Spam uses HTML attachments with redirects

Jul 27, 2010 09:20 GMT

Security researchers from antivirus vendor Sophos warn that cyber criminals are targeting Australian taxpayers again. A new tax refund-themed spam campaign is luring users into opening HTML attachments that redirect to a phishing page.

The rogue emails come with a subject of “Australian Tax Refund Agency” and their “From” field has been forged to appear as if they originate from service at ato.gov.com.au. “We have determined that you are eligible to receive a tax refund of $210.75 AUD,” reads one of the spam messages.

The emails further instruct users to open the attached file and complete the form in order to receive their tax refund. The most interesting aspect of this phishing scam is that there are no malicious links or infected PDF files embedded in the message.

The attachment in question is a simple .html file, which redirects users to an external phishing page. “[...] The HTML attachment [...] contains only a simple meta refresh link. In this way, when the email is opened, the link in the message automatically (without any further user intervention) redirects the recipient to [a] bogus Australian Tax Office (ATO) website, from where it will attempt to harvest the victim’s credit card information,” the Sophos researchers warn.
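The redirect-only attachment described above is easy to recognise mechanically, because a legitimate document rarely consists of nothing but a zero-second meta refresh to another host. The following scanner is an added example written for this article, not code from Sophos or from the article itself: it parses an HTML attachment with the standard library, extracts any `<meta http-equiv="refresh">` target, and flags it when the target host does not belong to the claimed sender domain and the page carries no visible text. The sample attachment, the `refund-form.example.invalid` host and the `ato.gov.au` sender domain are constructed placeholders.

```python
"""Detect meta-refresh redirects in HTML email attachments.

Added example (not from the article or from Sophos). It looks for the
pattern the article describes: an .html attachment whose only payload is a
<meta http-equiv="refresh"> tag that sends the recipient to another site.
All sample HTML and URLs below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaRefreshParser(HTMLParser):
    """Collect meta refresh targets and count visible text characters."""

    def __init__(self):
        super().__init__()
        self.redirects = []   # list of (delay_seconds, url)
        self.text_chars = 0   # visible text; zero means a redirect-only page

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            return
        target = parse_refresh_content(attrs.get("content", ""))
        if target:
            self.redirects.append(target)

    def handle_data(self, data):
        # Whitespace between tags does not count as visible content.
        self.text_chars += len(data.strip())


def parse_refresh_content(content):
    """Parse a refresh value such as '0; url=http://...' into (delay, url).

    Accepts the variants browsers tolerate: optional whitespace, 'URL=' in
    any case, quoted or unquoted target. Returns None when no URL is present
    (a bare delay such as '5' only reloads the page).
    """
    m = re.match(r"\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+)",
                 content, re.I)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def analyze_attachment(html, sender_domain):
    """Return one finding per meta refresh redirect found in the attachment."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for delay, url in parser.redirects:
        host = (urlparse(url).hostname or "").lower()
        external = not (host == sender_domain
                        or host.endswith("." + sender_domain))
        findings.append({
            "delay": delay,
            "url": url,
            "host": host,
            "external": external,
            # Zero-delay redirect with no visible text is the lure shape
            # the article describes: the recipient sees nothing but the
            # destination page.
            "redirect_only": delay == 0 and parser.text_chars == 0,
        })
    return findings


# Constructed sample resembling the attachment described: nothing but a
# zero-second meta refresh to a placeholder host. Not a real campaign artifact.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="Refresh" content="0; URL='http://refund-form.example.invalid/ato/index.php'">
</head><body></body></html>"""


if __name__ == "__main__":
    # Sender domain is the one the forged From header claims (placeholder).
    for f in analyze_attachment(SAMPLE_ATTACHMENT, "ato.gov.au"):
        verdict = "SUSPICIOUS" if f["external"] and f["redirect_only"] else "review"
        print(f"{verdict}: meta refresh after {f['delay']}s to {f['url']}")
```

Run against each `.html` part of an incoming message, comparing the redirect host with the domain the From header claims; a zero-delay external redirect from an otherwise empty page is a strong signal worth quarantining for review.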

The form claims that the tax refund will be made to users via VISA or Mastercard and asks them for their credit card details. The information collected via the form includes driver's license number, address, city, state/territory, postcode, phone number, as well as card type, card number, expiration date and CVV/CNV number.

Tax-related email scams impersonating taxation agencies in various countries are common occurrences, but the fact that cyber criminals continue to launch such campaigns suggests that, at least on some level, they are successful. “Be it from the UK or the USA, it appears that tax time is a very lucrative opportunity for spammers and phishers. As usual, it is wise to be extra careful of unsolicited emails, especially those that appear to come from the government,” Sophos advises.

You can follow the editor on Twitter @lconstantin