Adventures in Spam Land: Phishing Attempt Allegedly From “IRS.com”

Legal Disclaimer:
The article below describes my attempts to understand the origin of a fraud attempt made against my organization this morning. The article is not meant to defame any legitimate businesses whose domains may have been spoofed by a third party.

This article is for information/entertainment purposes only, and is provided “as is” without warranty of any kind! Any links or references to external sites are publicly available and provided solely for the convenience of the reader.

All third party content in this article is property of its respective copyright holders. I am not affiliated with any of the sites linked, and make no guarantees or warranties pertaining to these sites or their contents.

It’s tax season again, and for information security professionals, it means a whole slew of new phishing and identity theft attempts!

This morning, “webmaster@irs.com” sent 13 emails to my organization to advise the recipients that our tax appeal was rejected. Of those attempts, 3 got through before the Bayesian spam filter kicked in and blocked the rest.

Dear business tax payer, 

Hereby you are informed that your Tax Return Appeal id#0565677 has been DECLINED.  If you believe the IRS did not properly assess your case due to a misunderstanding of the situation, be ready to clarify and support your position. You can access the rejection report and re-submit your appeal by using the following link Online Tax Appeal [link omitted].

Internal Revenue Service 

 

Telephone Assistance for Businesses:

Toll-Free, 1-800-XXX-XXXX
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

Just for fun, I decided to see how far down the rabbit hole leads:

Source IP: 87.120.210.83 (Host in Bulgaria)

Domain Registrar Information for irs.com:

Registration Service Provided By:
DOTTED VENTURES
Contact: +1.4159629700
Website: http://www.dottedventures.com
Domain Name: IRS.COM

Registrant:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014


Domain servers in listed order:
ns10.dnsmadeeasy.com
ns11.dnsmadeeasy.com
ns12.dnsmadeeasy.com
ns13.dnsmadeeasy.com
ns14.dnsmadeeasy.com
ns15.dnsmadeeasy.com

Administrative Contact:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014

Billing Contact:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014

As it turns out, irs.com is an HTTP redirect to banks.com/taxes.

At the very bottom of the page, they made it a point to put in the following disclaimer:

“This site is in no way associated with or endorsed by the United States Treasury Department or the Internal Revenue Service.”

 

Instead of putting it in plain text, it was actually an image with the ALT text description, “Disclaimer.” The only reason I can think of that someone would want to do that is to omit it from search engine spidering, but I would be hard pressed to think of a legitimate reason why a business would try to obfuscate the contents of a disclaimer like that!

There’s also a Better Business Bureau logo at the bottom. I went to bbb.org expecting to find a slew of fraud complains. Instead, I found that they’ve actually got an A+ rating!

Questionable SEO choices notwithstanding, I won’t speculate further on the legitimacy of Banks.com, Inc, but I will contact the proper authorities (the IRS) and let them sort it out.

Next steps:

The best thing to do with an email claiming to be from the IRS is to forward it to phishing@irs.gov. The IRS’ information security team will review it and take further action from there. 

Leave a Reply

Your email address will not be published.