Phishing gangs capitalize on upcoming UK government tax breaks

Filed Under: SophosLabs, Spam

This Saturday started quietly, as expected, so I had a chance to look at the BBC news headlines. One of today's headlines indicates that the UK Chancellor, Alistair Darling, is spending the weekend adding the finishing touches to a package of tax cuts and increased public spending that should help the economy get out of the recession as soon as possible.

Going back to analyse some of the latest spam messages, I came across this message, quite obviously not written by anybody from the government:

[Image: Directgov phish]

It is interesting to see how quickly phishing gangs, though admittedly not very skillfully, are catching up on the latest news. The recession has a definite impact on the type of spam messages we are seeing. Out with unique opportunities to make money from manipulating the values of penny stocks, in with helping people of my age group to cope with the difficulties of the credit crunch.

Following the link in the email lands the browser on a page somewhat unusual for phishing. The "government" wants to know more about me to determine how big a tax return I can get. It seems that men aged 31-35 are not included in the government giveaway this time, and I find it quite disappointing. This page could either be used to collect more information for identity theft, or simply to make the page look a bit more legitimate, which I think is more likely in this case.

[Image: Form1 Phishing]

When I briefly looked at the page source code, to make sure that there were no nasty surprises in the form of malicious JavaScript code, I could immediately see that the page was adapted in a rush from at least 2 other phishing kits. The first indicator is the page title "Robobank - Complete" (a misspelling of Rabobank). Further down in the HTML source, the style sheet is taken from another phishing target, The Farmers and Merchants Bank of Central California. Finally, the page footer contains the link to the corporate information page of Rabobank Americas.

If this phishing gang wants a higher return on their emails, they will have to improve the quality of their pages. They can still consider themselves the trend setters in the genre of government phishing, despite their unskillful work.
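The three leftovers described above (title, style sheet, footer link) can be checked automatically when triaging a suspected phishing page. The sketch below is an added example, not code from the original post or from SophosLabs; the brand watchlist, the `.example` hosts and the sample HTML are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Constructed watchlist; a real deployment would maintain its own keywords.
BRANDS = {"Directgov": ["directgov"], "Rabobank": ["rabobank"],
          "Farmers and Merchants Bank": ["fmbank"]}

class _Collector(HTMLParser):
    """Collects the places inspected in the post: title, style sheets, links."""
    def __init__(self):
        super().__init__()
        self.items, self._in_title = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self.items.append(("stylesheet", a.get("href") or ""))
        elif tag == "a" and a.get("href"):
            self.items.append(("link", a["href"]))
    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"
    def handle_data(self, data):
        if self._in_title and data.strip():
            self.items.append(("title", data.strip()))

def brand_of(text, threshold=0.85):
    """Return the brand whose keyword fuzzily matches a word in text, else None.
    Fuzzy matching catches misspellings such as 'Robobank' for 'Rabobank'."""
    for word in re.findall(r"[a-z]+", text.lower()):
        for brand, keywords in BRANDS.items():
            if any(SequenceMatcher(None, word, k).ratio() >= threshold for k in keywords):
                return brand
    return None

def kit_reuse_indicators(html, claimed_brand):
    """List (location, value, brand) for references to a brand other than the claimed one."""
    c = _Collector()
    c.feed(html)
    found = [(where, value, brand_of(value)) for where, value in c.items]
    return [f for f in found if f[2] and f[2] != claimed_brand]

# Constructed sample modelled on the page described above; hosts are placeholders.
SAMPLE = """<html><head><title>Robobank - Complete</title>
<link rel="stylesheet" href="https://fmbank.example/css/style.css"></head><body>
<div id="footer"><a href="https://rabobank.example/corporate-info">Corporate info</a></div>
</body></html>"""

if __name__ == "__main__":
    print(kit_reuse_indicators(SAMPLE, "Directgov"))
```

Any hit means the page carries markup belonging to a brand other than the one it claims to be, which is a strong sign of a recycled kit.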

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.