Fake Council Tax Refund Phishing Scam


I was sent the details of a very interesting and extremely well-done phishing scam that pretends to be a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam and copied the genuine Gov.uk site almost exactly, complete with all branding and Postcode lookup.

I don’t have the original email, so I can’t get any sender’s details or what the email said. I do have an image of the PDF that was attached to the email. I am assuming it was pretending to come from HMRC in some way.

The scammer has gone to extremes to make this as believable as possible. He has also made it slightly more difficult for a researcher to follow the trail or see exactly what happens. One of the ways this is done is to divert a known IP or one that has previously contacted the initial URL to the genuine Gov.uk site.

Screenshot of PDF attachment

fake Council Tax refund PDF attached to scam, phishing email

The link in the PDF goes through three hops:

http://payment34956273.from-ny.net/ is a hostname on a dynamic DNS service run by Dyn DNS services, and just redirects you to the site the scammer has chosen.
http://khalsacare.com/council/ sets a cookie with a PHP session ID and then redirects to the final site. (This site was registered on 22 Feb 2019 via GoDaddy as registrar and is also hosted on the GoDaddy network.)
https://yourcouncil.city/ is the phishing site itself. (This was registered on 19 April 2019 via GoDaddy as registrar and is also hosted on the GoDaddy network.)
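
The redirect chain above and the repeat-visitor diversion described earlier can both be checked from recorded browsing data. The following is an added example, not code from the original post: the function names, the one-entry dynamic DNS suffix list and the repeat-visit chain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a hand-maintained suffix list; from-ny.net is the one this post names.
DYNAMIC_DNS_SUFFIXES = ("from-ny.net",)
GENUINE_SUFFIX = "gov.uk"

# The chain described above, then a constructed repeat visit from the same IP.
FIRST_VISIT = [
    "http://payment34956273.from-ny.net/",
    "http://khalsacare.com/council/",
    "https://yourcouncil.city/",
]
REPEAT_VISIT = ["http://payment34956273.from-ny.net/", "https://www.gov.uk/"]


def host(url):
    return (urlsplit(url).hostname or "").lower()


def under(hostname, suffix):
    # Match on a label boundary so "notgov.uk" does not pass as "gov.uk".
    return hostname == suffix or hostname.endswith("." + suffix)


def chain_findings(chain):
    """Return reasons a recorded redirect chain (ordered URLs) deserves a closer look."""
    if not chain:
        return []
    hosts = [host(u) for u in chain]
    findings = []
    if any(under(hosts[0], s) for s in DYNAMIC_DNS_SUFFIXES):
        findings.append("entry point is a dynamic DNS hostname")
    if len(set(hosts)) >= 3:
        findings.append(f"redirects cross {len(set(hosts))} distinct hosts")
    if not under(hosts[-1], GENUINE_SUFFIX):
        findings.append(f"landing host {hosts[-1]} is not under {GENUINE_SUFFIX}")
    return findings


def looks_cloaked(first_visit, repeat_visit):
    """Same entry URL lands off gov.uk first, then on gov.uk when revisited."""
    if not first_visit or not repeat_visit or first_visit[0] != repeat_visit[0]:
        return False
    return (not under(host(first_visit[-1]), GENUINE_SUFFIX)
            and under(host(repeat_visit[-1]), GENUINE_SUFFIX))
```

A clean result on a second visit is therefore not evidence that the link was harmless; compare it against the first recorded chain.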

I also ran the links through Anyrun, which also shows that this phishing site is able to misuse a large part of the genuine Gov.uk site, stealing the images, layout and display from gov.uk because there are no blocks on the gov.uk site stopping unauthorised and unapproved users from hot-linking to the information and displaying it on any site anywhere. The UK Government can go a long way in helping to stop scams like this if they prevent hotlinking of images and set site origins on script files so they can only be used on approved sites on the gov.uk domain.

If you follow the link inside the pdf you see a web page looking like this, asking you to start with your Postcode:

In this case I have inserted fake details for a resident of Number 10 Downing Street (the Prime Minister’s residence).

Fake Council Tax refund site

Next, it looks up the postcode and says which council it belongs to.

Fake Council Tax refund site

Next it asks for name, address, phone number, date of birth, email address and mother’s maiden name.

Fake Council Tax refund site

Next come the financial details.

Fake Council Tax refund site

Next you get a success page saying that you won’t be refunded until the due date and you will be diverted to the home page. You are then sent to the genuine gov.uk website.

This final page on the phishing website is the only page that doesn’t match up properly & instead of the name of your council, it gives XXX council.

Fake Council Tax refund site

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking login details.

Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.



