting taxpayers in the UK, Australia, France, and Canada with these lures as well,” said Kevin Epstein, Vice President of Threat Operations at Proofpoint.
“As individuals finalise and file their taxes this year, it is critical that they treat unsolicited phone calls, text messages, social media posts, and emails with caution and follow up directly with tax organisations through trusted channels. We encourage security teams to adopt a people-centric cyber security approach to defend against socially engineered attacks and implement a security posture that caters to their most targeted (and vulnerable) individuals,” he added.