Tuesday, September 25, 2007 1:49 PM
cmosby
McAfee Avert Labs Blog - $109.30 in 2 minutes … IRS refunds attack
$109.30 in 2 minutes … IRS refunds attack
Monday September 24, 2007 at 9:16 am CST
Posted by Chris Barton
Trackback
Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims $109.30 refund directly to their credit card for filling in an online form. How convenient 
Here is an XYZ-obscured list of domains currently in use.
10361irsfundXYZ.com
13031irsfundXYZ.com
1412irsfundXYZ.com
16268irsfundXYZ.com
17389irsfundXYZ.com
21817irsfundXYZ.com
34042irsfundXYZ.com
37903irsfundXYZ.com
39621irsfundXYZ.com
4331irsfundXYZ.com
49383irsfundXYZ.com
55005irsfundXYZ.com
59631irsfundXYZ.com
61819irsfundXYZ.com
66725irsfundXYZ.com
66731irsfundXYZ.com
7148irsfundXYZ.com
7685irsfundXYZ.com
77452irsfundXYZ.com
79463irsfundXYZ.com
84131irsfundXYZ.com
87655irsfundXYZ.com
91767irsfundXYZ.com
93181irsfundXYZ.com
93189irsfundXYZ.com
Example below:
As is usual these days for this sort of attack the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.
…There I go again, assuming THEY actually pay.
Oh while we’re on the subject F-Secure have a cute blog on using google to catch paypal phish. Note the “Results: 1-10″ … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps
Source: Computer Security Research - McAfee Avert Labs Blog
Filed under: Spam\Phishing