IRS COVID19 Stimulus Check Scam Uses Incorrect Address As Phishing Lure
Recently we posted about a Small Business Administration spoof that dropped the Remcos remote access trojan and Formbook information stealer. Today we're going to share another COVID-19 Stimulus attack, however, this one purports to be from the Internal Revenue Service.
The email itself is fairly simple and spoofs the recipient's domain in hopes the company has allowed its own domain name in their email gateway but uses "IRS" as the display name. It tells the recipient "We encountered difficulties delivering your Covid-19 Stimulus Check to your home address above. You provided a wrong address." We quickly analyzed multiple versions of this attack and they all used the same address, no matter who received the message. A quick Google search shows it belongs to a legitimate pizza shop but not associated in any way with the recipients.
IRS Themed Credential Harvesting Site
We followed the link in a safe environment and were greeted with the below site attempting to masquerade as an IRS site. It prefills the recipient's email address from a parameter specified in the email's URL and attempts to have the user enter their email password in order to update their address.
Source Code Obfuscation
Taking a quick look at the site source code, we can see the attacker attempted to obfuscate the wording regarding the email address and password. This is a simple method utilized in an effort to bypass website scanning engines and scripts looking for credential harvesting sites.
The IRS has published the below information:
"The IRS does not initiate contact with taxpayers to request any personal or financial information for the Economic Impact Payment through:
- Text messages, or
- Social media sites, groups or forums
Be cautious of anyone asking you to verify your personal identification and/or banking information in order to receive the Economic Impact Payment. Scammers are savvy and may attempt to use social engineering schemes to get your information.
Spread the word. Tell your friends, relatives and neighbors - do not respond to any requests pretending to be associated with Coronavirus Tax Relief or Economic Impact Payments!
There are many scammers that use websites designed to look almost identical to a federal agency website but they will not have the right URL or website address. Make sure you are looking at a website that starts with “https://” and ends with “.gov”. Otherwise, they are likely not a valid U.S. government site. If you receive an email, text message, weblink or other communication from an unknown source or sender, avoid clicking on the link or opening the attachments.
Official IRS & Taxpayer Service Websites
The official source of information for the Economic Impact Payments is www.irs.gov/coronavirus. You can also visit the Taxpayer Advocate’s coronavirus site for updated guidance on tax relief available in response to Coronavirus (COVID-19).
If you choose to donate to a charitable organization, use the IRS Tax Exempt Organization search tool to verify an organization’s federal tax status before donating.
Report any scam-related and fraudulent contacts, phone numbers and websites to firstname.lastname@example.org. Learn more about reporting suspected scams by going to the Report Phishing and Online Scams page on IRS.gov."