IT Security Blog

12 May 2008

Whaling Scam from the US Tax Court


Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court. 

Here is an elided sample that has been received by our Threat Operations Center:

UNITED STATES TAX COURT

WASHINGTON, DC 20217

Docket No. 622-555. Filed May, 2008.

COMMISSIONER OF INTERNAL REVENUE

Petitioner.


v.


EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE

Respondent.



  PETITION

The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008



Please download a Copy of the Order, Letter, Notice or Other Document Being Appealed



This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006.  As motions, without prejudice, and remand this case to respondent.s Office of Appeals.



Respectfully submitted,

Bennett H. Klein

Tax Court Bar No KB0214

400 Second Street, N.W.,
Washington, D.C. 20217.


The link in the above sample goes to a web page hosted at the domain us-tax.org, which was just registered 4 days ago, May 8th.  Based on the format of the scam URL in the above message, this looks very much like some of the other recent executive-targeted scams (like the US District Court scam that I also blogged about) that we have seen lately.  It would not surprise me if this scam originates from the same group of people behind those scams.


*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour.  Very low volumes in an attempt to fly under the radar as much as possible.

Posted by smasiello at 10:24 AM | Link | 19 comments
Re: Whaling Scam from the US Tax Court
Does the scam email from the US Tax Court do anything malicious?
Posted by Frank Slacik on May 12, 2008 at 1:15 PM

Re: Whaling Scam from the US Tax Court
Sorry, I should have included this in my original post. The link to the us-tax.org site appears to have been taken down as of this reply, but it appeared to be hosting malware associated with the Srizbi botnet.
Posted by Sam Masiello on May 12, 2008 at 3:12 PM

Re: Whaling Scam from the US Tax Court
Hi, unfortunately, I clicked on it thinking it's a mail from US Tax dept. My IE did not allow php file to be downloaded (indicating it is not from a trusted site). Am I still in trouble?
Posted by B Khare on May 13, 2008 at 8:32 AM

Re: Whaling Scam from the US Tax Court
This can't be that hard to track down.
Who registered the us-tax.org domain? They should be in jail before the sun sets tonight.
Posted by VoiceOfReason on May 13, 2008 at 8:33 AM

Re: Whaling Scam from the US Tax Court
Ok folks.... everyone just calm down. I'm the real victim here. If you go see who the domain is registered to, you'll see my name. Yes, someone also hacked my PayPal account to pay to host this site. Sorry for whatever it may have done to each of you, but the person who has stolen my identity is wrecking my life. You wouldn't believe the amount of hate mail that I'm receiving. Thanks to whomever posted this, so I could learn more about what "I'm" responsible for.
jr
Posted by Jason Radcliff on May 13, 2008 at 1:16 PM

Re: Whaling Scam from the US Tax Court
LOL...I was actually going to email you Jason but figured you have probably received enough. Cleverly crafted delivery on the scam.
Posted by Kevin on May 13, 2008 at 1:41 PM

Re: Whaling Scam from the US Tax Court
Our company received one of these today targeted at our investor relations VP. Still linking to us-taxcourt.org, the site accepts connections but fails with a 400 error "Bad Request (Invalid Hostname)".
Posted by Paulj on May 14, 2008 at 9:10 AM

Re: Whaling Scam from the US Tax Court
I received one of these today. The giveaway that it was a "scam" was that it came to my work email address, which is not connected to my filings with the US Treasury whatsoever.
Posted by stek on May 14, 2008 at 5:17 PM

Re: Whaling Scam from the US Tax Court
Stek,

The other tipoff should be that the US Tax Court (like the other government agency scams that we have frequently written about) never communicates official matters over email. These agencies have no idea what your personal email address is, nor do they want to know. Any legitimate, official communication would be done through the postal service, and if it was important enough they would likely send it registered or certified so that you have to sign for it.
Posted by Sam Masiello on May 16, 2008 at 2:02 PM

Re: Whaling Scam from the US Tax Court
I received the spoof email this morning [subject line: "Notice of Deficiency case no. ............."] from a sender called United State Tax Court (State? not States?).

I did not open the email. I assume it's fake. The sender doesn't know that I am nine years old. My only income was about ten dollars from a lemonade stand last summer.
Posted by Robert Oyman on May 19, 2008 at 8:44 AM

Re: Whaling Scam from the US Tax Court
Just hit me today, and had a time of trying to find a link to confirm it is a scam. Finally, googling on the "commissioner" name gave a hit to your blog.

Several suspicious items flagged it right away to me:
1. The "From:" ID said "United State Tax Court", missing the second "s"
2. The "Reply to:" was a .org addy, NOT .gov
3. The link to click was to a .com URL ....
4. US Government departments (not just IRS) NEVER contact anyone by email on official business. It will be phone or registered letter.
Posted by Will Nott on May 19, 2008 at 7:56 PM
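
The indicators listed in the comment above (a near-miss display name, a non-.gov Reply-To, a non-.gov link) and the post's note that us-tax.org was only four days old can be checked mechanically. This is an added example, not part of the original post or comments; the mailbox names, case number, URL path, the 0.9 similarity cut-off and the 30-day age threshold are assumptions, and registration dates are supplied by the caller rather than looked up.

```python
import re
from datetime import date
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_NAME = "united states tax court"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Registration date and post date as stated in the blog post.
REGISTERED = {"us-tax.org": date(2008, 5, 8)}
POST_DATE = date(2008, 5, 12)

# Constructed sample: the display name, .org/.com pattern and domains follow
# the post and comments; mailbox names, case number and URL path are invented.
SAMPLE = (
    "From: United State Tax Court <notice@us-tax.org>\n"
    "Reply-To: clerk@us-tax.org\n"
    "Subject: Notice of Deficiency case no. 000-000\n"
    "\n"
    "Please download a Copy of the Order: http://ustax-courts.com/order.php\n"
)

def check_message(raw, registered, today, max_age_days=30):
    """Return indicators for a message that claims to come from the Tax Court."""
    msg = message_from_string(raw)
    hits, seen = [], []  # seen holds (where, host) pairs
    display = parseaddr(msg.get("From", ""))[0].lower()
    # A display name that is close to, but not exactly, the official name.
    if display != OFFICIAL_NAME and SequenceMatcher(None, display, OFFICIAL_NAME).ratio() > 0.9:
        hits.append("display-name-near-miss")
    for header in ("From", "Reply-To"):
        host = parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
        if host:
            seen.append((header.lower(), host))
    # Raw text of every non-multipart part (transfer encodings are not decoded).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            seen.append(("link", host.lower()))
    for where, host in seen:
        if not host.endswith(".gov"):
            hits.append(f"{where}-not-gov:{host}")
    for host in sorted({h for _, h in seen}):
        created = registered.get(host)  # assumed to come from a WHOIS lookup done elsewhere
        if created and (today - created).days <= max_age_days:
            hits.append(f"new-domain:{host}")
    return hits
```

Calling `check_message(SAMPLE, REGISTERED, POST_DATE)` returns all five indicators for the constructed sample; the non-.gov checks are only meaningful because the message claims to come from a US government body.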

Re: Whaling Scam from the US Tax Court
I received one of these emails and accidentally clicked on the link. It installed a certificate successfully, and I stopped it before it tried to install an ActiveX control.

Any advice for what I should be doing now? Destroy the laptop? De-install the certificate (I have no idea which one it was though)? Hope and pray?

I've done quite a bit of research online: there doesn't seem to be any information on what payload this installs or how to remove it.
Posted by Kevin Smith on May 20, 2008 at 9:12 AM

Re: Whaling Scam from the US Tax Court
In regards to the "us-tax.org" site being down, it appears to have been replaced by "ustaxcourt.org" which is coming up blocked on my company's spam/phishing filter.
Posted by jmacchia on May 20, 2008 at 11:31 AM

Re: Whaling Scam from the US Tax Court
I tried opening the link out of curiosity (I use a Mac) and it wouldn't let me because I didn't have IE 5.5 or higher. I admit, it was first thing in the am when I read it, so my judgement wasn't quite all there yet....I assume it didn't do anything to my computer.
Posted by shoff on May 21, 2008 at 6:25 AM

Re: Whaling Scam from the US Tax Court
Has anyone figured out how to de-activate this thing? I unfortunately opened it up.
Posted by Joe Wallace on May 21, 2008 at 6:46 AM

Re: Whaling Scam from the US Tax Court
I'm a sucker - got it on my blackberry at 7 am and went straight to my computer to see what the link was. Any info on the damage caused would be appreciated. DJ
Posted by David Jenkins on May 21, 2008 at 8:14 AM

Re: Whaling Scam from the US Tax Court
I got the same scam, but the website is now ustax-courts.com
This is registered to someone in China.

lu zhixin
zhixin lu luzhixin@yahoo.com
0516-3114698 fax: 0516-3114698
peixianchengguangdajie236hao
peixian ngsu 221600
cn
DNS is: ns1.4everdns.com

Not sure we'll get China to stop this!
Posted by Dave on May 21, 2008 at 8:45 AM

Re: Whaling Scam from the US Tax Court
I just got one today from ustax-courts.com. Had my phone number in this and everything. It's an active site. Site is registered in China. I didn't know the US outsourced our tax litigation overseas. :)
Posted by jj on May 22, 2008 at 11:41 AM

Re: Whaling Scam from the US Tax Court
Your account credentials will be captured and forwarded to a file sharing site 72.?
Posted by anonymous gmail on May 23, 2008 at 10:20 AM
