Tuesday, 30 December 2014

HM Revenue & Customs - Kathy Donnelly - HMRC Tax Credit Office phishing

Here's a HMRC phishing email with a zip attachment....

Headers:
From: "HM Revenue & Customs"{online-service@HMRC.gov.uk}
Subject: Tax Refund Message!

Message:
Dear Applicant,

The contents of this email and any attachments are confidential and as
applicable, copyright in these is reserved to HM Revenue & Customs.
Unless expressly authorised by us, any further dissemination or
distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to
inform us that you have received this email in error and then delete it
without retaining any copy.

I am sending this email to announce: After the last annual calculation of
your fiscal activity we have determined that you are eligible to receive a
tax refund of 244.79 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209,
complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT
button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at HM Revenue & Customs: http://www.hmrc.gov.uk

Sincerely,

 Kathy Donnelly,
 HMRC Tax Credit Office
 Preston
 TAX REFUND ID: UK681716209-HMRC

© Copyright 2014, HM Revenue & Customs UK All rights reserved.

The attachment is a zip file:
HM Revenue & Customs - HS380 Form.zip

Inside the zip file is a standard html file:
HM Revenue & Customs - HS380 Form.html

 If you access the html file with a browser you get a fake HMRC form, asking for all your
payment credit/debit card details:




The data from this form is then posted to a fake form address:

div class="portlet-body">
name="processForm" method="POST" onsubmit="return submitIt(this)">
Cheers,

Steve
Sanesecurity.com

No comments: