Posted on Wednesday, 23rd September 2009 by Michael

The IRS has partnered up with China to help you get a tax bonus!

As some of you know, my day job has me providing security guidance to a large user base that varies widely in technical skill. Every day we get several requests asking whether something is a scam or phishing attempt, and when time allows we do the research.

Today’s phishing question had to do with the following email:

From: Internal Revenue Service (IRS) [mailto:taxrefund@0x6c.3xdb24d6.irs.gov]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

I did some quick initial research and replied to the end user with the following information:

From: Internal Revenue Service (IRS) [mailto:taxrefund@0x6c.3xdb24d6.irs.gov]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Unfortunately we do not have the full headers here, so I cannot confirm or deny the email address above. But I can tell you that just looking at it, it does look really suspicious.

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

The IRS knows you and would address you by your full name, i.e. John Smith, not Dear Taxpayer.

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

In the past, whenever the IRS has owed an individual additional money / rebates, they never required additional requests, i.e. the recent bonus rebates.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

This web address is bogus. The IRS's real site is http://www.irs.gov. If you Google the address you will find these links, http://www.google.com/search?hl=en&q=0x7C.0xDB11D1, showing that this is indeed a scam.
According to this site the URL no longer works, though I do not suggest you click it: http://www.phishtank.com/phish_detail.php?phish_id=448690&frame=site. That link will allow you to see the site in a protective format; if you hover over the links on the site you will see that many of them do not go to the IRS site.

It is my belief that 0x7C.0xDB11D1 is another URL encrypted with hexadecimal (a computer language) that basically uses some form of cross site scripting, site spoofing, or redirection to steal your information.

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Though the response above works for our end users, this interested me, so I decided to research it further. Looking at the URL, I figured the phishers had either come up with a new way, or were using an old way that still worked, to obfuscate the URL.

(Before doing any of the below, please make sure you are using a live boot CD or a machine that you do not care about. I am not responsible if you infect yourself.)

So first I wanted to decode the URL http://0x7C.0xDB11D1. Using a hexadecimal conversion sheet that I found at http://www.dewassoc.com/support/msdos/decimal_hexadecimal.htm
I was able to translate the obfuscated URL to the IP address 124.219.17.209. You could also decode it with the ping -a command, which resolves the hex form to the IP address.

Second, I used Wireshark to capture traffic to and from the site to see whether it used any droppers or scripts for redirection or infection. I did not see anything out of the ordinary.

Third, I used Firefox and the Live HTTP Headers plug-in to capture the HTTP traffic to and from the site to see whether any scripts or redirection took place, and I did not see anything.

Fourth, I manually analyzed the source code of http://0x7C.0xDB11D1/ and of the sites it redirected to, and did not see anything in the code that was obfuscated or out of the norm. The hacked pages pulled a lot of the IRS images and style sheets to make it look like the real thing, but the attacker did an extremely poor job of hiding the URL. The URL clearly is not that of the IRS.

Fifth, I manually changed the URL: instead of http://0x7C.0xDB11D1/www.irs.gov I tried http://0x7C.0xDB11D1/www.digitaloffensive.com and got a page-cannot-be-found error. This makes me believe that on the site http://0x7C.0xDB11D1 (124.219.17.209) there is a subfolder called www.irs.gov containing a file that redirects to random sites. I say random sites because during my analysis of this issue two different redirected hacked URLs showed up. I tried to mirror the site with wget -rm http://0x7C.0xDB11D1, but most of the directories cannot be accessed. I even tried to mirror it with wget -rm http://0x7C.0xDB11D1/www.irs.gov/, and that was able to download one of the other hacked sites, but it still did not provide the redirection source.
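The decoding done by hand in the first step, and the path trick noted in the fifth step, as an added example that is not part of the original post: a small Python triage helper that turns any inet_aton-style numeric host (hex, octal or decimal, one to four parts) into dotted decimal, and flags a URL whose host is numeric while its path carries a brand domain. The brand list is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# A numeric IPv4 host may be written the way inet_aton() accepts it: one to
# four dot-separated parts, each decimal, octal (leading 0) or hex (0x), with
# the last part filling all remaining low-order bytes. '0x7C.0xDB11D1' is the
# two-part hex form of 124.219.17.209.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)

def _part_value(p):
    if p.lower().startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)

def decode_numeric_host(host):
    """Return the dotted-decimal address a resolver derives from a numeric
    host string, or None when the host is not numeric (e.g. 'www.irs.gov')."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    width = 4 - (len(values) - 1)          # bytes covered by the last part
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** width:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * width)) | values[-1]
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def check_url(url, brand_domains=("irs.gov",)):
    """Triage helper: a numeric host plus a brand domain placed in the path
    (the pattern in the email above) is the combination worth flagging.
    brand_domains is a constructed placeholder list."""
    split = urlsplit(url)
    ip = decode_numeric_host(split.hostname or "")
    brand_in_path = any(b in split.path.lower() for b in brand_domains)
    return {"ip": ip, "brand_in_path": brand_in_path,
            "suspicious": ip is not None and brand_in_path}

if __name__ == "__main__":
    # the URL from the phishing email, plus equivalent and legitimate spellings
    for u in ("http://0x7C.0xDB11D1/www.irs.gov/",
              "http://2094731729/www.irs.gov/",
              "http://www.irs.gov/"):
        print(u, check_url(u))
```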

In conclusion, this is just another phishing scam where the attackers are relying on human stupidity: clicking on a link and supplying personal information to the attackers. Please heed your IT / IS department's warnings about email scams, as they are only trying to protect you from yourself.
