HMRC Smishing Tax Scam Targets UK Banking Customers

An advanced HM Revenue and Customs (HMRC) tax rebate scam is targeting UK residents this week via text messages (SMS).

The campaign is concerning because it employs multiple HMRC phishing domains and tactics, with new domains added every day as older ones get flagged by spam filters.

Not only do the phishing pages mimic HMRC’s web interface meticulously, they also have entire online banking workflows built into them, selected according to the victim’s banking provider.

Starts with a ‘text rebate’ SMS

As observed by BleepingComputer, the smishing scam starts with a text message informing the recipient that they are eligible for a tax rebate as they had paid “emergency tax” this year.

Smishing text message scam informs users they are eligible for a refund
Source: BleepingComputer

You would think a user would know better than to click a .com domain when accessing government services. However, some UK government services are in fact offered to the public via “.com” domains.

One such example is householdresponse.com, which mimics the GOV.UK color scheme and UI so well that it once had me fooled as to whether it was a phishing domain.


Yet householdresponse.com is an entirely legitimate website used by the UK government to collect updates on household voter information from residents.

BleepingComputer has also come across variations of this smishing campaign that employ scaremongering tactics, such as texting the user with: “HMRC records show that you are owed a tax repayment of £XXX.XX Failure to submit the return could lead to a fine. Please continue via hmrc.help-rebate.com …”

Targets online banking customers, based on the sort code

On clicking the link in the message, the user is taken to what looks like a GOV.UK site.

But this isn’t a basic one-page phishing form. The workflow employed by this campaign spans multiple steps and pages.

It starts with a simple Tax Refund claim form asking for the user’s name and postcode.

Phishing page as observed on an Android device
Source: BleepingComputer

At the next step, the form shows a randomly picked refund amount between £200 and £400 that the taxpayer is supposedly eligible to claim.

Random refund amounts between £200 and £400 shown to the user

On clicking “Start,” the subsequent pages collect a considerable amount of information from the unsuspecting user.

The details collected by this campaign include, but are not limited to, the following, depending on which phishing domain the victim lands on:

  • full name
  • date of birth
  • home address
  • phone number
  • email address and passwords
  • credit card information
  • bank account information: sort code and account number
  • online banking credentials
  • National Insurance Number (NINo)
  • Passport number
  • Driving licence number
  • memorable words and/or answers to security questions, such as mother’s maiden name
  • 2-factor codes generated by online banking hardware devices (security tokens and card readers)

The phishing pages also have input validation built in, so entering invalid values for certain fields throws errors. This validation may further convince a user that the webpage is legitimate.

The more dangerous part begins once the user has submitted some of this information.

A “processing” interstitial page is shown while some of the fields gathered so far are validated.

User is redirected to either an online banking phishing page or the GOV.UK site

In tests by BleepingComputer, the workflow exited at this step, and the user was redirected to the real HMRC website.

However, in other tests where a real bank branch sort code was entered and the remaining test data looked ‘real’ enough to pass the site’s automated checks, the redirection instead led to online banking phishing pages hosted on the same phishing domain.

User redirected to Halifax online banking phishing pages after entering a Halifax sort code

BleepingComputer tested the phishing pages with real Halifax and NatWest bank branch sort codes, which confirmed this suspicion: the sort code is used to pick the bank lookalike the victim is sent to.

These online banking lookalikes then collect the user’s banking credentials, memorable words, 2-factor codes, and so on.

NatWest bank phishing page collecting online banking credentials
Source: BleepingComputer

BleepingComputer discovered that the campaign has entire sets of phishing sites mirrored from the real websites of prominent UK high street banks to target their customers.

The list includes Barclays, Clydesdale, Halifax, NatWest, HSBC UK, Metro Bank, Nationwide, Citi, Lloyds, TSB, Co-op, Royal Bank of Scotland (RBS), Santander, Tesco Bank, and Yorkshire Bank.

The campaign has entire sets of banking sites mirrored from real ones
Source: BleepingComputer

Despite the thoroughness of the threat actors behind this campaign, they did a poor job of securing the data they collected. That is hardly their concern, but it makes this campaign even more dangerous: the stolen data is exposed not only to the operators but to anyone who finds the server.

One phishing domain used by the campaign was observed leaking visitor logs with over 4,500 records. The domain leaking these logs is no longer accessible.

On analysing the logs, BleepingComputer found that well over 1,000 unique IP addresses had accessed this phishing campaign.

Visitor logs leaking on the phishing server
Source: BleepingComputer

Multiple phishing domains, newer ones added daily

At the time of writing, BleepingComputer has observed the following domains associated with this campaign, some of which are still active:

hmrc-online-verify.com
hmrc.help-rebate.com
hmrcsupport.com
rebate-service-hmrc.com
taxclaim-govuk.com

Spam blocklist maintainers are constantly playing catch-up, adding these malicious domains to their databases as they appear.

It is also worth noting that these domains were registered only days before the campaign was observed. For example, hmrc-online-verify.com has a registration date of November 4th, 2020, with the other domains registered on subsequent days.

WHOIS record for one of the domains employed by the scam campaign
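The domain list above, together with the earlier point that a “.com” address alone does not prove a UK government link is fake, suggests three cheap signals a defender can check on a link received by SMS: the host is not under the real gov.uk hierarchy, the hostname borrows HMRC or GOV.UK branding, and the domain was registered only days before the message arrived. The Python below is an added example and is not part of the original article or of BleepingComputer’s reporting. The suffix handling is a simplified stand-in for a full public-suffix list, the brand-token list and the 30-day age threshold are assumptions, and the sample messages and the registration date for help-rebate.com are constructed; only the November 4, 2020 date for hmrc-online-verify.com and the November 9, 2020 observation date come from the article.

```python
"""Triage links in tax-rebate smishing texts (added example, not the article's code)."""
import re
from datetime import date
from urllib.parse import urlsplit

# Assumption: second-level UK suffixes under which the registrable domain is three labels long.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "me.uk", "nhs.uk", "ltd.uk", "plc.uk"}
# Assumption: tokens the campaign's domains used to impersonate HMRC / GOV.UK.
BRAND_TOKENS = ("hmrc", "govuk", "gov-uk", "rebate", "taxclaim", "tax-refund")
# Assumption: a domain younger than this at the time of the SMS is treated as suspicious.
MAX_AGE_DAYS = 30
# Bare domains in SMS frequently lack a scheme ("hmrc.help-rebate.com/claim").
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample messages; the first is modelled on the wording the article reports,
# with a constructed amount in place of the article's placeholder.
SAMPLE_SMS = [
    "HMRC records show that you are owed a tax repayment of £217.43 Failure to submit "
    "the return could lead to a fine. Please continue via hmrc.help-rebate.com/claim",
    "Your annual canvass form is ready at https://www.householdresponse.com/",
    "Claim your refund: https://www.gov.uk/claim-tax-refund",
]
# 4 Nov 2020 is the registration date the article gives for hmrc-online-verify.com;
# the help-rebate.com date is a constructed assumption for this demonstration.
KNOWN_REGISTRATIONS = {
    "hmrc-online-verify.com": date(2020, 11, 4),
    "help-rebate.com": date(2020, 11, 5),
}
SMS_SEEN_ON = date(2020, 11, 9)  # the article's update date, used as the observation day


def extract_hosts(sms_text):
    """Return lowercase hostnames for every link-like token in the message."""
    hosts = []
    for match in URL_RE.finditer(sms_text):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw  # give urlsplit a scheme so it parses the host
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def registrable_domain(host):
    """'hmrc.help-rebate.com' -> 'help-rebate.com' (simplified public-suffix logic)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_official_gov_host(host):
    """Only genuine UK government services live under gov.uk."""
    return host == "gov.uk" or host.endswith(".gov.uk")


def triage_url(host, registered_on=None, seen_on=None):
    """Return (verdict, reasons) for one hostname.

    Verdicts: 'legitimate-gov' for real gov.uk hosts, 'suspicious' when a signal fires,
    'unverified' otherwise (a .com with no brand token, such as householdresponse.com).
    """
    if is_official_gov_host(host):
        return "legitimate-gov", []
    reasons = []
    hits = [token for token in BRAND_TOKENS if token in host]
    if hits:
        reasons.append("brand token(s) %s in non-gov.uk domain %s"
                       % (", ".join(hits), registrable_domain(host)))
    if registered_on is not None and seen_on is not None:
        age_days = (seen_on - registered_on).days
        if age_days < MAX_AGE_DAYS:
            reasons.append("domain registered %d day(s) before the message" % age_days)
    return ("suspicious" if reasons else "unverified"), reasons


def triage_sms(sms_text, registration_dates, seen_on):
    """Map each host found in the SMS to its (verdict, reasons)."""
    results = {}
    for host in extract_hosts(sms_text):
        registered_on = registration_dates.get(registrable_domain(host))
        results[host] = triage_url(host, registered_on, seen_on)
    return results


def triage_samples():
    """Run the constructed samples through the triage; returns host -> (verdict, reasons)."""
    merged = {}
    for sms in SAMPLE_SMS:
        merged.update(triage_sms(sms, KNOWN_REGISTRATIONS, SMS_SEEN_ON))
    return merged


if __name__ == "__main__":
    for host, (verdict, reasons) in triage_samples().items():
        print("%-32s %-15s %s" % (host, verdict, "; ".join(reasons)))
```

Note the deliberate gap: householdresponse.com comes back only as “unverified”, not “suspicious”, because the heuristics look for impersonation tokens and domain age rather than penalising every .com, which is exactly the caveat the article raises about legitimate government services on .com domains. In practice the registration dates would come from a WHOIS or RDAP lookup; here they are supplied by the caller so the check runs offline.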

The extensive nature of this campaign and its thoroughly built online banking workflows indicate that this is a well-planned smishing operation run by skilled threat actors.

If you have received similar suspicious messages, phone calls, or emails claiming to come from HMRC, you are encouraged to report them to HMRC.

Additionally, you may report instances of such scams to BleepingComputer using its online form.

Update November 9, 2020: Added taxclaim-govuk.com domain to list.
