Email Attacks Use Fake VAT Returns to Deliver Malware

Domain-based Message Authentication, Reporting and Conformance (DMARC) is designed to stop phishing. One of the most phished domain names in the world is the UK tax office, HMRC (@HMRC.gov.uk). HMRC has implemented DMARC to counter this phishing, and in November 2016 it announced, “We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.”

But DMARC is clearly no silver bullet. On October 13, 2017, Trustwave’s SpiderLabs described a very recent, albeit short-lived, HMRC-based phishing campaign. “On 6th September, 2017, scammers launched a phishing attack using spoofed e-mail messages appearing to come from a HMRC support service domain and containing links to the infamous JRAT malware disguised as a VAT return document.”

On that same day, the scammers registered the HMRC-lookalike domain hmirc-gov.co.uk through the registrar LCN and sent the phishing messages from it. The messages purported to come from ‘HMRC Business Help and Support Email’ and carried the subject ‘VAT Return Query’.

The content says, “Thank you for sending you VAT Return Online but there some queries about your submission. Kindly review the outlined errors in the attached document, correct and resubmit.” It contains just two easily missed typographical/grammatical errors.

In reality, there is no attachment to the email. “The illusion of the attachment that can be seen in the message body,” writes SpiderLabs, “is achieved using an embedded HTML image that is rigged with a URL pointing to the Microsoft OneDrive file sharing service.” Clicking the non-existent attachment takes the user to OneDrive, which automatically downloads a file labeled ‘VAT RETURN QUERY.ZIP’.

That file contains the JRAT bot. This version has an anti-analysis mechanism: it registers the process name under the ‘Image File Execution Options’ (IFEO) registry key, whose Debugger value makes Windows launch the named “debugger” in place of the requested program, so that scvhost.exe is executed instead of the analysis tool.
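The IFEO trick above is easy to check for after the fact. The following script is an added example, not code from the article or from Trustwave’s analysis: it parses the text of a `reg export` dump of the IFEO key (so it runs on any platform, without touching a live registry) and flags every subkey whose Debugger value redirects a tool to something that is not a known debugger. The export text, the hijacked tool names and the “known debugger” list are constructed assumptions for illustration, not values taken from the sample.

```python
"""Added example (not from the article or Trustwave's write-up): detect
IFEO 'Debugger' hijacks in a constructed 'reg export' dump."""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed export text (assumption). Two subkeys carry a Debugger value
# that redirects the tool to a system-looking binary; that is the pattern
# worth alerting on. The third subkey is benign noise.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\System32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text.
    Only the syntax needed here (quoted strings and dword values) is handled;
    .reg files double every backslash inside string data, so undo that."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_ifeo_debuggers(keys):
    """Return [(target_exe, debugger)] for every IFEO subkey with a Debugger
    value. Each such entry makes Windows run `debugger` whenever target_exe
    is launched, which is exactly the hijack described for JRAT."""
    hits = []
    prefix = IFEO_PREFIX.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "Debugger" in values:
            hits.append((path.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


def suspicious(hits):
    """Keep only entries whose Debugger is not a recognised debugger binary.
    The allow-list is an assumption for this example; tune it per estate."""
    known_debuggers = {"windbg.exe", "vsjitdebugger.exe", "cdb.exe", "ntsd.exe"}
    out = []
    for target, dbg in hits:
        base = dbg.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in known_debuggers:
            out.append((target, dbg))
    return out


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for target, dbg in suspicious(find_ifeo_debuggers(parsed)):
        print(f"IFEO hijack: launching {target} runs {dbg!r} instead")
```

On a live Windows host the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, and the check is worth repeating under the Wow6432Node path on 64-bit systems.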

DMARC can prevent phishing from genuine domains, but cannot prevent phishing from lookalike domains. When SecurityWeek checked the lookalike today, it found the LCN parked page. Technically, it is still registered to the scammers, but with no content. An LCN spokesperson told SecurityWeek that the registrar had actually suspended the account after receiving an email on September 7 suggesting something ‘fishy’ about the domain name. This was just one day after the campaign had begun.

LCN was unable to provide any details on who had registered the domain because it had been registered with ‘privacy’ — although it is doubtful whether any details would be accurate. After speaking to SecurityWeek, the LCN spokesperson admitted that the domain should not be reachable, and within five minutes it had disappeared from the internet.


What this episode indicates is that DMARC alone is not sufficient to prevent phishing. It can stop spoofing of any domain the targeted organization owns and publishes an enforcing policy for, because a receiver checks that the visible From domain is aligned with a domain that passed SPF or DKIM; a look-alike domain is a different domain entirely, with its own (or no) policy, so the check never applies to it. Large and important brands, like HMRC, can try to prevent the availability of look-alikes by registering them themselves or by liaising with registries to prevent them being sold, but, as this incident shows, it is an almost impossible task.
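To make the distinction concrete, here is an added example (not code from the article, from HMRC or from any mail receiver) that walks three messages through a minimal DMARC evaluation: a direct spoof of hmrc.gov.uk, a genuine HMRC message, and one sent from the attacker-owned look-alike. DNS is replaced by a constructed in-memory table; the hmrc.gov.uk record is shaped like a real enforcing record but its tag values, and the sending domains, are assumptions for illustration. The organizational-domain reduction is a deliberate shortcut (real code uses the Public Suffix List).

```python
"""Added example: DMARC policy discovery + identifier alignment, showing why
p=reject protects hmrc.gov.uk itself but says nothing about hmirc-gov.co.uk."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups (assumption, not real records).
FAKE_DNS_TXT = {
    "_dmarc.hmrc.gov.uk": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.invalid",
    "_dmarc.hmirc-gov.co.uk": None,   # attacker-registered look-alike: no DMARC record at all
}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; adkim=...' into a dict. Missing alignment
    tags default to relaxed ('r'), as RFC 7489 specifies."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Naive organizational domain: last two labels, or three for a
    .co.uk / .gov.uk style suffix. Shortcut for the example only."""
    labels = domain.lower().rstrip(".").split(".")
    two_part = {"co.uk", "gov.uk", "org.uk", "ac.uk"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_part:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str                 # domain of the RFC5322.From header (what the user sees)
    spf_domain: Optional[str]        # MAIL FROM domain that passed SPF, or None
    dkim_domain: Optional[str]       # d= of a DKIM signature that verified, or None


def evaluate(msg, dns=FAKE_DNS_TXT):
    """Return (disposition, reason). 'none' means no policy was found, so the
    receiver has nothing to enforce and the message is handled as ordinary mail."""
    txt = dns.get("_dmarc." + msg.header_from.lower())
    if not txt:
        return "none", "no DMARC record for " + msg.header_from
    policy = parse_dmarc(txt)
    spf_ok = aligned(msg.header_from, msg.spf_domain, policy["aspf"])
    dkim_ok = aligned(msg.header_from, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned via " + ("SPF" if spf_ok else "DKIM")
    return policy["p"], "no aligned authenticated identifier"


if __name__ == "__main__":
    # Direct spoof: SPF may pass for the attacker's own bounce domain, but it
    # is not aligned with hmrc.gov.uk, so the p=reject policy applies.
    print(evaluate(Message("hmrc.gov.uk", "mail.attacker.invalid", None)))
    # Genuine HMRC mail: a DKIM signature with d=hmrc.gov.uk is aligned.
    print(evaluate(Message("hmrc.gov.uk", None, "hmrc.gov.uk")))
    # Look-alike the attacker controls: no record, no policy, delivered.
    print(evaluate(Message("hmirc-gov.co.uk", "hmirc-gov.co.uk", None)))
```

Note the third case: the attacker could equally publish a valid SPF record and a p=reject DMARC record for hmirc-gov.co.uk and the message would pass cleanly, because every check is scoped to the domain in the From header, and that domain is theirs.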

The problem is so severe that Switzerland-based security firm High-Tech Bridge offers a free AI-based service called Trademark Abuse Radar, that will search for potentially dangerous domains. A search on ‘HMRC’ today returned a list of 7 HMRC-related domains that appear to be used for cyber-squatting and typosquatting purposes, and a further 24 domains “that seem to be used to conduct phishing attacks against tested domain name or brand.”
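Searching for such domains does not require an AI service; the core of it is string similarity against the brand, which is what this added example shows (it is not High-Tech Bridge’s code or the article’s). It classifies a constructed list of registrations as typosquats (one edit, transposition or homoglyph away from the brand label, once hyphens and the genuine domain’s suffix labels are stripped) or brand-in-domain cybersquats (the brand label embedded in a longer name). The candidate domains, the homoglyph table and the distance threshold are assumptions for illustration; a real feed would be a newly-registered-domain list or certificate-transparency logs.

```python
"""Added example: look-alike domain classification against a brand."""
import re

# Constructed candidate list (assumption); hmirc-gov.co.uk is the one named
# in the article, the rest illustrate other common squatting patterns.
CANDIDATES = [
    "hmrc.gov.uk",          # the genuine domain
    "hmirc-gov.co.uk",      # the campaign's look-alike
    "hm-rc.co.uk",          # hyphen inserted inside the brand
    "hrmc-online.co.uk",    # adjacent letters transposed
    "hrnrc-tax.com",        # 'rn' homoglyph for 'm'
    "hmrc-refund.com",      # brand used verbatim inside a longer name
    "myhmrcportal.net",     # brand embedded without separators
    "example.com",          # unrelated
]

TWO_PART_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk"}


def split_domain(domain):
    """(second-level label, public suffix) with a naive two-part suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def normalize(label):
    """Fold common homoglyph substitutions (assumed table) to their targets."""
    label = label.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(src, dst)
    return label


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'hrmc' is one edit from 'hmrc'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, brand="hmrc", legit="hmrc.gov.uk", max_edits=1):
    """Return 'legitimate', 'typosquat', 'brand-in-domain' or 'clean'."""
    if candidate.lower().rstrip(".") == legit:
        return "legitimate"
    sld, _suffix = split_domain(candidate)
    _legit_sld, legit_suffix = split_domain(legit)
    tokens = [t for t in re.split(r"[^a-z0-9]+", sld.lower()) if t]
    if brand in tokens:
        return "brand-in-domain"
    # Any hyphen-separated token that is a near-miss of the brand.
    for t in tokens:
        if len(t) >= len(brand) and damerau_levenshtein(normalize(t), brand) <= max_edits:
            return "typosquat"
    # Collapse separators and strip the genuine domain's suffix labels
    # ('gov', 'uk') so that 'hmirc-gov' is compared as 'hmirc'.
    core = normalize("".join(tokens))
    for lbl in reversed(legit_suffix.split(".")):
        if core.endswith(lbl) and len(core) > len(lbl):
            core = core[: -len(lbl)]
    if damerau_levenshtein(core, brand) <= max_edits:
        return "typosquat"
    if brand in core:
        return "brand-in-domain"
    return "clean"


def scan(domains, **kw):
    """Map each candidate to its classification."""
    return {d: classify(d, **kw) for d in domains}


if __name__ == "__main__":
    for domain, verdict in scan(CANDIDATES).items():
        print(f"{domain:22s} {verdict}")
```

The two categories map onto the split the article reports: typosquats are the ones a user mistypes or misreads, while brand-in-domain registrations are the raw material for phishing sender addresses and landing pages. Either way the next step is the same as in this incident: a takedown request to the registrar, which here took effect within a day.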

SecurityWeek asked HMRC to comment on this incident, but has not yet had a reply. If anything is received it will be added to this article.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
