Posted on Wednesday, 23rd September 2009 by Michael

More IRS Shenanigans

Today our director of Internal Audit dropped on my desk a printed email that looked exactly the same as the scam email I wrote about a few weeks ago in the post called “The IRS has partnered up with China to help you get a tax bonus!”. I figured since I had a huge increase in traffic since I did the original story from people searching for what 0x7C.0xDB11D1 was that I would do a follow up to help others out that may be seeing this for the first time.

This time however the amount is no longer 184.80 they are now saying you are entitled to a whopping 284.80 cents an increase of $100.00 dollars.

The URL has changed slightly instead of http://0x7C.0xDB11D1/www.irs.gov/ it is now http://2081062820/www.irs.gov/. The new URL uuencoded is http://124.10.127.164/www.irs.gov/. At the time of this writing it looks like the URL has been removed and is no longer working to con innocent people out of their information. To see how I decoded the URL please read the original story posted here http://www.digitaloffensive.com/index.php?option=com_content&task=view&id=23&Itemid=2 .

The third change was the “Document Reference Number”. In both emails this number was just the obfuscated URL to make it look more official and lend assistance in making the phish fall for the bait easier. In the first mail the “Document Reference Number” was 0x7C.0xDB11D1 and in the second one it was 2081062820.

Once again only way for us to help protect our end users is through constant reminders and training.

Posted in Papers | Comments (0)

Leave a Reply

*