Spoofed HM Revenue & Customs Secure Communication delivers Dridex — 5 Comments

  1. Thanks for the warning! I just got an exact copy of this, even down to the fake HMRC document no. Neither of my 2 antivirus packages was able to detect it. I was waiting for a phone call from HMRC at the time and nearly got taken in, but became suspicious when Open Office warned me that it contained macros.

  2. Yes had one y’day. The date was ok but the time way out. Viewed the headers and was suspicious. So went to forward it to Spamcop. Then System Mechanic kicked in and declared the infection was blocked and could not forward the email. Googled ‘’ and found this site. Thanks very much.

  3. This is another indication of how the Internet Service and Security providers are failing the general public.

    This email appears to have been sent by a computer pretending to be from the domain (U.K. government domain addresses are from the TLD It was registered by a fictitious name HMRC Secure Communications who used enom (a part of Rightside) to register and keep their address hidden. The domain was registered on 19th December 2016.

    They appear to have immediately mail bombed the internet using open SMTP servers which did not check back using SPF or DKIM checking services.

    The domain was probably registered using a credit card that had been stolen so the original perpetrator is likely never to get caught.

    If everyone configured their mail servers to only allow authorised connections to their SMTP servers, and relaying only from services that had bona-fide MX handlers, much of this garbage could be prevented.

    Then at the SMTP server end, ensure your hosting provider uses an anti-spam service such as SpamAssassin or BoxTrapper, and ensure they fully implement SPF and DKIM; we might see much less of these opportunistic mail attacks.
