Hackers Target Canadian Tax Agency In Phishing Attack
Recipients are initially requested to log in to an embedded Web site in order to start the refund process. From there, the users are required to click on another URL that leads to a legitimate-looking online application. However, bank account numbers and other personally identifying information submitted by the victims are delivered instead to cybercriminals, who then use the acquired data for identity theft schemes, security experts said.
One of the biggest distinguishing features of the CRA phishing campaign is that it is surprisingly sophisticated, security experts said.
For one, the attacks target only Canada-based residents and organizations -- either the government.ca sites or .com sites based in the country.
"Given that the information is targeted, (cybercriminals) have to be more lucrative," said Nilesh Bhandari, product manager for Cisco IronPort. "For a message like this, they can send a small number and they can make this to be a very profitable endeavor for themselves."
Bhandari also said that this scam relies upon a fast-flux botnet, making it challenging to pinpoint and shut down. And unlike other tax-fraud scams, this one appears convincing, with grammatically correct English and no identifiable spelling or typographical errors.
"Usually when we see the IRS phishing scams, they don't have perfect English, there are some typos and some grammatical issues," he said. "This one was very well-organized and constructed. It looks exactly like the header or top font of the Canada Revenue Agency."
Within the first three days of its inception, the attack successfully infected hundreds of thousands of people, Bhandari said, in part due to its legitimate appearance, coupled with the bleak economic conditions and the popularity of online tax returns. Meanwhile, many users are also likely doing taxes online for the first time, and might be unaware of the process, he said. Many tax agencies, such as the IRS, have policies that prohibit issuing tax return status to citizens via e-mail.
Down the road, Bhandari said that he expects to see more specialized, highly targeted tax or stimulus package attacks playing to fears of cash-strapped individuals as the economy worsens and budgets continue to shrink.
"More people are expecting a rebate. As part of that process, more people are expecting that rebate going directly to their deposit account," he said. "As a result, they may believe that a message like this may be something they truly need to respond to."
