
SANS ISC InfoSec Handlers Diary Blog



Phish or Vish? The IRS is back.

Published: 2007-08-25
Last Updated: 2007-08-25 09:05:13 UTC
by Mark Hofman (Version: 1)

The IRS wants to give you $80 to participate in a survey, yup really.

Aw... alright, so it’s the IRS scam that is back again, this time with a twist.

<Phish>

Users will be receiving SPAM messages from the IRS along these lines:

From: Internal Revenue Service [mailto:security@IRS.gov]
Sent: Friday, August 24, 2007 5:23 AM
Subject: IRS Survey : $80.00 to your account - Just for your time!
Importance: High
Congratulations!
Dear Customer,
You’ve been selected to take part in our quick and easy 8 questions survey In return we will credit 80.00 to your account
- Just for your time!
Please spare two minutes or your time and take part in our online survey so we can improve our services.
Don’t miss this chance to change something.
To continue click on the link below:
htm://www.irs.gov/login.asp=survey
© Copyright © 2007 Internal Revenue Service U.SA

The link directs you to a survey page asking about satisfaction with the IRS, product knowledge, etc. The only details requested on this page are your name, your phone number and, optionally, an email address.

On submission a results page is shown where you are asked to enter credit card details in order to receive the $80.

Straightforward so far.

</Phish>

So why the phone number?

That’s where the vish comes into play: VoIP is used to call the victim and social engineer further information out of them. For example:

<Vish>

“ Hello Mr I fell for-it, this is Tim from the IRS.  Thank you for filling out the survey, however you didn’t leave any details for us to deposit the $80.  If you provide me with some information now we can arrange payment.”

“uh, ok”

“Let’s start with verifying some details, starting with your social security number....”

.....

</Vish>

Now it might be that the phone number will be used in any case. A credit card number and name are valuable on their own; combined with other personal information they are much more valuable.

There will have been millions of emails sent, so we don’t really want any of those at this stage, but if you know of anyone who has been approached via voice after completing one of these surveys please let us know.

Mark H - Shearwater
