Application security, Incident Response, Malware, Phishing, TDR

IRS phishing scam targets stimulus payments

As might be expected, email users are beginning to see the first stages of what is expected to be a major phishing attack capitalizing on the populace's eager expectation of IRS refund checks, as well as the Bush administration's economic stimulus payment distribution, scheduled to begin May 2.

Similar to other iterations of this scheme, this one also has an IRS logo at the top of the message copied directly from the IRS website, according to an entry on the MX Logic IT Security Blog.

Researchers at MX Logic report that samples they are seeing allege to be from "[email protected]" and have a subject line of "2008 Economic Stimulus Refund."

The phish content says something like: "Over 130 million Americans will receive refunds as part of President Bush's program to jumpstart the economy." Or, "Our records indicate that you are qualified to receive the 2008 Economic Stimulus Refund," or some variation along these lines.

But by clicking on the link, instead of a payoff, unwary computer users land on a prototypical phishing site, said MX Logic.

Once there, they are prompted to enter their bank routing number and checking account number with the promise that the rebate will be directly deposited into their checking account.

Sam Masiello, director of threat management at MX Logic, told SCMagazineUS.com today that his company expected to see these sorts of scams emerge at this time after last month's deluge of phishing spam in advance of the April 15 tax deadline.

The $168 billion expected to be dispersed via this economic stimulus payment distribution is quite an incentive for cyberthieves preying on email users, says Masiello. He added that the tactic of establishing a sense of urgency to trick end-users may prove to be effective.

In fact, this reporter received two versions of this scheme today (see image) allegedly from "Internal Revenue Service (IRS) <[email protected]>." Fortunately, clicking through on the link is denied by the corporate network protection here.

While there may not be a lot that consumers can do to block these phishing emails from coming into their inboxes, a page on the IRS website offers consumers a way to at least report the receipt of phishing scams. By doing this, the IRS said, it can "...use the information, URLs and links in the suspicious emails you forward to trace the hosting website and alert authorities to help shut down the fraudulent sites."

"This is largely an education issue," said Masiello. "End-users need to be alerted to the fact that the IRS will never communicate via email. The IRS does not know, nor does it care to know, your email address. Getting word out is key."

This is about the time that Masiello expected to start seeing these scams start coming out, and this certainly won't be the last of them, he said -- especially since the distribution of the stimulus payments is expected to last a couple of months.

And what's to come? Masiello warned that he expects there to be a follow-up to this current tax refund scam. "Be on the lookout for potential scams that try to get people to invest their tax refunds in fraudulent schemes."

Also, he said, other likely possibilities in the near future are the return of stock pump-and-dump scams and a blast advertising retail gift cards that promise extra bonuses.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.