Fake ATO phishing emails
I was lucky enough to get two slightly different phishing emails overnight, both pretending to come from the Australian Taxation Office (ATO). I haven't seen these ones before - I usually only get them from the banks!
Email one:
From: donotreply@ato.gov.au
Subject: Mistakes in your tax form NAT3799
To whom it may concern.
Please be informed that you have made mistakes while filling out the last NAT3799 tax return (ID: 843494814049) .
Please follow the advice of our tax specialists HERE
We prompt you to correct the mistakes and file the revised tax return to your local tax office as soon as possible.
Sincerely,
*************************************
The word "HERE" is hyperlinked to hxxp://sandbox.codewerken.com/27bddd/index.html; the link text gives no hint of the destination. This page is still alive at the time of writing, and loads hxxp://searchdiscovered.com in an iframe. A quick look at hxxp://sandbox.codewerken.com shows a few other directories with random six-character names that contain similar content, so the host is likely compromised and serving more than one campaign. The server seems to be Apache with some FrontPage extensions.
The ATO logo is hosted from hxxp://www.grantsspectrum.com.au/images/ato.jpg.
The source address was 80.224.55.227, whose reverse DNS is user-55-227.wipzona.es (a Spanish ISP range).
Email two:
From: Australian Government <centenarians37@ato.gov.au>
Subject: Your tax return was incorrectly filled out
Attention: to whom it may concern
We are sorry to inform you that you incorrectly completed the most recent tax form NAT3799 (ID: 107442005751) .
Please find the advice of our tax specialists HERE
We kindly ask you to amend the mistakes and send the corrected tax return to your local tax office as soon as possible.
Yours sincerely,
Leonel Stafford
This time, the word "HERE" is hyperlinked to hxxp://denverdm.com/a0ec15/index.html. The logo is embedded inline in the message, rather than being loaded from a remote site. This page had already been taken down at the time of writing.
The source address was 31.52.158.162, whose reverse DNS is host31-52-158-162.range31-52.btcentralplus.com (which appears to be a BT residential broadband range).
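The checks above (which domain the "HERE" link really points at, whether the logo is hosted remotely or embedded inline, what the landing page frames, and which host handed the mail in) are easy to script for both emails at once. The following is an added example, not code from the original post. The two sample messages are constructed to mirror the emails above (sender, subject, the "HERE" target, logo placement, source host); the Received header layout, the receiving host "mx.example.invalid" and the landing-page markup are assumptions, since the post does not reproduce the raw headers or page source.

```python
"""Triage helper for mails like the two ATO-themed phishes above (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on "Email one": logo hosted on a third-party site.
# Received header and "mx.example.invalid" are assumptions, not from the post.
EMAIL_ONE = """\
Received: from user-55-227.wipzona.es ([80.224.55.227]) by mx.example.invalid
From: donotreply@ato.gov.au
Subject: Mistakes in your tax form NAT3799
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.grantsspectrum.com.au/images/ato.jpg">
<p>Please follow the advice of our tax specialists
<a href="http://sandbox.codewerken.com/27bddd/index.html">HERE</a></p>
</body></html>
"""

# Constructed sample modelled on "Email two": logo embedded inline (cid: reference).
EMAIL_TWO = """\
Received: from host31-52-158-162.range31-52.btcentralplus.com ([31.52.158.162]) by mx.example.invalid
From: Australian Government <centenarians37@ato.gov.au>
Subject: Your tax return was incorrectly filled out
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="cid:ato-logo">
<p>Please find the advice of our tax specialists
<a href="http://denverdm.com/a0ec15/index.html">HERE</a></p>
</body></html>
"""

# Constructed stand-in for the landing page, which the post says framed a
# second site; the real markup is not on the page and is assumed here.
LANDING_PAGE = '<html><body><iframe src="http://searchdiscovered.com"></iframe></body></html>'

# Matches the bracketed IPv4 literal in a "Received: from host ([ip])" header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class RefCollector(HTMLParser):
    """Collect <a href>, <img src> and <iframe src> targets from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def extract_refs(html):
    p = RefCollector()
    p.feed(html)
    return {"links": p.links, "images": p.images, "iframes": p.iframes}


def defang(url):
    """Render a URL in the hxxp://host[.]tld form used in the post."""
    u = urlparse(url)
    query = f"?{u.query}" if u.query else ""
    return f"{u.scheme.replace('http', 'hxxp')}://{u.netloc.replace('.', '[.]')}{u.path}{query}"


def same_org(host, sender_domain):
    """True if host is the sender's domain or a subdomain of it."""
    host = host.lower()
    return host == sender_domain or host.endswith("." + sender_domain)


def triage(raw):
    """Pull out the indicators the post looks at: sender domain, handing-in IP,
    link targets, and whether images are remote or inline."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    source_ip = None
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if m:
            source_ip = m.group(1)
            break
    body = msg.get_body(preferencelist=("html",))
    refs = extract_refs(body.get_content() if body else "")
    return {
        "sender_domain": sender_domain,
        "source_ip": source_ip,
        "links": refs["links"],
        "mismatched_links": [l for l in refs["links"] if not same_org(urlparse(l).netloc, sender_domain)],
        "hosted_images": [i for i in refs["images"] if urlparse(i).scheme in ("http", "https")],
        "inline_images": [i for i in refs["images"] if i.startswith(("cid:", "data:"))],
    }


if __name__ == "__main__":
    for name, raw in (("Email one", EMAIL_ONE), ("Email two", EMAIL_TWO)):
        r = triage(raw)
        print(f"{name}: From {r['sender_domain']} via {r['source_ip']}")
        for l in r["mismatched_links"]:
            print(f"  link off sender domain: {defang(l)}")
        for i in r["hosted_images"]:
            print(f"  hosted logo: {defang(i)}")
    print("landing page frames:", [defang(u) for u in extract_refs(LANDING_PAGE)["iframes"]])
```

The mismatch check is the important one: a mail claiming to be from ato.gov.au whose only link leaves that domain is the tell, regardless of how convincing the logo is. The Received-header parsing is deliberately naive (first bracketed IPv4 literal wins); on a real mail you would walk the headers from the bottom up to the last hop you trust, since everything before that can be forged by the sender.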