US tax site baits hook for phishers

By Matt Whipp

Posted on 30 Nov 2005 at 17:17

A configuration error on a US government website is allowing phishers to redirect visitors to bogus sites.

The phishing emails are therefore able to meet key tests for authenticity: firstly the phishers can use a URL belonging to that domain, and simply force a redirect by additional parameters to that link.

Therefore they don't need to obscure the real web address through clever HTML, and the emails arrive as text, and advise copy and pasting the link into a browser - a better way to ensure you are not duped than simply clicking a link.

The emails inform the recipient that they have a payment from the IRS of more than $500 and are asked to paste a benefits.gov link into a browser to organise the tax refund.

However, those that use the URL are bounced straight back out again on to the phishers' bogus site, designed to look like the real thing.

The fake site asks for sensitive information such as Social Security Number and extensive credit card details.

According to Sophos' senior technology consultant Graham Cluley, the phishing site itself (pictured) is now offline. More worrying, however, is that the configuration of the government website still allows redirects of this nature.

Cluley said the mails don't appear to be widespread as yet; nor do they appear to be targeting particular domains of email addresses - the first example was picked up by Sophos's Australian labs.

'The phishers didn't need to hack into or compromise the government website to do this, the website has simply had this vulnerability on it all along,' said Cluley. 'This is a warning to every business and agency that runs a website to be very careful that it cannot be abused to bounce web surfers elsewhere.'

The IRS had not responded to requests for comment at the time of writing.