
November 30, 2005 5:27 PM PST

Phishers use IRS tax refund as bait

An unprotected redirect on a government Web site is helping cybercriminals pose as the Internal Revenue Service in a scam to harvest sensitive data, some security experts warn.

A spam e-mail message has been sent around the world telling people they are eligible for a $571.94 tax refund from the IRS. The e-mail offers a link to a fraudulent IRS Web site, but the link actually goes through a legitimate government Web site that only last month was promoted by President Bush.

"This is more advanced than the typical phish, because the Web link really does--at first--take you to the real tax benefit Web site," said Graham Cluley, senior technology consultant for U.K. security vendor Sophos. "Unfortunately the way the government Web site has been configured allows the phishers to bounce the unwary in their direction."

The link in the phishing e-mail ultimately lands on a forged IRS Web site that asks for a Social Security number, tax return filing code and credit card details, including the card's security code and PIN.

The scam takes advantage of a so-called open redirect on the GovBenefits.gov Web site: the site accepts a destination address as a parameter and forwards the visitor to it without checking where it points. This lets anyone craft a link that to the untrained eye looks like it goes to the government site, but actually goes elsewhere on the Web. The following link, for example, goes to CNET News.com: http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url=http://www.news.com.

The government is aware of the issue and is working to fix it, a representative of the Department of Labor said Wednesday. The department manages the GovBenefits.gov Web site. The site is a collaborative effort of 16 federal agencies to increase access to government information and is part of the president's e-government initiative.

Open redirects are no rarity on the Web, said Russ Cooper, senior scientist at Cybertrust, a security vendor in Herndon, Va. "They are unfortunately too common," he said. Phishers have taken advantage of such "stupid redirect links" on the sites of Yahoo and Microsoft's MSN before, according to Cooper.

"It comes about because people don't think about security during the design of their Web site. They were thinking about features," Cooper said. The redirect links are typically used as a business intelligence tool, so Web site owners know which external links their visitors click on.

While many Web sites have the programming error, it becomes more of a security issue and attractive to phishers when a site belongs to a trusted organization such as a bank or the government, Cluley said.

"With GovBenefits.gov there is a great opportunity for criminals by posing as the IRS to get a great deal of information, including your credit card details and Social Security number," Cluley said.

To prevent phishing attacks, Web site administrators should lock down their redirects, Cooper said. For example, administrators could honour a redirect to an external site only when the user actually clicks the link while on the main site. This would stop links in e-mail or instant messages from working, Cooper said.

Another solution is to limit which external sites the redirect link can point to. Sophos itself, for example, doesn't put actual Web addresses in its redirect links, but uses a keyword that is looked up in a database of approved links. "We have complete control over our redirects," Cluley said.
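To make the mechanism concrete, here is an added example (not GovBenefits.gov's or Sophos's code) of an externalLink-style handler in the open-redirect form described above, next to the two lock-down approaches Cooper and Cluley suggest: an allowlist of destination hosts combined with a check that the click came from the site itself, and a keyword that is resolved through a link table. The site host name is taken from the article's sample link; the allowlist, the link table, the phish.example destination and the use of the Referer header to recognise an on-site click are assumptions for illustration.

```python
# Added example (not GovBenefits.gov's or Sophos's code): an open redirect of the
# kind described in the article, beside two ways of locking it down. The allowlist,
# the keyword table and the phish.example host are constructed for illustration.
from urllib.parse import parse_qs, urlparse

SITE_HOST = "www.govbenefits.gov"  # the trusted site, from the article's sample link


def vulnerable_external_link(query):
    """Open redirect: whatever arrives in ?url= becomes the Location header.

    A phisher puts the forged IRS site here and the link still begins with the
    trusted host name. Returns the redirect target, or None if ?url= is missing.
    """
    return parse_qs(query).get("url", [None])[0]


# --- fix 1: allowlist the destinations and require the click to come from the site ---
ALLOWED_HOSTS = frozenset({"www.irs.gov", "www.ssa.gov"})  # constructed allowlist


def allowlisted_external_link(query, referer):
    """Return the target only if its host is approved and the click originated on-site.

    The on-site check is Cooper's suggestion, implemented here (an assumption) via
    the Referer header: a link pasted into an e-mail or instant message carries no
    on-site Referer, so it stops working. Returns None when the redirect is refused.
    """
    target = parse_qs(query).get("url", [None])[0]
    if target is None:
        return None
    parts = urlparse(target)
    # Reject scheme tricks ("//evil.example", "javascript:") and userinfo tricks
    # ("https://www.irs.gov@evil.example/", whose real host is evil.example).
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return None
    ref_host = urlparse(referer or "").hostname
    if ref_host is None or ref_host.lower() != SITE_HOST:
        return None
    return target


# --- fix 2 (the Sophos approach): links carry a keyword, never a raw URL ---
LINK_TABLE = {  # constructed sample of a link database
    "irs-refunds": "https://www.irs.gov/refunds",
    "ssa-benefits": "https://www.ssa.gov/benefits",
}


def keyword_external_link(query):
    """Look the keyword up in the link table; unknown keywords go nowhere."""
    key = parse_qs(query).get("link", [None])[0]
    return LINK_TABLE.get(key) if key is not None else None


if __name__ == "__main__":
    bait = "url=http://phish.example/irs-refund"  # constructed phishing destination
    on_site = "http://www.govbenefits.gov/govbenefits/benefits.jhtml"
    print("vulnerable  :", vulnerable_external_link(bait))
    print("allowlisted :", allowlisted_external_link(bait, on_site))
    print("keyword     :", keyword_external_link("link=irs-refunds"))
```

The keyword table is the robust control: the link never carries a URL, so there is nothing for a phisher to substitute. The Referer check is worth having but should not be the only control, since some browsers and privacy proxies strip the header, which would break legitimate clicks. While a fix is pending, the practical check is to search the Web server's access logs for externalLink requests whose url= parameter names a host the site does not link to; those entries are the phishing traffic.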

Sophos first spotted the IRS phishing scam several days ago. The company received several hundred copies of the e-mail in its traps located around the world. The actual phishing Web site has now been shut down, according to Cluley. "But, of course, other people could take advantage of this and redirect to other Web sites," he said.


yea, figures...
by seamonkey420 November 30, 2005 7:08 PM PST
Is it me or is it a bit sad when my own personal website has more security and lockdown than a US government site? And these people are dictating the laws on new technologies yet have no clue how to install Windows XP Pro?

Man, just pathetic; maybe we should just stop this war and concentrate on our country, on our own people (i.e. Katrina survivors? invent new power sources?). Maybe we shouldn't just sit back while our corrupt lawmakers further fatten their own pockets while the remaining 90% of the population struggles more and more each day.

But come on, US Govt: fire your current IT and snatch up a few good hackers and fix that redirect!

Just my $.02
Ditto
by Techie2010 December 1, 2005 8:57 AM PST
I feel for ya; it's scary to think that my computer has better security than most government systems. :/
How long does it take?
by spfanstiel November 30, 2005 11:03 PM PST
Really, how long does it take to "fix" this redirect? You do a search of all legitimate government sites using this redirect tool, assess the desired destination URLs that may require this resource, then lock it down to these URLs and no more. Why the delay? The fact that the government is "aware" of the problem is apparently worthless, since the redirect is still up and running. And now that c|net has published it, the entire phishing community knows about it as well.
Nice lecture
by smbaker01 December 1, 2005 6:11 AM PST
Your own redirect links do exactly the same thing.
http://dw.com.com/redir?destUrl=http://www.google.com/
or whatever.
Russ Cooper
by n3td3v December 2, 2005 9:52 AM PST
Is this guy still alive? Thought Cybertrust was a waste of time, since law enforcement don't contact them for intelligence on cyber investigations.
no contact
by lolasdeer December 5, 2005 4:14 AM PST
Hey N3td3v,

Could you tell us more about this governmental negation of Cybertrust?

Thanks,

lolasdeer