
$109.30 in 2 minutes … IRS refunds attack

Monday, September 24, 2007 at 9:16am by Chris Barton

Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims a $109.30 refund directly to their credit card for filling in an online form. How convenient ;)

Here is an XYZ-obscured list of domains currently in use.


Example below:

IRS Phish
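The domains in this campaign share one stem behind a changing numeric prefix. As an added example (not part of the original post), the sketch below groups hostnames taken from DNS or proxy logs by that stem and reports any stem seen with several different numeric prefixes. The sample hostnames, the `min_variants` threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = [
    "10001taxrefund.example", "20417taxrefund.example",
    "3317taxrefund.example", "58120taxrefund.example",
    "www.90022taxrefund.example",
    "mail.corp.example", "2024report.example", "intranet.example",
]

# A run of 3-6 digits followed by an alphabetic stem, e.g. "3317taxrefund".
PREFIX_RE = re.compile(r"^(\d{3,6})([a-z][a-z0-9-]*)$")


def registrable_label(host):
    """Return (label, tld) using the last two labels of the hostname.

    Assumption: single-label TLDs only. A production version should use
    the Public Suffix List to find the registrable domain.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def cluster_numbered_domains(hosts, min_variants=3):
    """Group hosts by stem and keep stems with many numeric prefixes."""
    clusters = defaultdict(set)
    for host in hosts:
        label, tld = registrable_label(host)
        match = PREFIX_RE.match(label)
        if match:
            digits, stem = match.groups()
            clusters[(stem, tld)].add(digits)
    return {
        f"<digits>{stem}.{tld}": sorted(prefixes)
        for (stem, tld), prefixes in clusters.items()
        if len(prefixes) >= min_variants
    }


if __name__ == "__main__":
    for pattern, prefixes in cluster_numbered_domains(SAMPLE_HOSTS).items():
        print(pattern, len(prefixes), "variants:", ", ".join(prefixes))
```

A single numbered domain such as `2024report.example` is not reported; only a stem that recurs under several prefixes crosses the threshold.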

As is usual these days for this sort of attack, the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.

…There I go again, assuming THEY actually pay.

Oh, while we’re on the subject, F-Secure have a cute blog on using Google to catch PayPal phish. Note the “Results: 1-10” … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps ;)


Comments (3)

  • Chris Barton September 26, 2007 7:29AM

    @Michael Rowles: Thanks!
    @BelchSpeak: I wish… The data is published in SiteAdvisor, our free protection tool for browsers (and other non-free products obviously), this post is simply commentary on something interesting that is going on behind the scenes.
    As I’m sure you can appreciate, we have an additional responsibility to protect the general public by not publishing all the gory details in an instantly usable form in case they misunderstand it as an endorsement or something equally foolish. I’m sure anyone remotely technical could resolve XYZ given a little thought or data from one of the public lists within a few minutes, and as such I have pushed the publishing guidelines as far as Marcus the ed. will let me.

  • BelchSpeak September 24, 2007 1:26PM

    Know what else is for wimps? Masking the full name of malicious domains. Are you afraid the phishers might get mad and sue? Grow a set and publish useable blacklists or don’t bother making a list at all.

  • Michael Rowles September 24, 2007 12:32PM

    Chris, great post! We try and educate our customers and visitors about these types of scams as well as help them educate their users. Your info is very helpful.

    Michael Rowles
    CopiaTECH