Computer World Canada

Canadians Duped by Tax Refund Scam

January 19, 2009 -- A new scam tries to extract personal information under the guise of the Canada Revenue Agency. What the taxman won't say in an e-mail.
A new phishing scam is circulating through Canadian inboxes, just as 2008 tax packages are arriving in the mail.
The e-mail suggests recipients are entitled to a tax refund from the Canada Revenue Agency. In order to receive the refund, users must click on an embedded link that directs them to a Web site posing as the CRA.
Visitors are prompted to fill out an online form that requests tax-related information, including Social Insurance Number, date of birth, full name and the tax amount of their returns.
“When you go to the site, the phishers have lifted all the graphics and everything from the Canada Revenue Agency site, so it all looks pretty much the same,” said Marc Fossi, manager of development in the Security Technologies and Response Organization at Symantec Corp. Two big clues point out the site's illegitimacy, according to Fossi.
“Pretty much all Canadian government agencies have a link up in the menu to the French version of that page, where it does say ‘Francais,’” Fossi said. “They were obviously using a different character set, so when they tried to get the ‘ç’ with the cedilla, they didn't have that character…instead, you see possibly a Chinese character there,” he said.
The second clue is the URL. “It's not cra-arc.gc.ca. It's actually a Web site located in Taiwan,” said Fossi.
The phishing attempt has an average level of sophistication, said Fossi.
“In this case, there's nothing that jumps out at you like misspelled words or anything like that,” Fossi said.
But the threat to Canadians is high. “With this information attackers can very easily steal the victim's tax refund and then sell all their personal information,” said Fossi.
Symantec became aware of the threat late last week.
The phishing site is currently live and there's no indication of when it will shut down. “It's kind of difficult to do a whole lot with it…in this case, it's multi-jurisdictional. It's targeting users in Canada, the e-mail message was sent from a mail server in Russia and the actual phishing Web site is hosted in Taiwan,” said Fossi.
Canada Revenue Agency is aware of the threat. The CRA becomes aware of such scams almost instantaneously because taxpayers start calling the inquiry lines to determine whether the e-mail or mail letters are legitimate, explained Peter Delis, communications manager in the Canada Revenue Agency's Ontario region.
A couple months ago, the CRA added a “Fraudulent Emails and Letters” section on its homepage in response to the recent increase in tax-related scams. “We're seeing it more often now, regardless of whether it's tax season or not. We used to see it at various times of the year, now it's popping up every month or so,” said Delis.
According to Fossi, posing as the CRA is a new twist. “I haven't had one like this drawn to my attention before,” said Fossi. “I've seen similar concepts mostly targeting Americans, like phishing attempts that claim they're coming from the IRS. But I haven't seen one that was CRA.”
The “Fraudulent Emails and Letters” section is continuously updated, but individuals questioning the validity of an e-mail or letter from the CRA should call to confirm the communication, Delis suggested.
But the request for personal information is the first indication of fraudulence. “We do not request by e-mail personal information of any kind from taxpayers,” said Delis. “That's our first clue when it comes to e-mails.”
The lock symbol is another key to determining whether a Web site requesting personal information is a sham, Fossi pointed out. “Generally when you get any legitimate Web site that's asking you to fill out that information, you get the lock symbol on your browser saying it's a secure page. In this case, it's not,” he said.
But a secure site doesn't guarantee legitimacy, as attackers are sophisticated enough to set up secure phishing sites, warned Fossi. “Some people, they just look for that lock…if their particular browser tells them it's a secure site, they might just go, ‘Oh, it's secure, so it's safe.’
“We did a whole report on the underground economy back in November and we see phishing kits being sold online. They're sort of ready-made kits that include everything you need to launch a phishing attack,” said Fossi.
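The clues Fossi lists above (a host that is not cra-arc.gc.ca, a “Français” menu label mangled by a wrong character set, and a lock icon that proves nothing on its own) can be turned into a small triage check for a suspect page. This Python is an added example, not code from the article, Symantec or the CRA; the sample page and its example.invalid host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "cra-arc.gc.ca"  # the agency's real host, as named in the article

class _LinkCollector(HTMLParser):
    """Collect anchor hrefs and visible text from a suspect page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.texts = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
    def handle_data(self, data):
        self.texts.append(data)

def host_is_legit(url):
    """True only if the URL's host is cra-arc.gc.ca or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def french_label_corrupted(text):
    """Flag a 'Français' menu label whose cedilla was mangled by a charset mismatch:
    the real label (or plain-ASCII 'Francais') passes; any other glyph where the
    ç should sit, such as the CJK character the article mentions, is suspect."""
    m = re.search(r"Fran(.{1,3}?)ais", text)
    return bool(m) and m.group(1) not in ("ç", "c")

def triage(html, page_url):
    """Return the warning signs found; an empty list is not proof of legitimacy."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    if not host_is_legit(page_url):
        findings.append("page host is not " + LEGIT_DOMAIN)
    for h in p.hrefs:
        if h.startswith(("http://", "https://")) and not host_is_legit(h):
            findings.append("off-domain link: " + h)
    if french_label_corrupted("".join(p.texts)):
        findings.append("'Français' label has a corrupted cedilla (charset mismatch)")
    if findings and page_url.startswith("https://"):
        findings.append("https lock present, but it does not vouch for the site")
    return findings

# Constructed sample imitating the article's description; the host is a placeholder.
SAMPLE_PAGE_URL = "https://refund.example.invalid/cra/"
SAMPLE_HTML = ('<a href="https://refund.example.invalid/cra/fr/">Fran\u4e2dais</a>'
               '<a href="https://refund.example.invalid/cra/form">Claim your refund</a>')
```

Calling `triage(SAMPLE_HTML, SAMPLE_PAGE_URL)` reports the off-domain host and links, the corrupted label, and that the https lock does not rescue the page; a correctly labelled page on cra-arc.gc.ca returns no findings.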