Home / Technology / Phishers are getting smarter: a tweaked IRS W-8 form is the proof

Phishers are getting smarter: a tweaked IRS W-8 form is the proof

Powered by Guardian.co.ukThis article titled “Phishers are getting smarter: a tweaked IRS W-8 form is the proof” was written by James Ball, for guardian.co.uk on Tuesday 12th March 2013 11.14 UTC

So-called “phishing” emails – messages aimed at stealing personal or financial information by spoofing – are a common menace on the internet, though one that’s usually easily dismissed: most are littered with typos, odd requests, or unconvincing sender email addresses. (The ones pretending to be from PayPal or Amazon, for example, never have your username from the site – because that’s the one detail the phishers don’t have. Watch out for it.)

But those adopting this form of attack, which grew out of the now notorious 419 emails which promise their targets a share of millions if they’ll just wire a few thousand as an “advance fee”, are getting increasingly sophisticated.

Take this email which fell into my inbox over the weekend, apparently from the US’s Internal Revenue Service (IRS). The “From” and “Reply-to” fields of the email had both been made to look as if they came from the appropriate irs.gov domain, and the body of the message was a correctly-spelled jumble of incomprehensible legalese – not far different from any genuine email from any tax authority the world over.

But it’s only in the PDF attachment (which was checked for viruses and other nasties before opening) that things get really interesting. The form is named and laid out almost exactly like a genuine IRS tax form – but with one particular section, Part II, normally headed “Claim of Tax Treaty Benefits” that would normally ask for banal questions about beneficial owners replaced with a series of far more detailed questions than the real tax authority would want to know (bank details, mother’s “median” [sic] name, passport number, and more).

The form also relied on being returned by fax, rather than email – doubtless a hassle for sender and recipient alike, but perhaps a good trick to engender some trust by adding a bureaucratic hurdle.

A reverse lookup on the number, +1-705-242-0430, on the fax initially suggests it’s a landline in Orillia, Ontario – but when you look more closely you discover that the number is assigned to Iristel, a Canadian VOIP provider. No doubt the phishers have hired the phone number which directs to a fax somewhere else in the world. From the pricing, it costs about $12 per month – chickenfeed if they catch even a single person and clean out their bank account. There’s no suggestion Iristel is involved in the scam. When the Guardian dialled the number, it did respond with a fax tone, though it may have been connecting to a virtual fax.

Still more intriguing to me, though, was whether this was a targeted attempt to phish me, rather than a generic attack sent to thousands of people – a practice known as “spear phishing” (geddit?). This is always tricky to pick up, but the signs in favour are firstly that my Guardian colleagues were not troubled by a similar email, and the form’s filename is specifically marked as “UK”.

The second is that the email was demanding details for those who had been in the US, needed to collect income or expenses, and been an alien on a non-resident visa. That isn’t a huge group for a wild goose chase, but is one which does happen to include me, as I spent four months in the US last year.

We’ve shared the phishing PDF in a document below, alongside the real IRS form it mimics, as an example of the growing elaboration of such attacks. If you’ve received similarly sophisticated attacks (or this one itself), please do let us know down in the comments – and if you’ve got the message text, so much the better.
Here’s the real form:

And now here’s the phishing version:

(Obviously, if you received the latter version and faxed the form off, contact your bank and credit card provider urgently.)

guardian.co.uk © Guardian News & Media Limited 2010

Published via the Guardian News Feed plugin for WordPress.