phishing

I was sent the details of a very interesting and extremely well done phishing scam that pretends to be a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam & copied almost exactly the genuine Gov.uk site, complete with all branding & Postcode lookup.

I don’t have the original email, so I can’t get any sender’s details or what the email said. I do have an image of the PDF that was attached to the email. I am assuming it was pretending to come from HMRC in some way.

The scammer has gone to extremes to make this as believable as possible. He has also made it slightly more difficult for a researcher to follow the trail or see exactly what happens. One of the ways this is done is to divert a known IP, or one that has previously contacted the initial URL, to the genuine Gov.uk site.

[Screenshot: fake Council Tax refund PDF attached to the phishing email]

The link in the PDF goes to:

1. http://payment34956273.from-ny.net/ which is a dynamic DNS hostname on a service run by Dyn (dyndns) that just redirects you to the site the scammer has chosen:
2. http://khalsacare.com/council/ which sets a cookie with a PHP session id & then redirects to the next site (this site was registered on 22 Feb 2019 via Godaddy as registrar and is also hosted on the Godaddy network):
3. https://yourcouncil.city/ (this was registered on 19 April 2019 via Godaddy as registrar and is also hosted on the Godaddy network)

I also ran the links through Anyrun, which also shows that this scam phishing site is able to misuse a large part of the genuine Gov.uk site, stealing the images, layout & display from gov.uk, because there are no blocks on the gov.uk site stopping unauthorised and unapproved users from hot-linking to the content & displaying it on any site anywhere. The UK Government can go a long way in helping to stop scams like this if they prevent hotlinking of images and set allowed origins on script files so they can only be used on approved sites on the gov.uk domain.
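As an added example (not code from the original post), here is the defender-side check the paragraph above calls for, run from the asset owner's side: it parses access-log lines and flags requests for /assets/ paths whose Referer is a site outside the owner's domain, so a clone that hot-links the real images and stylesheets shows up as a new referring host. The log lines, asset paths and the look-alike host gov.uk.example.net are constructed; the allowed suffix gov.uk and the /assets/ prefix are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined-log-format parser (the Apache/Nginx default access log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions: the asset owner's own domain suffix, and the path prefix of hot-linkable assets.
ALLOWED_REFERER_SUFFIXES = ("gov.uk",)
ASSET_PREFIX = "/assets/"

# Constructed sample log lines (not real gov.uk logs). The off-domain referers reuse the
# hosts named in the post; gov.uk.example.net is a constructed look-alike placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2019:10:01:02 +0000] "GET /assets/images/crown.png HTTP/1.1" 200 4111 "https://www.gov.uk/council-tax" "Mozilla/5.0"
203.0.113.11 - - [20/Apr/2019:10:01:05 +0000] "GET /assets/files/govuk-template.css HTTP/1.1" 200 9021 "https://yourcouncil.city/Main.php?sslchannel=true" "Mozilla/5.0"
203.0.113.12 - - [20/Apr/2019:10:01:09 +0000] "GET /assets/files/application.js HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
203.0.113.13 - - [20/Apr/2019:10:02:00 +0000] "GET /assets/images/crown.png HTTP/1.1" 200 4111 "http://khalsacare.com/council/" "Mozilla/5.0"
203.0.113.14 - - [20/Apr/2019:10:02:30 +0000] "GET /council-tax HTTP/1.1" 200 15000 "https://www.google.com/" "Mozilla/5.0"
203.0.113.15 - - [20/Apr/2019:10:03:00 +0000] "GET /assets/files/fonts.css HTTP/1.1" 200 2200 "https://gov.uk.example.net/refund" "Mozilla/5.0"
"""

def referer_allowed(referer: str) -> bool:
    """True when the Referer is absent (direct hit, or stripped by the browser) or on an allowed domain."""
    if referer in ("", "-"):
        return True
    host = (urlsplit(referer).hostname or "").lower()
    # Dot boundary on the suffix, so a look-alike such as gov.uk.example.net does NOT pass.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_REFERER_SUFFIXES)

def find_hotlinks(log_text: str) -> list:
    """Return one record per asset request whose Referer is an off-domain site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ASSET_PREFIX):
            continue
        if referer_allowed(m.group("referer")):
            continue
        hits.append({"ip": m.group("ip"), "path": m.group("path"),
                     "referer_host": urlsplit(m.group("referer")).hostname})
    return hits

def hotlink_hosts(log_text: str) -> dict:
    """Count hot-linking requests per referring host; a freshly cloned site appears as a new host."""
    return dict(Counter(h["referer_host"] for h in find_hotlinks(log_text)))
```

Running hotlink_hosts over a day's logs and diffing the host set against the previous day is a cheap way to spot a new clone early; requests with no Referer are deliberately not flagged, since privacy settings strip the header for many legitimate visitors.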

If you follow the link inside the PDF you see a web page looking like this, asking you to start with your Postcode:

In this case I have inserted fake details for a resident of Number 10 Downing Street ( The Prime Minister’s residence)

[Screenshot: fake Council Tax refund site, Postcode entry page]

Next, it looks up the postcode & says which council it belongs to.

[Screenshot: fake Council Tax refund site, council lookup page]

Next it asks for name, address, phone number, date of birth, email address and mother’s maiden name.

[Screenshot: fake Council Tax refund site, personal details page]

Next comes the financial details.

[Screenshot: fake Council Tax refund site, card and bank details page]

Next you get a success page saying that you won’t be refunded until the due date and you will be diverted to the home page. You are then sent to the genuine gov.uk website.

This final page on the phishing website is the only page that doesn’t match up properly & instead of the name of your council, it gives XXX council.

[Screenshot: fake Council Tax refund site, success page]

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It may be a message saying “look at this picture of me I took last night” that appears to come from a friend, or it may be more targeted at somebody who is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or it may be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.

IOC:

http://payment34956273.from-ny.net/ 216.146.39.125
http://khalsacare.com/council/ 23.229.192.128
https://yourcouncil.city/ 107.180.0.131


Read more https://myonlinesecurity.co.uk/fake-council-tax-refund-phishing-scam/
