I was sent the details of a very interesting and extremely well done phishing scam that pretends to be a Council Tax refund. The scammers have chosen an extremely good domain name for the scam and copied the genuine Gov.uk site almost exactly, complete with all branding and the postcode lookup.
I don’t have the original email, so I can’t get any sender’s details or see what the email said. I do have an image of the PDF that was attached to the email. I am assuming it was pretending to come from HMRC in some way.
The scammer has gone to extremes to make this as believable as possible. He has also made it slightly more difficult for a researcher to follow the trail or see exactly what happens: one of the ways this is done is to divert a known IP, or one that has previously contacted the initial URL, to the genuine Gov.uk site.
Screenshot of PDF attachment
The link in the PDF goes to http://payment34956273.from-ny.net/, a hostname on a dynamic DNS service run by Dyn DNS services that simply redirects you to the site the scammer has chosen.
That is http://khalsacare.com/council/ (registered on 22 Feb 2019 via Godaddy as registrar and also hosted on the Godaddy network), which sets a cookie containing a PHP session id and then redirects to
https://yourcouncil.city/ (registered on 19 April 2019 via Godaddy as registrar and also hosted on the Godaddy network).
I also ran the links through Anyrun, which shows that this phishing site is able to misuse a large part of the genuine Gov.uk site: it steals the images, layout and display from gov.uk because nothing on the gov.uk site stops unauthorised and unapproved users from hot-linking to that content and displaying it on any site anywhere. The UK Government could go a long way towards stopping scams like this by preventing hotlinking of images and setting origin restrictions on script files so they can only be used on approved sites on the gov.uk domain.
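A simple server-side hotlink check of the kind the paragraph above asks for, written as an added example (it is not gov.uk's configuration and not code from the original post); the approved domain, asset paths and sample requests are assumptions, and the Cross-Origin-Resource-Policy header is included as a browser-enforced second layer because a Referer check alone is easily bypassed:

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy for illustration, not gov.uk's actual configuration:
# only these domains (and their subdomains) may embed the protected assets.
APPROVED_SUFFIXES = ("gov.uk",)
PROTECTED_PREFIXES = ("/assets/", "/images/", "/static/")  # assumed paths

def referer_host(referer: Optional[str]) -> Optional[str]:
    """Lower-cased host of a Referer header; None if absent or unparseable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def is_approved_site(host: str) -> bool:
    """True for an approved domain or a subdomain of it. The leading dot
    matters: a bare endswith("gov.uk") would also accept "notgov.uk"."""
    return any(host == s or host.endswith("." + s) for s in APPROVED_SUFFIXES)

def allow_asset_request(path: str, headers: dict) -> bool:
    """Server-side hotlink check. Only static assets are protected; a missing
    Referer is allowed so direct visits and privacy-stripped referers still
    work; a Referer from any other site is refused, which breaks a cloned
    page's <img>/<script> tags that point back at the genuine site."""
    if not path.startswith(PROTECTED_PREFIXES):
        return True
    host = referer_host(headers.get("Referer"))
    if host is None:
        return True
    return is_approved_site(host)

def asset_response_headers() -> dict:
    """Second layer sent with every asset: Referer checks are easy to defeat
    (the header can be stripped, or the files simply copied), so also tell
    browsers to refuse cross-site embedding of the resource outright."""
    return {"Cross-Origin-Resource-Policy": "same-site"}

# Constructed sample requests: genuine site, cloned page, lookalike, no Referer.
SAMPLE_REQUESTS = [
    ("/assets/images/crest.png", {"Referer": "https://www.gov.uk/council-tax"}),
    ("/assets/images/crest.png", {"Referer": "https://yourcouncil.city/"}),
    ("/assets/govuk.js", {"Referer": "https://notgov.uk/"}),
    ("/assets/govuk.js", {}),
]

def decisions() -> list:
    """Apply the check to each sample request; returns the allow/refuse list."""
    return [allow_asset_request(p, h) for p, h in SAMPLE_REQUESTS]
```

Allowing requests with no Referer keeps the site usable for visitors whose browsers strip the header, at the cost of not catching a clone that does the same, which is why the response header matters.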
If you follow the link inside the PDF you see a web page looking like this, asking you to start with your postcode:
In this case I have inserted fake details for a resident of Number 10 Downing Street (the Prime Minister’s residence).
Next, it looks up the post code & says which council it belongs to
Next it asks for name, address, phone number, date of birth, email address, mother’s maiden name
Next comes the financial details
Next you get a success page saying that you won’t be refunded until the due date and that you will be diverted to the home page. You are then sent to the genuine gov.uk website.
This final page on the phishing website is the only page that doesn’t match up properly: instead of the name of your council, it says XXX council.
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, a more targeted message aimed at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type they use every day, or a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details. Be very careful when unzipping attachments and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.