{"id":13358,"date":"2018-09-14T09:10:07","date_gmt":"2018-09-14T17:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/09\/14\/news-7125\/"},"modified":"2018-09-14T09:10:07","modified_gmt":"2018-09-14T17:10:07","slug":"news-7125","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/09\/14\/news-7125\/","title":{"rendered":"HMRC phish swipes email login, payment details"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 14 Sep 2018 16:00:00 +0000<\/strong><\/p>\n<p>It&#8217;s not tax season in the UK, but that hasn&#8217;t deterred scammers from sending out mail looking to swipe both card details and email logins in one fell swoop.<\/p>\n<p>The email, which claims UKGOV has issued a tax refund to the tune of 542.94 GBP, arrives under the following title, which is spectacularly poorly formatted:<\/p>\n<blockquote>\n<p><em>[RCPT-07010144] processed your automatic payment is available &#8211; &#8220;Subscription- 10 SEPTEMBER 2018&#8243;[Email No.&#8217;6922&#8242;]<\/em><\/p>\n<\/blockquote>\n<p>The body content states that recipients can reclaim the cash by logging in on their &#8220;gateway portal.&#8221; Better make haste though, as (in our case) the mail has a same day expiration date for the ability to put in a claim.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail.jpg\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25487\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/attachment\/fakehmrcemail\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail.jpg\" data-orig-size=\"1151,838\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Fake email\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail-300x218.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail-600x437.jpg\" class=\"aligncenter size-medium wp-image-25487\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail-300x218.jpg\" alt=\"Fake email\" width=\"300\" height=\"218\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail-300x218.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail-600x437.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/fakehmrcemail.jpg 1151w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: center\">Click to enlarge<\/p>\n<p>Typically, we tend to see time limits of a few days on fake mails such as this one, so they&#8217;re really relying on pressure to get the job done here. We suspect anyone else receiving one of these will find themselves faced with a similarly pressing deadline.<\/p>\n<p>Unlike many boilerplate tax phishes, we&#8217;re not sent directly to a fake HMRC page to enter card details.<\/p>\n<p>With this scam, the first point of entry is on an imitation Outlook login, where potential victims are asked for their email address and password.<\/p>\n<p>The scam site is located at:<\/p>\n<p>onlinehmrevnue(dot)from-tx(dot)com\/webGBTxid\/checkValidation(dot)php<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1.jpg\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25483\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/attachment\/mhrc-phish-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1.jpg\" data-orig-size=\"776,695\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Fake HMRC phish login\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1-300x269.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1-600x537.jpg\" class=\"aligncenter size-medium wp-image-25483\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1-300x269.jpg\" alt=\"Fake HMRC phish login\" width=\"300\" height=\"269\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1-300x269.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1-600x537.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/mhrc-phish-1.jpg 776w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: center\">Click to enlarge<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2.jpg\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25484\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/attachment\/hmrc-phish-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2.jpg\" data-orig-size=\"456,396\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Fake login\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2-300x261.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2.jpg\" class=\"aligncenter size-medium wp-image-25484\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2-300x261.jpg\" alt=\"Fake login\" width=\"300\" height=\"261\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2-300x261.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-2.jpg 456w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: center\">Click to enlarge<\/p>\n<p>Once the email details have been harvested, they&#8217;re then taken to a rather threadbare HMRC phish. There are no splash screens or fake logins or anything remotely resembling the process of having to sign into the so-called gateway portal. Instead, it&#8217;s just a page full of boxes to be filled with name, address, city, phone number, DOB, mother&#8217;s maiden name, and then full credit card information, just to round things off.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3.jpg\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25485\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/attachment\/hmrc-phish-3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3.jpg\" data-orig-size=\"1126,923\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"HMRC phish card harvesting\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3-300x246.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3-600x492.jpg\" class=\"aligncenter size-medium wp-image-25485\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3-300x246.jpg\" alt=\"HMRC phish card harvesting\" width=\"300\" height=\"246\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3-300x246.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3-600x492.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-3.jpg 1126w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: center\">Click to enlarge<\/p>\n<p>The site performs a basic validation check on some of the information entered. The reason for this is so the scammers can be reasonably confident that the person on the other side of the screen entered accurate information. They also gain some (slight) protection from doing this; you can&#8217;t enter some fake details to <a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/09\/5-safe-ways-to-get-back-at-spammers-a-guide-to-wasting-time\/\" target=\"_blank\" rel=\"noopener\">waste the scammer&#8217;s time<\/a>, because when you hit the credit card number section, it&#8217;ll probably just prevent you from going any further.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4.jpg\" data-rel=\"lightbox-4\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25486\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/attachment\/hmrc-phish-4\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4.jpg\" data-orig-size=\"943,147\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Validation check\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4-300x47.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4-600x94.jpg\" class=\"aligncenter size-medium wp-image-25486\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4-300x47.jpg\" alt=\"Validation check\" width=\"300\" height=\"47\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4-300x47.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4-600x94.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/hmrc-phish-4.jpg 943w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: center\">Click to enlarge<\/p>\n<p>You could probably still do it given enough time, but they&#8217;re likely banking on most people giving up and simply moving on instead. Make no mistake, a site such as the above is expressly geared toward nothing but the victim.<\/p>\n<p>While these scams tend to experience a boom period during <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/02\/tips-to-stay-secure-during-tax-season\/\" target=\"_blank\" rel=\"noopener\">tax season<\/a> (in this case, around April for the US and UK), there&#8217;s nothing preventing scammers from firing these out at other times of the year. In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of &#8220;fake tax refund&#8221; articles making the rounds. Out of sight, out of mind and all that.<\/p>\n<p>If you receive a mail similar to the above and you&#8217;re not sure if it&#8217;s real or not, the HMRC website has a number of pages giving advice on these specific situations. The main one to check out would be their <a href=\"https:\/\/www.gov.uk\/government\/publications\/genuine-hmrc-contact-and-recognising-phishing-emails\/genuine-hmrc-contact-and-recognising-phishing-emails\" target=\"_blank\" rel=\"noopener\">phishes and frauds<\/a> page, where you can see the type of correspondence they send out, and when they do (or don&#8217;t) send refund notices, as well as the method of said notification. They also provide some examples of phishing emails with their name on it.<\/p>\n<p>One thing is for certain: You definitely won&#8217;t be sent from a HMRC refund email to an Outlook login. Don&#8217;t fall victim to a scam such as this, or you&#8217;ll have to chase down your bank and your email provider. If you have any logins tied to the compromised email account, you may have to play clean up for those, too.<\/p>\n<p>Never underestimate how much trouble a fairly crude, <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\" rel=\"noopener\">simple phish<\/a> can cause\u2014it doesn&#8217;t take much to cause endless financial headaches and a large bundle of password resets.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/\">HMRC phish swipes email login, payment details<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 14 Sep 2018 16:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/' title='HMRC phish swipes email login, payment details'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/09\/shutterstock_264409757.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>It isn&#8217;t tax season for UK (or US) residents, but that hasn&#8217;t deterred scammers from sending out an HMRC phish double whammy with a tight deadline attached.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/social-engineering-cybercrime\/\" rel=\"category tag\">Social engineering<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/fraud\/\" rel=\"tag\">fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/fraud-site\/\" rel=\"tag\">fraud site<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hmrc\/\" rel=\"tag\">HMRC<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hmrc-fraud\/\" rel=\"tag\">hmrc fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/outlook\/\" rel=\"tag\">Outlook<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phish\/\" rel=\"tag\">phish<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scam\/\" rel=\"tag\">scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-engineering\/\" rel=\"tag\">Social Engineering<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tax\/\" rel=\"tag\">tax<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tax-fraud\/\" rel=\"tag\">tax fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tax-season\/\" rel=\"tag\">tax season<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/uk-fraud\/\" rel=\"tag\">UK fraud<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/' title='HMRC phish swipes email login, payment details'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/09\/hmrc-phish-swipes-email-login-payment-details\/\">HMRC phish swipes email login, payment details<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,9751,19517,14790,19518,13255,10511,3924,3985,10510,6338,11438,11439,19519],"class_list":["post-13358","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-fraud","tag-fraud-site","tag-hmrc","tag-hmrc-fraud","tag-outlook","tag-phish","tag-phishing","tag-scam","tag-social-engineering","tag-tax","tag-tax-fraud","tag-tax-season","tag-uk-fraud"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13358"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13358\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13358"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}