Get your taxes ready

Hey, it’s tax season again! My favorite. Right up there with DMV visits season and Jury Duty season, amirite? Of course I’m being sarcastic.

Tax season is one of the most complained-about things I hear around this time of year, from most people anyways. That being said, it's also prime phishing time for preying on people's fear of being audited and owing money. Even though Cisco Umbrella will protect you from most phishing attacks, it doesn't hurt to be aware of what's coming. Every little bit helps when it comes to keeping your sensitive personal information safe.

Below are some details about a couple of ongoing phishing campaigns. These campaigns are targeting people who file taxes and are a bit click-happy.

Landing Page

Open your inbox, click on that IRS-looking link. You might land here:

Example of IRS phishing page

Look familiar?

You might have filed taxes a dozen times and think you can't be fooled, but the figure above is a spoof. Did you notice? In fact, the figure above is just one of the hundreds of typical phishing pages we block at OpenDNS.

Information acquired from landing pages like the one above can compromise far more than one account and one credit card: it can lead to full exposure of every important account you have a password on (financial, social media, etc.). This becomes clear when you look into the phishing kit used in a recent campaign.

Phishing kit

During our investigation we were able to obtain a copy of the kit. It is a PHP-based, fully automated phishing package that lets malicious authors generate phishing pages based on the visiting user. The kit is easy to customize, and it comes with a number of phishing pages ready to be used:

Phishing kit files

The kit is designed to be deployed via automated injection into compromised domains. It uses the following techniques to block unwanted access and maintain persistence:

  • PHP scripts that dynamically check whether the remote IP address is allowed to access the phishing pages
  • Options for targeting a specific IP range
  • Blacklisting anti-phishing products and specific user-agents
  • Encrypting stolen data with AES-256

The kit seems to have been modified, but it still carries the credentials of the original author:

Creator of the kit

A quick Google search for these credentials reveals that these actors are not new to the phishing business. Campaigns carried out with the help of their products date back to September 2015.

The most recent activity, unsurprisingly, is a post on the AlphaBay forum looking for a spam vendor to drive traffic to the phishing pages.

Recent forum activity

Currently, this kit is designed to harvest credentials from bank users and people filing taxes, and we can see that more and more options are becoming available even to unskilled criminals.

Here are some tips that will hopefully keep your information safe and sound during tax season.

1) Be wary of giving out info to an incoming caller, regardless of who they say they are. These voice phishing attacks (or "vishing", as they are sometimes called) tend to be an automated recording asking you to call a number and pay a fine "OR ELSE." Even though most of them are recorded voices, don't be surprised if you get an actual human pressuring you into handing over your social security number. In either case, looking up the number for your local IRS office and calling that number instead to settle your debt (or lack thereof) is a great way to ensure that you're not speaking to a phisher trying to outsmart you. It's a process that only takes a few minutes, but could save you a lot of headaches.

Example of an IRS phish in PhishTank.

2) If you receive a link via email, always double-check the URL before divulging any information. Web-based phishes can generally be split into two categories: dedicated phishes and compromised phishes. A dedicated phish is one where the URL looks slightly similar to the company it's trying to pose as (so something like "" or ""). Compromised phishes are exactly what they sound like: a site not originally intended for phishing that's been hacked and used to host a phishing page, generally without the knowledge of the site owner. In either case, a quick look at the URL you're visiting could end up saving you lots of time and money. If the URL looks suspicious or completely different from the company they're claiming to represent, then CLOSE THE PAGE! Don't enter any information. Figure out other means of contacting them.
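As an added example (not code from the original post), here is a small Python check that sorts a URL into the two categories above, assuming irs.gov is the legitimate domain the email claims to come from; it flags the usual "dedicated phish" tricks (brand as a subdomain, brand in the userinfo part, digit/hyphen look-alikes, non-ASCII hostnames) and treats a host with no resemblance to the brand as the "compromised site" case.

```python
"""Added example: classify a URL against the brand it claims to represent.
Assumes irs.gov is the legitimate domain and uses a simplified two-label
registrable-domain rule rather than the Public Suffix List."""
import unicodedata
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "irs.gov"  # assumed legitimate domain for this example

# Digit/letter look-alikes commonly seen in dedicated phishing hostnames.
_LOOKALIKES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "8": "b"})


def _registrable(host: str) -> str:
    """'irs.gov.refund-status.com' -> 'refund-status.com' (simplified rule)."""
    return ".".join(host.split(".")[-2:])


def _skeleton(label: str) -> str:
    """Fold a host label so visually similar spellings compare equal:
    '1rs-g0v' -> 'irsgov'. Hyphens are dropped and 'rn' folded to 'm'."""
    folded = unicodedata.normalize("NFKD", label.lower()).encode("ascii", "ignore").decode()
    return folded.translate(_LOOKALIKES).replace("-", "").replace("rn", "m")


def classify_url(url: str, expected: str = EXPECTED_DOMAIN) -> tuple[str, str]:
    """Return (verdict, reason): 'legitimate', 'lookalike' (dedicated phish
    imitating the brand) or 'unrelated' (no resemblance to the brand, typical
    of a compromised site hosting a phishing page)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid", "no hostname"
    try:  # decode punycode (xn--) labels so IDN look-alikes can be inspected
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    reg = _registrable(host)
    if reg == expected:
        return "legitimate", f"registrable domain is {expected}"
    if not host.isascii():
        return "lookalike", "non-ASCII hostname imitating an ASCII brand"
    if parts.username:
        return "lookalike", f"'{parts.username}' is userinfo; the real host is {host}"
    if host.startswith(expected + ".") or ("." + expected + ".") in host:
        return "lookalike", f"{expected} appears as a subdomain of {reg}"
    brand, sld = _skeleton(expected.split(".")[0]), _skeleton(reg.split(".")[0])
    if sld == brand or sld.startswith(brand) or sld.endswith(brand):
        return "lookalike", f"'{reg}' folds to '{sld}', resembling '{brand}'"
    return "unrelated", f"{reg} has no resemblance to {expected}"
```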

3) Be wary of typos in emails asking you for your personal information. One thing that seems to be fairly consistent across phishing emails is poor grammar. I've been told in the past that it's mostly done on purpose, seeing as the people who wouldn't notice a typo would also be more likely to bite the phish bait and hand over whatever personal information is asked for. DON'T BE THAT PERSON! Most professional financial institutions wouldn't send you an email with a typo in it. I mean, they shouldn't. You would think that if they wanted to be taken seriously, they wouldn't be haphazard with their grammar, but I digress. If anything strange about the wording in an email jumps out at you, it's probably a good idea to take a closer look.

Cisco Umbrella uses the community-moderated source PhishTank and the OpenDNS Natural Language Processing (NLP) rank classifier to protect our users. We sincerely hope that this information saves you from getting phished. Your alertness and awareness of phishing attacks is just about the best tool you can have against these attackers, and following these tips alone could save you from adding more funds to the phishers' wallets.
