Tax Phishing Campaign Reminds of DMARC Limitations

April is a time for tax-related phishing scams, and we haven’t been let down this year despite the dominance of COVID-19-themed phishing campaigns. DMARC should stop phishing, right? Not unless the targeted domain itself is spoofed.

Security firm Abnormal Security discovered a phishing email giving a single day for the recipient to respond and claim an outstanding tax rebate from HMRC (the UK tax authority) for ‘550.11 GBP’. The email contains an obfuscated link to a webpage masquerading as a Gov.uk page. That landing page requests full card and bank details in order to progress the refund.

The text of the email is not bad as phishing scams go — with just a few grammatical errors and inconsistencies. These could easily be missed by anyone excited by the chance of gaining more than £500 (approximately $625) and activated by the short lead time. Greed and urgency are two of the classic spurs used by scammers.

The landing page is even more convincing than the email; clear, well laid out and exactly what the victim might expect from a government department. If fooled, the victim will not receive a £550 refund, but would likely lose even more.

What is particularly interesting about this phishing attempt, however, is that HMRC is fully DMARC protected — that is, DMARC is implemented at the strongest enforcement level. The purpose of DMARC is to stop phishing — which it clearly has not done in this example. The reason is that DMARC blocks only phishing emails that pretend to come from the genuine domain. This comprises approximately two-thirds of all phishing attempts; leaving one-third unblocked by DMARC.

After implementing DMARC, HMRC Digital blogged in November 2016, “We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.” DMARC works where it is designed to work.

The hidden danger, however, is that the phishers will simply put more social engineering effort into masquerading as an associated domain that could be accepted as genuine. In this instance, the email claims to come from ‘Service-Center-Online-Office-Ref-No [email protected]’. The dot-be suffix is a give-away, since the victim should hardly expect a Belgian domain to be involved with UK tax refunds.

Nevertheless, the principle is clear– phishers do not need to spoof the exact domain name if they can use a different domain that might be accepted as reasonable. This may become an unavoidable effect of the increasing use of DMARC to block exact domain name spoofing: criminals will migrate to alternative (but acceptable) domain names that are untouched by DMARC controls.

Related: Threat From Spoofed Emails Grows, While DMARC Implementation Lags 

Related: Nearly 1 Million Domains Use DMARC, but Only 13% Prevent Email Spoofing 

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely 

Related: Presidential Candidates’ Use of DMARC Improves, but Short of Optimum