Taxation scammers open the batting for 2010

Taxation scammers have opened their 2010 innings with an email scam offering bogus tax refunds. It’s the usual trick: follow the links in the email to chase up the money you’re owed.

Bogus ATO refund

Subscribers to the Australian Government’s Stay Smart Online Alert Service will already have received an alert about the Aussie part of the scam, but Aussies aren’t the only ones being targeted. The scammers are simultaneously offering refunds in numerous other countries, including the UK, the USA, India and South Africa.

Scams targeting UK, US, IN, ZA

The email aimed at Australians links to a site which is off the air, so even incautious users who fall for the scam won’t actually end up on a phishing site; taxpayers in some of the other countries, however, might not be so lucky.

Indeed, digging into the South African flavour of the scam reveals an interesting social engineering trick, which I call “transitive phishing”.

Clicking on the link in the email takes you to a mock-up of the South African Revenue Service (SARS) website, as you might expect. But this is only a stepping stone in the scam, which explains that your refund will be paid into your bank account.

You are not asked to enter any personally identifiable information at this stage of the phish; instead, you are offered links to a range of major South African banks. If you choose one of the banks and click through, then you reach the second stage of the phish, which is a clone of your bank’s login page.

Many phishes fail very obviously because they invite you to click through to a bank with which you don’t even have an account. But in this case, you select your own bank, thus extending the potential reach of the scam. And many phishes fail because users are, at last, learning not to click through directly to banking sites from links in emails. But in this case, of course, you aren’t doing so. You left the email behind when you clicked through to the fake SARS page.

This is not a particularly subtle trick, but it does feel much more natural than clicking straight from an email into a banking site.

The fake (left) and real (right) login pages for one of the targeted South African banks are shown above. The clone site is a very realistic facsimile of the genuine page, right down to the security alert warning you that the bank “will never ask you to access internet banking through a link in an email.”

Nevertheless, the difference is obvious: the fake site is using plain old http; the genuine site is using a Secure Socket Layer (SSL) connection. Modern browsers highlight the use of SSL in the so-called chrome – the pixels which make up the browser’s own user interface components. (Embedding padlocks and related imagery in the content of a web page means nothing, so ignore any security indicators which are not part of the browser’s own property.)

Moral of the story: never allow yourself to be led to your bank’s website, no matter how believable the journey. Load up your browser and enter the URL yourself, by hand.

Never end up at your bank’s site; always start there.