This time, the Brits get free money!

A new UK focused spam run is hitting spam traps and inboxes this morning. In what has become standard phishing style and very similar to the Australian tax spam last month, this time it is the British who qualify for a “tax refund”.

 

The original spam mail (below) purports to come from Her Majesty’s Revenue & Customs, and promises the recipient a tax refund. It comes complete with the correct address of the Tax Credit Office in Preston, UK and a working telephone number for the tax credit helpline.hmrcmail

 

If the recipient is taken in by the email, an opens the suspiciously named (payment_form.pdf.html) attachment, they will be asked to surrender all the information necessary for credit card fraud, up to and including mother’s maiden name and CVV code (the numeric code printed on the back of the credit card).

Click to enlarge

Click to enlarge

 

The web form is based on an American template, which can be seen from the telephone number format, indeed a quick squint at the html code reveals that it is using style sheets imported from www.irs.gov. However the original email was created using Windows charset 1251, which is the character encoding designed to cover the Cyrillic alphabet, I’ll leave you to draw your own conclusions about the origin of the message.

 

 

Again, a brief look at the html code behind the web form will tell us exactly where your information would be going, and it certainly isn’t On Her Majesty’s Service.

htmlcode4 

 

At the time of writing, there is no server responding at this malicious destination. We have informed HMRC of this fraudulent email, for further information from HMRC, please see http://www.hmrc.gov.uk/security/spoofs.htm

 

Thanks to Rishi for sending me the original sample mail.

One thought on “This time, the Brits get free money!

  1. Pingback: This time, the Brits get free money! » Counter Measures « Jared Rimer’s Technology blog and podcast

Leave a Reply

Your email address will not be published. Required fields are marked *

*