Tuesday, September 25, 2007 1:49 PM cmosby

McAfee Avert Labs Blog - $109.30 in 2 minutes … IRS refunds attack

 

Monday September 24, 2007 at 9:16 am CST
Posted by Chris Barton

Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims a $109.30 refund directly to their credit card for filling in an online form. How convenient ;)

Here is an XYZ-obscured list of domains currently in use.

Example below:

[Image: IRS Phish]

As is usual these days for this sort of attack, the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.

…There I go again, assuming THEY actually pay.

Oh, while we’re on the subject, F-Secure have a cute blog on using Google to catch PayPal phish. Note the “Results: 1-10” … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps ;)

Source: Computer Security Research - McAfee Avert Labs Blog
