A new phishing scam is circulating through Canadian inboxes, just as 2008 tax packages are arriving in the mail.
The e-mail tells recipients they are entitled to a tax refund from the Canada Revenue Agency. To receive the refund, users must click an embedded link that leads to a Web site posing as the CRA. Visitors are prompted to fill out an online form requesting tax-related information, including Social Insurance Number, date of birth, full name and the amount of their tax return.
“When you go to the site, the phishers have lifted all the graphics and everything from the Canada Revenue Agency site, so it all looks pretty much the same,” said Marc Fossi, manager of development in the Security Technologies and Response Organization at Symantec Corp. Two big clues point out the site’s illegitimacy, according to Fossi.
“Pretty much all Canadian government agencies have a link up in the menu to the French version of that page, where it does say ‘Francais,’” Fossi said. “They were obviously using a different character set, so when they tried to get the ‘ç’ with the cedilla, they didn’t have that character…instead, you see possibly a Chinese character there,” he said.
The second clue is the URL. “It’s not cra-arc.gc.ca. It’s actually a Web site located in Taiwan,” said Fossi.
The phishing attempt has an average level of sophistication, said Fossi.
“In this case, there’s nothing that jumps out at you like misspelled words or anything like that,” Fossi said.
But the threat to Canadians is high. “With this information attackers can very easily steal the victim’s tax refund and then sell all their personal information,” said Fossi.
Symantec became aware of the threat late last week.
The phishing site is currently live and there’s no indication of when it will shut down. “It’s kind of difficult to do a whole lot with it…in this case, it’s multi-jurisdictional. It’s targeting users in Canada, the e-mail message was sent from a mail server in Russia and the actual phishing Web site is hosted in Taiwan,” said Fossi.
The Canada Revenue Agency is aware of the threat. The CRA learns of such scams almost instantaneously because taxpayers start calling the inquiry lines to ask whether the e-mails or letters they received are legitimate, explained Peter Delis, communications manager in the Canada Revenue Agency’s Ontario region.
A couple of months ago, the CRA added a “Fraudulent Emails and Letters” section to its homepage in response to the recent increase in tax-related scams. “We’re seeing it more often now, regardless of whether it’s tax season or not. We used to see it at various times of the year, now it’s popping up every month or so,” said Delis.
According to Fossi, posing as the CRA is a new twist. “I haven’t had one like this drawn to my attention before,” said Fossi. “I’ve seen similar concepts mostly targeting Americans, like phishing attempts that claim they’re coming from the IRS. But I haven’t seen one that was CRA.”
The “Fraudulent Emails and Letters” section is continuously updated, but individuals questioning the validity of an e-mail or letter from the CRA should call to confirm the communication, Delis suggested.
But the request for personal information is the first indication of fraudulence. “We do not request by e-mail personal information of any kind from taxpayers,” said Delis. “That’s our first clue when it comes to e-mails.”
The lock symbol is another key to determining whether a Web site requesting personal information is a sham, Fossi pointed out. “Generally when you get any legitimate Web site that’s asking you to fill out that information, you get the lock symbol on your browser saying it’s a secure page. In this case, it’s not,” he said.
But a secure connection does not guarantee legitimacy: attackers are sophisticated enough to set up phishing sites that use encryption too, warned Fossi. “Some people, they just look for that lock…if their particular browser tells them it’s a secure site, they might just go, ‘Oh, it’s secure, so it’s safe.’
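The three clues Fossi describes (a host that is not cra-arc.gc.ca, a mangled “Français” toggle caused by a wrong character set, and a form served without the padlock) can be turned into a quick triage check. The script below is an added example written for this page, not code from the article, Symantec or the CRA. The sample URLs and page snippets are constructed: 203.0.113.7 is a documentation address, example.tw is a made-up look-alike host, and the page text is a few invented HTML fragments. Note the ordering in `triage`: a wrong host is decisive on its own, and the presence of https never rescues a page on the wrong domain, which is the caveat about “secure” phishing sites.

```python
"""Triage a suspected phishing link and landing page using the indicators
named in the article: host, character-set mangling, and use of TLS."""
import re
import unicodedata
from urllib.parse import urlsplit

# The legitimate CRA domain named in the article; everything else here is an assumption.
LEGIT_DOMAIN = "cra-arc.gc.ca"

# The French-language toggle that Canadian government pages carry. The group
# captures whatever sits where the cedilla should be; 1-2 characters covers
# both a single substituted glyph and two-character mojibake such as "Ã§".
FRENCH_TOGGLE = re.compile(r"Fran(.{1,2})ais")


def host_is_legitimate(url: str) -> bool:
    """True only if the host is cra-arc.gc.ca or a subdomain of it.

    A suffix check anchored on the dot defeats look-alikes such as
    cra-arc.gc.ca.example.tw (real domain used as a prefix) and
    203.0.113.7/cra-arc.gc.ca/... (real domain only in the path).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def french_toggle_problem(page_text: str):
    """Return None if the page shows 'Français' correctly, else a description.

    A page copied from the CRA but served in a different character set renders
    the cedilla as some other character (the article reports a Chinese-looking
    glyph); the mismatch is a cheap, strong indicator of a cloned page.
    """
    m = FRENCH_TOGGLE.search(page_text)
    if m is None:
        return "no French-language toggle found"
    seen = m.group(1)
    if seen == "ç":
        return None
    names = ", ".join(unicodedata.name(c, "U+%04X" % ord(c)) for c in seen)
    return f"cedilla replaced by {seen!r} ({names})"


def triage(url: str, page_text: str) -> dict:
    """Combine the indicators into a verdict with the supporting findings."""
    parts = urlsplit(url)
    findings = []
    if not host_is_legitimate(url):
        findings.append(f"host {parts.hostname!r} is not under {LEGIT_DOMAIN}")
    if parts.scheme != "https":
        findings.append("form is served without TLS (no padlock)")
    problem = french_toggle_problem(page_text)
    if problem:
        findings.append(problem)
    # Wrong host is decisive; the padlock alone proves nothing about who runs the site.
    if not host_is_legitimate(url):
        verdict = "phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "consistent with legitimate"
    return {"url": url, "verdict": verdict, "findings": findings}


# Constructed sample pages (not real CRA content and not the real phishing page).
PHISH_PAGE = "<a href='?lang=fr'>Fran中ais</a> Enter your SIN to claim your refund"
LEGIT_PAGE = "<a href='?lang=fr'>Français</a> My Account"

if __name__ == "__main__":
    for url, page in [
        ("http://203.0.113.7/cra-arc.gc.ca/refund.php", PHISH_PAGE),
        ("https://cra-arc.gc.ca.example.tw/refund", LEGIT_PAGE),  # padlock present, wrong domain
        ("https://www.cra-arc.gc.ca/myaccount/", LEGIT_PAGE),
    ]:
        print(triage(url, page))
```

Run it directly to see the three verdicts; the second case is the one to show users who stop at the padlock, since it is served over https and still lands on a domain the CRA does not control.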
“We did a whole report on the underground economy back in November and we see phishing kits being sold online. They’re sort of ready-made kits that include everything you need to launch a phishing attack,” said Fossi.