Cyber-criminals have set up a fake copy of the agency's website

Jan 22, 2009 09:58 GMT

The Canada Revenue Agency (CRA) is the subject of a recent phishing campaign, security researchers from IT security vendor Websense warn. This attack tries to capitalize on the upcoming deadline for submitting tax return applications online.

The Canada Revenue Agency is the Canadian version of the U.S. IRS, and is responsible for administering the taxation process on behalf of the Government of Canada. Like many agencies that handle financial records in other countries, the CRA has been the subject of phishing campaigns before. Older pages on its website warn users, on several occasions, of e-mail scams impersonating the agency.

The Websense researchers note that the well-crafted fake website is hosted in Germany, and that it uses the same graphics and stylesheet as the original in order to mislead users. The website displays a modified tax refund form, which asks for extensive personally identifiable information such as the real name, social insurance number, date of birth, address, postal code, phone number, and even the mother's maiden name. In addition, it requires credit card details, which include card type, number, expiration date and CVV2.

Upon submitting the form, a message that reads “You will receive a confirmation to your email once your request was processed,” is displayed, and the victims are redirected to the legitimate website of the Canada Revenue Agency in order to increase the scam's credibility. “This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications,” the Websense analysts explain.

The agency has also updated one of its fraud alert pages, in order to reflect this latest attack. “Another common scam refers the person to a Web site resembling the CRA's Web site, where the person is asked to verify their identity by entering personal information,” the update reads. “Taxpayers should not respond to such fraudulent communications,” the agency warns, adding that “The CRA will continue to post notifications of fraudulent communications as we become aware of them, and encourages you to check our Web site should you have concerns.”

We have reported in the past on cases of other government agencies being used as a front for phishing scams. The Internal Revenue Service (IRS) was the subject of a very similar attack in 2008, when fraudulent e-mails were directing users to a spoofed IRS website. The Internet Crime Complaint Center (IC3) has also recently issued an alert about multiple fake e-mails in circulation that claim to come from various FBI officials.