Taxation: Phishing fraud attacks UK taxpayers

The fraud claims that Her Majesty's Revenue and Customs is upgrading its computer systems, that a review of records has concluded that the target has overpaid tax and that in order to collect the refund a form, which is attached to the fraudulent mail, must be completed.

The fraud is the subject of a warning to Payment Card Issuers by The Anti Money Laundering Network, parent of the publisher of ChiefOfficers.Net.

The attached form, when opened in an internet browser, uses the technique of "in-line images" to link to websites such as PayPal and RBS Worldpay and to automatically copy images from those sites to the user's computer, giving apparent legitimacy to the form.

But the file includes javascript - self-executing code. This adds current date and time to the form.

The file also includes a table of links to the HMRC website - and those links work properly and so, again, give the impression that the form is genuine. Each of those links opens in a new tab or browser window, so ensuring that users retain open the original file.

The form itself is a simple collection form for name, address and full credit card details including the security code. In short, everything the thief needs to produce a fake card or to use the card for internet shopping.

It also contains a popup which it imports, using Javascript, from www.internetadcorp.com, as a sample of back of a credit card to demonstrate how to find the security number.

When the form is submitted, it goes to a directory at www.globalstylecricket.com.

The form bears a security scheme logo which it copies from the website of UK internet shopping website www.argos.co.uk.

The scam itself is extremely unsophisticated but, because it offers free money some people will be tempted to look at the file. The file itself carries no malicious payload.

However the file is a work of some sophisticated planning. By drawing files from so many different sources, and including a series of links that will be time-consuming to recode on a large website such as the HMRC, it will have a longer life expectancy than frauds that use simpler forms.

The fact that the form is attached, and therefore opened locally, means that there is less suspicious traffic to a hosting company and that only those forms which are completed are submitted.

The text of the e-mail is below. The form has not been replicated here.

========

Purportedly from: customers at hmrc.gov.uk

Subject: Reminder: Please Submit Your Refund Payment

Content:

Dear Applicant:Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show you have made over payments of 256.99 GBP

Due to the high volume of refunds due you must complete the on line application, the telephone help line is unable to assist with this application.

In order to process your refund you will need to complete the attached application form.

Your refund may take up to 3 weeks to process please make sure you complete the form correctly.As we are upgrading our records we require the completed form showing your full current details by 1 April 2010Please submit the form attached to confirm the refund.S. M.RobertsSenior ManagerHM Revenue & Customs--------------------------------------------------------------© Copyright 2010, HM Revenue & Customs UK All rights reserved.TAX REFUND ID: A29R119###########################