Tax season, the time of year you find out your filing system isn’t as organized as you thought and you’re left scrabbling around trying to find the necessary documents to submit your tax return.

That’s not to say we’re not given ample warning by HMRC, who send dozens of notifications via post, email, SMS and social media as well as other modes. HMRC do their best to fully inform taxpayers of upcoming deadlines, so much so that 94% of taxpayers file their taxes on time. But due to the comprehensiveness of their communications campaign, fraudsters have recognized the tax season as an opportunity to pry Personally Identifiable Information (PII) from people.

The problem is vast, and growing at an alarming rate. Wake Up to Money, a BBC Radio 5 program, reported that cases of HMRC scams neared 85,000 per month in 2018, compared with 70,000 per month in 2017.

HMRC has been tackling phishing emails, smishing and more recently cold calling by working with third parties to take down phishing sites and disconnect phone lines associated with scams.

The self assessment tax return deadline has been and gone (31st January), but there will undoubtedly be a few stragglers still submitting their returns; the Wandera Threat Research Team thought it would be opportune to discuss some of their phishy findings.

What did Wandera find about HMRC tax phishing?

The hypothesis was that after the tax deadline, there would be an increase in phishing sites dedicated to tax refunds / rebates.

Our data demonstrated this to be true.

Overall, there was an uptick in the number of tax-related phishing sites in March 2019 relative to previous months, with a higher proportion of these sites dedicated to tax refunds/rebates.

The danger of the tax rebate phishing sites is that they request PII (name, address, phone number, email) as well as credit card details to provide taxpayers their “refunds”.

With other regularly used sites, like Amazon and Google, targets of a phishing attack are likely to have a better understanding of the user experience and associated processes (checkouts, verification, etc.). However, self assessment tax returns come but once a year, so users are less likely to be familiar with the process and, therefore, more vulnerable to phishing.

And this is just for the online tax return. The UK tax system is notoriously opaque, which allows scammers to take advantage of the lack of public understanding.

The Technical Findings

Almost all the phishing sites found were using deeply nested subdomains (4th, 5th or 6th level):

online[.]hmrc[.]gov[.]uk[.]account[.]login[.]level7[.]co[.]in

The above domain is a good example of a URL structured for deception. Using online.hmrc.gov.uk as a series of deeper subdomains gives the impression that the site is in some way connected to the government body. URLs of this kind are particularly problematic on mobile devices, where the URL is cut off due to the size of the screen. If a user is browsing in a distracted state, it’s very easy for them to be deceived by this tactic.

The domains Wandera detected do not stem from a single source, but rather from a combination of known and unknown potentially malicious registrants—and not one of these was associated with any official government bodies.

The Wandera Threat Research Team also detected a number of zero-day threats throughout the course of its research (see Appendix).

It’s unlikely unwitting victims are typing these domains directly into their browsers, being served them on Google or stumbling across them on Facebook. So how are they navigating to these sites?

Email has been the bread and butter for phishers for a long time. The Government has a site dedicated to raising awareness of scams and provides examples, but our Threat Research Team has broken down a couple of HMRC phishing emails they spotted.

HMRC Phishing Emails

The example emails below aren’t necessarily connected with the aforementioned campaigns, but they do provide an idea of the tactics used by fraudsters to capture details.

Email 1

[Screenshot: HMRC phishing email 1]

The email sender in this case was OfficeOfTaxRefund-uniqueID-1349188736@cityftmyers[.]com, a seemingly gobbledegook address apart from the strategically placed ‘OfficeOfTaxRefund’ part at the start. However, ‘cityftmyers.com’ is the official domain of the city of Fort Myers, which may mean the sender address has been spoofed or the city’s email server has been compromised. Either way, the use of cityftmyers.com is likely intended to lend credibility to the phishing campaign.

In this particular email, there are a number of inconsistencies that raise red flags, such as the password-protected PDF with its password in plain text in the email, expiry dates that fail to match, the recipient being addressed by their email address rather than by name, and generally poor grammar.

If nothing else raises suspicion, the password-protected PDF (from an unknown sender) really should. The phishing links themselves are in the PDF, which contains 13 links pointing to various phishing pages:

  • secured[.]tax[.]refund[.]notification[.]placeholder[.]randyburg[.]com/home/external/
  • department-tax-refund-support-gov-uk[.]placeholder[.]randyburg[.]com/[.]govuk/
  • bgcnr[.]org/derere/logs/
  • getaway-hm-revenue-admin-refund[.]placeholder[.]randyburg[.]com/[.]gatukadm/snes/
  • tax-hm-revenue-govuk-refund[.]diamondmover[.]com/home/hukaep/
  • 0467245847056864790[.]is-an-accountant[.]com/wp-content/themes/zwaters/HM/
  • tax-secured-hm-revenue[.]refund[.]cchasports[.]com/[.]laieukw/vipei/
  • hm-access-revenue-support-uk[.]splashzonetx[.]com/[.]apuk/neuosp/
  • hm-tax-revenue-supp-on-adm-uk[.]pbmsim[.]com/[.]vkwuep/external/
  • usrmep-janeuox-demepqi-por-swnep[.]shadowasylum[.]net/[.]nvuka/external/
  • dep-secured-hmrev-uktax-onadm[.]shadowasylum[.]net/home/accmac/
  • japsep-cerep-snmape-btrecua-slmeq[.]shadowasylum[.]net/[.]brsuk/external/
  • mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net/[.]arstw/bropa/

Despite these links not being detected by other vendors, the domains themselves are known to be malicious, meaning that:

  • mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net

is not detected as phishing but:

  • shadowasylum[.]net

is known as a malicious domain.
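Two points from the findings above lend themselves to a concrete check: a hostname splits into the part the registrant actually owns (the registrable domain) and the labels to its left, which the registrant picks freely and which is where the fake online.hmrc.gov.uk prefix lives; and a lookup that keys on the registrable domain will catch a never-before-seen subdomain of shadowasylum[.]net even when the full hostname is unknown. The following is an added Python example, not Wandera's code: its suffix table is a hand-built stand-in for the Public Suffix List covering only the indicators on this page, the lure-token list is an assumption, and the blocklist holds only the shadowasylum[.]net domain named above. The sample hostnames are taken from this page's own lists.

```python
import re

# Simplified stand-in for the Public Suffix List, covering only the suffixes
# needed for the indicators on this page. Production code should load the
# full list (for example via the tldextract or publicsuffix2 packages).
PUBLIC_SUFFIXES = {
    "uk", "co.uk", "gov.uk", "in", "co.in", "au", "com.au",
    "com", "net", "org", "online", "services", "info", "tech", "tax",
}

# The only registrable domains entitled to carry HMRC branding.
LEGITIMATE = {"hmrc.gov.uk", "gov.uk"}

# Hostname tokens that signal an HMRC / tax-refund lure (assumed list).
LURE_TOKENS = {"hmrc", "hm", "revenue", "gov", "govuk", "tax", "refund", "rebate", "p60"}

# Registrable domains already known to be malicious. shadowasylum.net is the
# example from the write-up; a real feed would be much larger.
BLOCKLIST = {"shadowasylum.net"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hmrc[.]gov[.]uk' back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 (the part the registrant actually owns) for host."""
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'co.in' wins over 'in' and 'gov.uk' wins over 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def assess(indicator: str) -> dict:
    """Classify one hostname: who owns it, and why (if at all) it looks like a lure."""
    host = refang(indicator)
    labels = host.split(".")
    reg = registrable_domain(host)
    # Everything left of the registrable domain is chosen freely by the registrant.
    subdomain_depth = len(labels) - len(reg.split("."))
    lures = sorted(set(re.split(r"[.-]", host)) & LURE_TOKENS)

    reasons = []
    if reg in BLOCKLIST:
        reasons.append(f"registrable domain {reg} is on the blocklist")
    if reg not in LEGITIMATE and lures:
        reasons.append(f"lure tokens {lures} but registrable domain is {reg}, not gov.uk")
        if subdomain_depth >= 3:
            reasons.append(f"{subdomain_depth} subdomain labels push {reg} out of a mobile address bar")
    return {"host": host, "registrable": reg, "depth": subdomain_depth,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Indicators taken from the page's own lists, plus the genuine HMRC host.
    for ioc in [
        "online.hmrc[.]gov[.]uk.account[.]login[.]level7[.]co[.]in",
        "mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net",
        "hmrc[.]gov[.]uk-tax-return[.]leesons[.]com[.]au",
        "online.hmrc.gov.uk",
    ]:
        verdict = assess(ioc)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['host']}\n           owner: {verdict['registrable']}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

The shadowasylum[.]net subdomain carries no HMRC wording at all and is caught purely because the lookup happens on the registrable domain; the level7[.]co[.]in hostname is caught the other way round, with six registrant-chosen labels in front of a registrable domain that is not gov.uk. The genuine online.hmrc.gov.uk contains the same brand tokens but resolves to hmrc.gov.uk, so it passes.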

Email 2

[Screenshot: HMRC phishing email 2]

The email comes from noreply@hmrc-tax-gov[.]co.uk, a domain that has since been suspended by the registrar, but at face value it doesn’t look like a suspicious email address.

The email contains two phishing links masked as legitimate links, the first being:

  • xn--07aaa[.]xn--hmr-szc[.]xn--gv-fmc[.]uk

With the anchor text as:

  • ԝԝԝ.hmrσ[.]gоv[.]uk

On closer inspection, the anchor text contains look-alike characters in place of the www, the c and the o. The real hostname is the punycode (xn--) form above; the displayed text uses those substitute characters to disguise where the link actually goes.
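Decoding each xn-- label back to Unicode shows exactly what the anchor text is hiding, and a per-label script check flags the mixing of Latin with Cyrillic or Greek. The following is an added Python example, not part of the original post. Its confusables table is a hand-made, three-entry stand-in for the Unicode TR39 confusables data and covers only the characters in this link; the only input is the link from Email 2.

```python
import unicodedata

# Hand-made, three-entry confusables table (code point -> the ASCII letter it
# imitates), covering only the characters in this link. Production code should
# use the Unicode TR39 confusables.txt data set instead.
CONFUSABLES = {
    "\u051d": "w",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03c3": "c",  # GREEK SMALL LETTER SIGMA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}


def decode_ace_host(host: str) -> str:
    """Decode every A-label (xn--...) in host to its Unicode U-label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Rough script classification from the first word of the Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_report(label: str) -> dict:
    """Which scripts a label uses and which of its characters are non-ASCII."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    non_ascii = [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
                 for c in label if ord(c) > 0x7F]
    return {"label": label, "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1, "non_ascii": non_ascii}


def skeleton(text: str) -> str:
    """What the text looks like to a reader: known confusables folded to ASCII."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def analyse(host: str) -> dict:
    """Decode an IDN hostname and report what it displays as versus what it is."""
    unicode_host = decode_ace_host(host)
    labels = [label_report(lab) for lab in unicode_host.split(".")]
    return {
        "ace": host,
        "unicode": unicode_host,
        "looks_like": skeleton(unicode_host),
        # Any non-ASCII label deserves a second look; one mixing scripts even more so.
        "suspicious": any(r["mixed_script"] or r["non_ascii"] for r in labels),
        "labels": labels,
    }


if __name__ == "__main__":
    result = analyse("xn--07aaa.xn--hmr-szc.xn--gv-fmc.uk")  # the link from Email 2
    print("actual host :", result["ace"])
    print("decoded     :", result["unicode"])
    print("looks like  :", result["looks_like"])
    for r in result["labels"]:
        for ch, cp, name in r["non_ascii"]:
            mixed = "  (mixed script)" if r["mixed_script"] else ""
            print(f"  {r['label']!r}: {ch} {cp} {name}{mixed}")
```

Folding the confusables gives www.hmrc.gov.uk, which is what the anchor text wants the reader to see, while the decoded labels show a Cyrillic komi de three times, a Greek sigma standing in for the c, and a Cyrillic o inside gov. The registrable domain of the real link is xn--gv-fmc.uk, a .uk registration that has nothing to do with gov.uk.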

There are two instances of another link embedded in the PDF:

[Screenshot: HMRC tax phishing PDF]

  • hmrc-tax-goverment[.]roomsurance[.]com/?lbs

This link is known to be phishing and this particular domain is related to a known malicious PDF.

But email isn’t the only form of delivery; there are also text messages.

HMRC Smishing

SMS phishing or smishing is a form of attack exclusive to mobile devices, one that is often overlooked, but not by HMRC…

HMRC has been working with various partners to put a halt to smishing campaigns by identifying ‘tags’ that suggest texts are from HMRC and preventing them from being delivered, leading to a 90% reduction in spoofing reports.

Nevertheless, there is still that 10% of texts that slip through the net and wind up on taxpayers’ devices, potentially posing a threat. We’ve found a few HMRC smishing examples in the wild:

How to protect against HMRC tax phishing?

As always, there are general rules of thumb that need to be applied when looking out for phishing scams. HMRC has a microsite dedicated to helping taxpayers identify phishing scams as well as providing contact details for reporting them. They’re also pretty explicit about what they do and do not send people, and emails about tax rebates are among the things they do not send:

It is very tempting to act on an email that is offering free money, especially when you feel you’re due a tax rebate. Don’t let your eagerness get the better of you; consult HMRC directly.

Appendix

Subset of some of the tax refund domains detected by Wandera:

  • govuk[.]hmrc[.]online[.]refund[.]form[.]p60[.]ref5300655[.]f0rm60[.]com
  • govuk[.]hmrc[.]online[.]refund[.]form[.]refp60[.]121[.]ecetdirectuk[.]com
  • hmrc[.]pendingrefund[.]online
  • hm-revukgovrefunds[.]com
  • gov1[.]tax-refund[.]services
  • hmrevenue[.]pendingrefund[.]online
  • hmrevenueuk[.]pendingrefund[.]online
  • hmrevenueuk[.]servicerefund[.]info
  • gov[.]uk[.]secure[.]refundform[.]ref678432[.]bigtechbintulu[.]tech
  • irs-refund[.]kusseverler[.]com
  • refund-gov-uk[.]tax
  • refund-overpayment-process[.]berryspells[.]com
  • hmrc[.]gov[.]uk-tax-return[.]leesons[.]com[.]au
  • online[.]hmrc[.]gov[.]uk[.]account[.]login[.]level7[.]co[.]in
  • gov[.]uk-money-and-tax-self-assessment[.]migorengasik[.]org
  • hm[.]online[.]gov[.]uk[.]tax-refund[.]cont-gover[.]hakmnews[.]com
  • gov[.]uk-hmrc-warns-on-tax-refund[.]desc666[.]co[.]uk
  • gov[.]uk-hmrc-warns-on-tax-refund[.]wfkrqdgz[.]net
  • gov[.]uk[.]tax[.]refund[.]application[.]balajipipe[.]in
  • department-tax-refund-support-gov-uk[.]placeholder[.]randyburg[.]com
  • secured[.]tax[.]refund[.]notification[.]placeholder[.]randyburg[.]com
  • refund-hmrc-tax-support-admin[.]placeholder[.]randyburg[.]com
  • gov[.]uk[.]tax[.]refund[.]online[.]ssl[.]eldwa[.]com
  • hmrc[.]gov[.]uk[.]yardy[.]net
  • refund-form[.]hmrc[.]gov[.]uk[.]21371623786123618237681273[.]kenmayercpa[.]com
  • refund-form[.]hmrc[.]gov[.]uk[.]21371623786123618237681273[.]zondatec[.]com
  • hmcustoms[.]gov[.]uk[.]claims-tax-refunde[.]overview[.]oxuns[.]net
  • onlinetaxrefundsystemverification[.]victoriahaneveer[.]com
  • taxrefundonlineverificationsubmit[.]timbuchinger[.]com
  • taxrefundonlineverificationsystems[.]dealingwithautism[.]org
  • gov[.]co[.]uk-tax-return-application-hm-rc-p60-form-secure-login[.]gov[.]uk[.]desproj[.]com
  • gov[.]uk[.]hm[.]revenue[.]tax[.]return[.]application[.]securessl[.]thejournalists[.]org
  • gov[.]uk[.]personal-tax-account-hmrc-refund[.]profileipsodopa[.]com
  • gov[.]uk[.]personal-tax-account-hmrc-refund[.]support291[.]com