The last few years have seen a frequent favourite on the UK spam radar, the HMRC Tax Refund Email. Perhaps we are all a bit sensitive about tax issues, but each time around the media seems to pick up on the emails and make a little bit of a stir about them. But what is the big deal from a spam perspective?
Typically, switched-on recipients will know that it is spam, and a scam, for all the usual reasons: HMRC is unlikely to have your email address; it is unlikely to email you about a refund; the body has dodgy links to odd domains; it perhaps doesn’t look quite right; it perhaps contains misspelled words or grammatical errors. So given that logic and entry-level common sense should reveal such emails to be fake, why do spammers bother with them at all?
Sadly a small percentage of people lack the skills to spot the cues and question what is in front of them, and it is these trusting people who tend to get taken for a ride. They are few and far between, but with the cost of mass-emailing millions of people so low, sooner or later any spammer-scammer is going to find enough victims to make it financially worthwhile.
Let’s do the post-mortem on one of the latest HMRC refund scam emails and see how we can untangle it into the reality of what it is – spam and a scam. We will start from the top and then go sufficiently deep into the guts of the mail to get a real handle on where it came from and how it ended up in your inbox.
First of all, who is likely to get one of these emails? The truth is anyone who currently gets a reasonable level of spam. Spammers buy, sell, swap, scrape and trawl the internet for lists of email addresses, so chances are you are already a spam target. Oddly enough, your ISP’s or email provider’s spam filtering may be so good that much of this rubbish never reaches you. The side effect is that when a spam message actually makes it through and into your inbox, you may be more inclined to trust it!
Let’s take a look at a typical HMRC refund scam mail in a typical client. I’m using Evolution on Ubuntu here:
Initially it looks plausible enough – but before diving right in to claim your refund, think about the basic mechanics of it. At any point have you actually given HMRC your email address? We may live in a bit of a ‘big brother’ society, but I don’t think it is very likely that HMRC would use detective-like skills to hunt out your email address and share this good news with you! Some cynics may even suggest that HMRC are more likely to LOSE your personal data than to find it. In a nutshell, for many people it fails the basic test: “I’ve never given them my email address.”
Moving on, and starting from the top, you can see that my client gives me quite a few header lines. Not all clients do this, but I’ve set mine to show them – and in particular to show the ‘mailer’ if it is available. Let’s take a quick look at them:
From: HM Revenue & Customs <firstname.lastname@example.org>
To: undisclosed-recipients : ;
Subject: Tax Refund Notification !
Date: 17/01/12 00:49:29
Mailer: Microsoft Windows Mail 6.0.6001.18000
The first suspicious line is the ‘To’ line. The phrase ‘undisclosed-recipients’ is not something you’d ever expect to see from a correctly set-up mailing system. It stinks of spam straight away.
Next, I’m not really impressed with the subject. Why the exclamation mark? It almost says ‘You won’t believe this!’ and quite rightly, you shouldn’t.
The next thing that sticks out is the mailer – a desktop email client. Why would an organisation like HMRC use a desktop email program to fire out a bulk message to ‘undisclosed recipients’? This is probably a forged header, and the use of a desktop client is probably a rather lame attempt to help evade spam filters.
As I’ve indicated, spelling and grammar mistakes often give things away, and this is a good example of badly mangled English. Read this line and you should get the idea: “How to return itself have not changed, only the format of what you claim and how you get paid back from HMRC has changed digitally.” If I’m being picky there are others, like the sudden mid-sentence capital letter in “Ensure”.
Now we move on to the old ‘link test’. When hovering over links in HTML emails, my email client shows the target address of each link in the bottom-left status bar. The majority of the links are benign padding pointing correctly to resources at hmrc.gov.uk. Naturally the money-shot link, CLAIM MY REFUND, points somewhere completely different – in this case ‘paracamp dot com’.
By now this should have rung enough alarm bells for you to delete the mail and go back to whatever you were doing before you started dreaming of spending your imaginary tax refund.
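As an added example (not code from the original post), here is one way to automate the link test described above: a small Python script that pulls every anchor out of an HTML body, looks at where each one really points, and reports the ones whose host is not the genuine hmrc.gov.uk domain. The HTML is constructed for the example, and the rogue hostnames are example.net placeholders rather than the domain in the post. It goes slightly beyond the post in one respect: it also catches the lookalike trick of putting the real domain in front of a different one, which a naive substring check would miss.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: padding links to the genuine domain plus a
# call-to-action and a lookalike link pointing elsewhere. The rogue
# hostnames are placeholders (example.net), not the domain in the post.
SAMPLE_HTML = """<html><body>
<p>Visit <a href="https://www.hmrc.gov.uk/">HMRC</a> or read the
<a href="https://www.hmrc.gov.uk/privacy">privacy policy</a>.</p>
<p><a href="http://refund.example.net/claim.php?id=123">CLAIM MY REFUND</a></p>
<p><a href="https://hmrc.gov.uk.example.net/">Contact us</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(t for t in self._text if t)))
            self._href = None


def host_belongs_to(host, domain):
    """True only if host is domain itself or a real subdomain of it.
    A plain substring test would be fooled by hmrc.gov.uk.example.net."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, expected_domain="hmrc.gov.uk"):
    """Return (link text, hostname) for every anchor outside expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host_belongs_to(host, expected_domain):
            flagged.append((text, host))
    return flagged


if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_HTML):
        print(f"'{text}' really points at {host}")
```

Run it on the HTML part of a saved message and the two padding links pass while CLAIM MY REFUND and the lookalike Contact us link are reported with their real hosts; that is exactly the information the status-bar hover gives you, just for every link at once.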
Links & Landing Pages
I don’t recommend ever clicking on links like this – a rogue server can quickly launch a plethora of automated attacks against a web browser (Internet Explorer, Firefox, Opera, Safari, Chrome, etc.) and give an attacker access to your computer. I don’t want to scare anyone, but it is relatively fast and easy for an attacker to do this. On top of this, links like this usually bounce through a series of redirects before finally sending the victim to some malware-infested server.
Now I want to know a little more about paracamp dot com, so I run a whois lookup on it, which comes back with:
park hee taek
192-8.201ho, Paryong-dong, Changwon-si
If we do a dig/nslookup to see where the website is hosted:
;; ANSWER SECTION:
paracamp dot com 400 IN A 126.96.36.199
inetnum: 188.8.131.52 – 184.108.40.206
descr: LG DACOM KIDC
descr: KIDC, 261-1 Nonhyun-dong, Kangnam-gu, Seoul
In this case it is KIDC in Korea (220.127.116.11).
I tend to pay attention to who owns/runs the authoritative name servers for a domain AND the time to live (TTL) of the results:
;; AUTHORITY SECTION:
paracamp.com. 396 IN NS ns.webzero.kr.
paracamp.com. 396 IN NS ns2.webzero.kr.
What is noteworthy here is the relatively short TTL of 396 (it’s actually 400 seconds; the 396 is what was left in my resolver’s cache). This is about six minutes, whereas the norm is many hours. This makes it pretty much ‘fast flux’, that is, the name servers can quickly be changed if an anti-spam company starts blocking mail based on the authoritative name servers that resolve a link in an email. You typically see this method used with the actual servers hosting a landing page, so that if a provider takes a site down, the scammers can quickly redirect victims elsewhere.
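To make the TTL check repeatable, here is an added example (not from the original post) that parses the text dig prints and groups any record with an unusually short TTL by record type, so short-lived NS records and short-lived A records show up separately. The dig output is constructed for the example, modelled on the lookups above: the names and TTLs are the ones quoted there, the A record address is an RFC 5737 documentation placeholder, and the one-hour threshold is my assumption for what counts as “short”.

```python
import re

# Constructed dig output, modelled on the lookups shown in the post. The
# names and TTLs are the ones quoted there; the A record address is an
# RFC 5737 documentation placeholder, not the real host.
DIG_OUTPUT = """
;; ANSWER SECTION:
paracamp.com.\t\t400\tIN\tA\t192.0.2.10

;; AUTHORITY SECTION:
paracamp.com.\t\t396\tIN\tNS\tns.webzero.kr.
paracamp.com.\t\t396\tIN\tNS\tns2.webzero.kr.
"""

# One resource record as dig prints it: name, TTL, class, type, data.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<data>.+)$"
)

# Assumed threshold: anything under an hour is treated as unusually short.
LOW_TTL = 3600


def parse_dig(text):
    """Return (section, name, ttl, rtype, data) tuples from dig's text output."""
    section = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]  # ANSWER, AUTHORITY or ADDITIONAL
            continue
        if line.startswith(";"):
            continue  # other dig commentary (QUESTION section, stats, etc.)
        m = RR_LINE.match(line)
        if m and section:
            records.append((section, m["name"], int(m["ttl"]), m["rtype"], m["data"]))
    return records


def low_ttl_by_type(text, threshold=LOW_TTL):
    """Group records with TTL below threshold by record type, e.g. NS vs A."""
    grouped = {}
    for _section, _name, ttl, rtype, data in parse_dig(text):
        if ttl < threshold:
            grouped.setdefault(rtype, []).append((data, ttl))
    return grouped


def describe(text, threshold=LOW_TTL):
    """One human-readable line per short-lived record."""
    lines = []
    for rtype, hits in sorted(low_ttl_by_type(text, threshold).items()):
        for data, ttl in hits:
            lines.append(f"{rtype} {data}: TTL {ttl}s (~{ttl / 60:.1f} min) below {threshold}s")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(DIG_OUTPUT)))
```

The same functions work on live output: pipe `dig <domain>` into the script and feed stdin to `describe`. Short TTLs are not proof of anything on their own (content delivery networks use them too), but a throwaway domain whose name servers and web host both sit on a few-minute TTL fits the pattern the post describes.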
This is all a bit out of sync with my normal process – normally I jump straight into the source of the email and the first Received line (the rest are all forgeable, so of limited value). My client makes it easy to view the source and headers of a message; others may make users fight dragons and jump through burning hoops. Here it is:
Received: from mailforward2.unl.edu (mailforward2.unl.edu [18.104.22.168]) …. Tue, 17 Jan 2012 09:02:33 +0000 (GMT)
That IP address and server belong to (the clue is in the .edu):
OrgName: University of Nebraska-Lincoln
Address: 14th and R
I doubt that any legitimate HMRC mail would come from a US university mail relay, and it pretty much gives the game away immediately.
So there you have it: the anatomy of the average HMRC fake refund email. Next time you get one, see how many of the ‘I am spam’ tell-tale signs you can find.
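Pulling the header checks together, here is an added example (not code from the original post) that applies the tests discussed above to a raw message: the hidden ‘undisclosed-recipients’ To line, the exclamation mark in the subject, a desktop mailer used for a bulk mailing, and the first Received line, whose relay host is compared against the domain the From address claims. The message is constructed for the example: the relay hostname, subject, To and X-Mailer values are those quoted in the post, while the sender address, the receiving server, the relay IP and the second hop are placeholders. It assumes Evolution’s ‘Mailer’ column is taken from the X-Mailer header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post. The
# sender address, the receiving server, the relay IP and the second hop
# are placeholders; the relay hostname and the other values are from the post.
SAMPLE_MAIL = """\
Received: from mailforward2.unl.edu (mailforward2.unl.edu [192.0.2.25]) by mx.example.net with ESMTP id k7Hx; Tue, 17 Jan 2012 09:02:33 +0000 (GMT)
Received: from [203.0.113.9] (helo=desktop) by mailforward2.unl.edu; Tue, 17 Jan 2012 09:02:30 +0000
From: HM Revenue & Customs <refunds@example.invalid>
To: undisclosed-recipients: ;
Subject: Tax Refund Notification !
Date: Tue, 17 Jan 2012 00:49:29 +0000
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
Content-Type: text/plain

Your refund is waiting.
"""

# Desktop clients you would not expect behind a bulk mailing (assumed list).
DESKTOP_MAILERS = ("Microsoft Windows Mail", "Microsoft Outlook Express",
                   "Microsoft Office Outlook", "Thunderbird")

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write the first hop.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def host_belongs_to(host, domain):
    """True only if host is domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def header_red_flags(raw):
    """Return (check, detail) pairs for the tell-tale signs discussed above."""
    msg = message_from_string(raw)
    flags = []

    to = msg.get("To", "")
    hidden = "undisclosed-recipients" in to.lower()
    if hidden:
        flags.append(("to", "recipient list hidden: " + to.strip()))

    subject = msg.get("Subject", "")
    if "!" in subject:
        flags.append(("subject", "exclamation mark in subject: " + subject.strip()))

    # Evolution's 'Mailer' column is assumed to come from the X-Mailer header.
    mailer = msg.get("X-Mailer", "")
    if hidden and mailer.startswith(DESKTOP_MAILERS):
        flags.append(("mailer", "desktop client used for a bulk mailing: " + mailer))

    # Only the topmost Received line was written by a server you trust (your
    # own); it records which host actually connected, whatever the rest claim.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(received[0]) if received else None
    if m and not host_belongs_to(m["rdns"], sender_domain):
        flags.append(("received",
                      f"first hop {m['rdns']} [{m['ip']}] is not under {sender_domain}"))
    return flags


if __name__ == "__main__":
    for check, detail in header_red_flags(SAMPLE_MAIL):
        print(f"[{check}] {detail}")
```

The Received check is the one worth keeping even when the others are quiet: the display name and From address are trivially forged, but the topmost Received line is written by your own mail server and names the host that really handed the message over, which is why a university relay in the first hop of an HMRC mail gives the game away.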