Wednesday, January 14, 2015

Canada Revenue Agency Tax Return - Phishing Email

Subject: [notifications]-ID-123456769


Tax time and spammer's are hitting early. If you receive this crafty email similar to below, then it beware it's probably a phishing email attempt that is recently going around. What to do?  Report them now,

Action > Report the Phishing URL to Google Plex now, click this link
  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=ofertaslaverdad.mx

How to tell this is a Phishing email ?

  1. Canada Tax Revenue agency does not use email to engage CDN citizens that their tax return is due.
  2. Reply to this email is sent to <no_reply@bell.ca>; this is Bell and not CRA. If it were CRA it would be something like <no_reply@cra-arc.gc.ca>.
  3. Email is From: Canada Revenue Agency but don't let that fool you the address is from <supportinternet7791498888@bell.ca> and cleverly crafted but not the CRA.
  4. Reading email in Outlook generated pop-up "Click to follow link"
  5. Hover over action url, For tax refund click here >> and you see it's to http://ofertaslaverdad.mx the phishing link

  6. The best way is to look at message source, see below.


How to examine Email source?


Email consists of a message header and body. 
Briefly, the message body is basically everything you see below the subject line. 
To view the source message header, which includes details such as To:, Cc:, Bcc:, Reply To: and Subject, do the following in your email system;


  1. Outlook.com->Actions->View Message Source 
  2. Gmail.com->More (down arrow to top right)->Show original
  3. Yahoo.com->More (at Bottom of Message)->View Full Header
  4. Outlook Program - see http://bit.ly/outlookviewheadersource  

For this phony email, we have the message source in a code source reader.

At line 9 you have Received: from 127.0.0.1 (HELO mail13.shop-pro.jp) (210.154.147.74). 210.154.147.74 is located in Japan but originally from Korea, not Canada.

Find out geo location of the IP address on map, click link below;
http://www.infosniper.net/index.php?ip_address=210.154.147.74

Report Phishing Email (not as Spam)
  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (downarrow to top right)->Report Phishing
  3. Yahoo.ca->Spam->Report a Phishing Scam


Also Report Phishing domain at Google Plex now!!! 

If you have recievied this email take further action now by click these links

  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=ofertaslaverdad.mx


Also Report phishing email at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Learn how Office 365 prevents spam and malware free course 

No comments:

Post a Comment