
Email Attacks Use Fake VAT Returns to Deliver Malware

Domain-based Message Authentication, Reporting and Conformance (DMARC) is designed to stop phishing. One of the most phished domain names in the world is the UK tax office, HMRC (@HMRC.gov.uk). HMRC has implemented DMARC to counter this phishing, and in November 2016 it announced, “We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.”

But DMARC is clearly no silver bullet. On October 13, 2017, Trustwave’s SpiderLabs described a very recent, albeit short-lived, HMRC-based phishing campaign. “On 6th September, 2017, scammers launched a phishing attack using spoofed e-mail messages appearing to come from a HMRC support service domain and containing links to the infamous JRAT malware disguised as a VAT return document.”

On that same day, the scammers registered the HMRC-lookalike domain hmirc-gov.co.uk through the LCN registrar. The phishing messages were sent to targets from this domain, purporting to come from ‘HMRC Business Help and Support Email’ with the subject ‘VAT Return Query’.

The content says, “Thank you for sending you VAT Return Online but there some queries about your submission. Kindly review the outlined errors in the attached document, correct and resubmit.” It contains just two easily missed typographical/grammatical errors.

In reality, there is no attachment to the email. “The illusion of the attachment that can be seen in the message body,” writes SpiderLabs, “is achieved using an embedded HTML image that is rigged with a URL pointing to the Microsoft OneDrive file sharing service.” Attempting to access the non-existent attachment points the user to the OneDrive service and automatically downloads a file labeled ‘VAT RETURN QUERY.ZIP’.

That file contains the JRAT bot. This version has an anti-analysis mechanism and adds the process name to the ‘Image File Execution’ registry key so that scvhost.exe is executed instead.

DMARC can prevent phishing from genuine domains, but cannot prevent phishing from lookalike domains. When SecurityWeek checked the lookalike today, it found the LCN parked page. Technically, it is still registered to the scammers, but with no content. An LCN spokesperson told SecurityWeek that the registry had actually suspended the account after receiving an email on September 7 suggesting something ‘fishy’ about the domain name. This was just one day after the campaign had begun.

LCN was unable to provide any details on who had registered the domain because it had been registered with ‘privacy’ — although it is doubtful whether any details would be accurate. After speaking to SecurityWeek, the LCN spokesperson admitted that the domain should not be reachable, and within five minutes it had disappeared from the internet.

What this episode indicates is that DMARC alone is not sufficient to prevent phishing. It can stop phishing from any domain owned by the spoofed organization, but cannot prevent phishing from look-alike domains. Large and important brands, like HMRC, can try to prevent the availability of look-alikes by registering them themselves or by liaising with registries to prevent them being sold — but, as this incident shows, it is an almost impossible task.
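To make the distinction concrete, here is an added example (not SecurityWeek’s or Trustwave’s code) that simulates relaxed DMARC alignment and then applies a simple brand-lookalike check. The authentication results are constructed and no DNS lookups are made; the organizational-domain rule for gov.uk/co.uk is a stand-in for the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

UK_SUFFIX_LABELS = {"gov", "co", "ac", "org"}  # constructed shortcut for gov.uk, co.uk, ...

@dataclass
class AuthResult:
    from_domain: str           # domain in the From: header the recipient sees
    spf_domain: Optional[str]  # domain SPF authenticated, None if SPF failed
    dkim_domain: Optional[str] # d= of a valid DKIM signature, None if none

def org_domain(domain: str) -> str:
    """Organizational domain: last two labels, or three under gov.uk/co.uk-style
    suffixes. Constructed rule standing in for the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    uk = len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SUFFIX_LABELS
    return ".".join(labels[-3:] if uk else labels[-2:])

def dmarc_pass(r: AuthResult) -> bool:
    """Relaxed DMARC alignment: pass if SPF or DKIM authenticated a domain in the
    same organizational domain as From:. It never asks whether that domain is the brand."""
    target = org_domain(r.from_domain)
    return any(d is not None and org_domain(d) == target
               for d in (r.spf_domain, r.dkim_domain))

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalike(domain: str, protected: str, max_dist: int = 1) -> bool:
    """True if the sender's registrable label (hyphens dropped, so 'hmirc-gov'
    becomes 'hmircgov') contains a substring within max_dist edits of the brand label."""
    if org_domain(domain) == org_domain(protected):
        return False  # the genuine domain: DMARC already covers it
    brand = org_domain(protected).split(".")[0]
    label = org_domain(domain).split(".")[0].replace("-", "")
    for size in range(len(brand) - 1, len(brand) + 2):
        for start in range(len(label) - size + 1):
            if levenshtein(label[start:start + size], brand) <= max_dist:
                return True
    return False
```

Run against the campaign’s domain, `dmarc_pass(AuthResult("hmirc-gov.co.uk", "hmirc-gov.co.uk", None))` is True because the scammers controlled that domain’s own SPF, while `brand_lookalike("hmirc-gov.co.uk", "hmrc.gov.uk")` flags it.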

The problem is so severe that Switzerland-based security firm High-Tech Bridge offers a free AI-based service called Trademark Abuse Radar, which searches for potentially dangerous domains. A search on ‘HMRC’ today returned a list of 7 HMRC-related domains that appear to be used for cyber-squatting and typosquatting purposes, and a further 24 domains “that seem to be used to conduct phishing attacks against tested domain name or brand.”

SecurityWeek asked HMRC to comment on this incident, but has not yet had a reply. If anything is received it will be added to this article.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
