[nsp-sec] US IRS phishing [AS34011, AS16276, AS3215]

William Allen Simpson william.allen.simpson at gmail.com
Sun Jun 22 11:02:13 EDT 2008


Unlike the olden days, I don't usually read even my own spam anymore
(there's just too much).  But certain ones are flagged with bank or IRS,
and I try to submit those to our own reporting and CastleCops.

   https://www.cymru.com/reports-cgi/submit_phish.cgi
   http://www.castlecops.com/pirt

Neither seems to handle the phish sender or the redirected site.  Something
automated would be a target rich environment that could add to our alerts!

Here are some actionable items....

===

In this case, the ultimate compromised site doesn't show up in the email:

hxxp://www.paycom.de/contenido/includes/api/irs/www.irs.gov/index.htm

AS      | IP               | AS Name
34011   | 80.67.17.140     | DOMAINFACTORY domainfactory GmbH

PEER_AS | IP               | AS Name
3356    | 80.67.17.140     | LEVEL3 Level 3 Communications
6695    | 80.67.17.140     | DECIX-AS DE-CIX, the German Internet Exchange
10310   | 80.67.17.140     | YAHOO-1 - Yahoo!
12337   | 80.67.17.140     | NORIS-NETWORK noris network AG
13237   | 80.67.17.140     | LAMBDANET-AS European Backbone of LambdaNet

===

The email itself has a compromised site that redirects to the ultimate site:

hxxp://www.universipod.net/uipod_fr/pages_php/p_aidcon_conseils/IPOD_fichiers/ipod.php

AS      | IP               | AS Name
16276   | 213.186.33.16    | OVH OVH

PEER_AS | IP               | AS Name
3549    | 213.186.33.16    | GBLX Global Crossing Ltd.
6453    | 213.186.33.16    | GLOBEINTERNET TATA Communications
6695    | 213.186.33.16    | DECIX-AS DE-CIX, the German Internet Exchange
10310   | 213.186.33.16    | YAHOO-1 - Yahoo!

===

The phish came from some kind of open relay, correctly flagged as not
permitted SPF:

AS      | IP               | AS Name
3215    | 80.12.242.100    | AS3215 France Telecom - Orange

PEER_AS | IP               | AS Name
5511    | 80.12.242.100    | OPENTRANSIT France Telecom - Orange

===

The phish may have originated at a particular customer (although Received
lines are often unreliable) that seems to be related to the relay:

AS      | IP               | AS Name
3215    | 80.11.229.3      | AS3215 France Telecom - Orange

===

The final unreliable Received is related to the compromised site, so this
may be of some use tracking the phisher:

AS      | IP               | AS Name
16276   | 91.121.109.152   | OVH OVH

-------- Original Message --------

Return-Path: <taxrefund at irs.gov>
Received: from smtp28.orange.fr (smtp28.orange.fr [80.12.242.100])
         by mx.google.com with ESMTP id j33si6941537ugc.2.2008.06.22.00.46.12;
         Sun, 22 Jun 2008 00:46:13 -0700 (PDT)
Received-SPF: fail (google.com: domain of taxrefund at irs.gov does not designate 80.12.242.100 as permitted sender) client-ip=80.12.242.100;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of taxrefund at irs.gov does not designate 80.12.242.100 as permitted sender) smtp.mail=taxrefund at irs.gov
Received: from me-wanadoo.net (localhost [127.0.0.1])
	by mwinf2811.orange.fr (SMTP Server) with ESMTP id 098F58000081;
	Sun, 22 Jun 2008 09:46:12 +0200 (CEST)
Received: from mail.louisfrancois.com (LRouen-151-71-53-3.w80-11.abo.wanadoo.fr [80.11.229.3])
	by mwinf2811.orange.fr (SMTP Server) with ESMTP id 5EA898000089;
	Sun, 22 Jun 2008 09:46:11 +0200 (CEST)
X-ME-UUID: 20080622074611387.5EA898000089 at mwinf2811.orange.fr
Received: from User ([91.121.109.152]) by mail.louisfrancois.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Sun, 22 Jun 2008 09:48:54 +0200
From: "John Stewart" <taxrefund at irs.gov>
Subject: Internal Revenue Service - Tax Refund
Date: Sun, 22 Jun 2008 09:46:09 +0200
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
Message-ID: <MAILFRANCOISb6uIU1G00007a09 at mail.louisfrancois.com>
X-OriginalArrivalTime: 22 Jun 2008 07:48:54.0111 (UTC) FILETIME=[6B2A26F0:01C8D43C]
To: undisclosed-recipients: ;

</p><p style="font-size: 14px;">
                 <font face="Arial"> After the last annual calculations of your fiscal activity<br> we have determined
                 </font><font style="font-size: 14px;" face="Arial">that you are eligible to receive<br> a tax refund under section 501(c) (3) of the<br> Internal Revenue Code. Tax refund value is <b>$184.80.</b>
                 <br> Please submit </font><font face="Arial">the tax refund request and allow us 6-9 days<br> in order to IWP the data received.<br>If u don't receive your refund within 9 business<br> days from the original IRS mailing date shown,<br> you 
can start a refund trace online.

             </font></p>

<p style="font-size: 11px;">
<font face="Arial">If you distribute funds to other organization, your records must show wether<br> they are exempt under section 497 (c) (15). In cases where the recipient org.<br> is not exempt under section 497 (c) (15), you must have evidence the funds 
will<br> be used for section 497 (c) (15) purposes.<br><br>If you distribute fund to individuals, you should keep case histories showing<br> the recipient's name and address; the purpose of the award; the maner of<br> section; and the realtionship of the 
recipient to any of your officers, directors,<br> trustees, members, or major contributors.

</font></p><p style="font-size: 12px;">

<font face="Arial"><font style="font-size: 14px;" face="Arial">To access the form for your tax refund, please
</font><a href="hxxp://www.universipod.net/uipod_fr/pages_php/p_aidcon_conseils/IPOD_fichiers/ipod.php">
  <b>click here</b></a><b></b></font></p><font face="Arial"><br><font style="font-size: 12px;" face="Arial">This notification has been sent by the Internal Revenue Service,<br> a bureau of the Department of the Treasury.
<font style="font-size: 12px;" face="Arial">


</font></font></font><p style="font-size: 12px;">
<font face="Arial"><font style="font-size: 12px;" face="Arial"><font style="font-size: 12px;" face="Arial">                Sincerely Yours,<br><br>John Stewart<br>Director, Exempt. Organization<br>Rulings and Agreements Letter<br>Internal Revenue 
Service</font>
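As an added example, not part of the original post: a small Python script that walks the Received chain quoted above oldest-first, pulls the SPF verdict, and keeps only the hop stamped by our own MX as first-hand evidence, since, as the post notes, the earlier Received lines are unreliable. It assumes our MX is mx.google.com and restores the archive's " at " mangling to "@".

```python
import email
import re

# Constructed sample: the Received trail quoted in the post above (hosts and IPs
# as printed there); addresses restored from the archive's " at " mangling.
SAMPLE_HEADERS = """\
Return-Path: <taxrefund@irs.gov>
Received: from smtp28.orange.fr (smtp28.orange.fr [80.12.242.100])
         by mx.google.com with ESMTP id j33si6941537ugc.2.2008.06.22.00.46.12;
         Sun, 22 Jun 2008 00:46:13 -0700 (PDT)
Received-SPF: fail (google.com: domain of taxrefund@irs.gov does not designate 80.12.242.100 as permitted sender) client-ip=80.12.242.100;
Received: from me-wanadoo.net (localhost [127.0.0.1])
\tby mwinf2811.orange.fr (SMTP Server) with ESMTP id 098F58000081;
\tSun, 22 Jun 2008 09:46:12 +0200 (CEST)
Received: from mail.louisfrancois.com (LRouen-151-71-53-3.w80-11.abo.wanadoo.fr [80.11.229.3])
\tby mwinf2811.orange.fr (SMTP Server) with ESMTP id 5EA898000089;
\tSun, 22 Jun 2008 09:46:11 +0200 (CEST)
Received: from User ([91.121.109.152]) by mail.louisfrancois.com with Microsoft SMTPSVC(6.0.3790.3959);
\t Sun, 22 Jun 2008 09:48:54 +0200
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    # Hops oldest-first as (HELO name, bracketed IP or None, receiving host).
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard Received line; skip rather than guess
        ip = IP_RE.search(m.group("info") or "")
        hops.append((m.group("helo"), ip.group(1) if ip else None, m.group("by")))
    return list(reversed(hops))  # each relay prepends, so the top line is newest

def spf_result(raw):
    # (verdict, client-ip) from Received-SPF, or (None, None) if the header is absent.
    value = email.message_from_string(raw).get("Received-SPF")
    if not value:
        return None, None
    ip = re.search(r"client-ip=([\d.]+)", value)
    return value.split()[0].lower(), ip.group(1) if ip else None

def verified_sender(raw, our_mx):
    # Only the hop our own MX stamped is first-hand evidence; the lines below it
    # were written by hosts the sender may control, so treat them as claims only.
    return next((ip for _, ip, by in received_chain(raw) if by == our_mx), None)
```

The chain it returns walks 91.121.109.152 -> 80.11.229.3 -> 127.0.0.1 -> 80.12.242.100, and only the last of those (the relay that connected to mx.google.com) is corroborated by the SPF hardfail.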


