Phishers use IRS tax refund as bait

Cybercriminals take advantage of programming error on a federal Web site to pose as IRS and collect sensitive data.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Insufficient programming on a government Web site is helping cybercriminals pose as the Internal Revenue Service in a scam to collect sensitive data, some security experts warn.

A spam e-mail message has been sent around the world telling people they are eligible for a $571.94 tax refund from the IRS. The e-mail offers a link to a fraudulent IRS Web site, but the link actually goes through a legitimate government Web site that only last month was promoted by President Bush.

"This is more advanced than the typical phish, because the Web link really does--at first--take you to the real tax benefit Web site," said Graham Cluley, senior technology consultant for U.K. security vendor Sophos. "Unfortunately the way the government Web site has been configured allows the phishers to bounce the unwary in their direction."

The link in the phishing e-mail goes to a forged IRS Web site that asks for a Social Security number, tax return filing code and credit card details including security code and PIN.

The scam takes advantage of a so-called open redirect on the GovBenefits.gov Web site. This open redirect lets anyone craft a link that to the untrained eye looks like it goes to the government site, but actually goes elsewhere on the Web. The following link, for example, goes to CNET News.com: http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url=http://www.news.com.

The government is aware of the issue and is working to fix it, a representative of the Department of Labor said Wednesday. The department manages the GovBenefits.gov Web site. The site is a collaborative effort of 16 federal agencies to increase access to government information and is part of the president's e-government initiative.

Open redirects are no rarity on the Web, said Russ Cooper, senior scientist at Cybertrust, a security vendor in Herndon, Va. "They are unfortunately too common," he said. Phishers have taken advantage of such "stupid redirect links" on the sites of Yahoo and Microsoft's MSN before, according to Cooper.

"It comes about because people don't think about security during the design of their Web site. They were thinking about features," Cooper said. The redirect links are typically used as a business intelligence tool, so Web site owners know which external links their visitors click on.

While many Web sites have the programming error, it becomes more of a security issue and attractive to phishers when a site belongs to a trusted organization such as a bank or the government, Cluley said.

"With GovBenefits.gov there is a great opportunity for criminals by posing as the IRS to get a great deal of information, including your credit card details and Social Security number," Cluley said.

To prevent phishing attacks, Web site administrators should lock down their redirects, Cooper said. For example, administrators could limit linking to external sites only when a user actually clicks on the link while on the main site. This would stop links in e-mail or instant messages from working, Cooper said.

Another solution could be limiting which external sites the redirect link can be used for. Sophos itself, for example, doesn't use actual Web addresses in redirect links, but uses a keyword that refers to a database with links. "We have complete control over our redirects," Cluley said.

Sophos first spotted the IRS phishing scam several days ago. The company received several hundred copies of the e-mail in its traps located around the world. The actual phishing Web site has now been shut down, according to Cluley. "But, of course, other people could take advantage of this and redirect to other Web sites," he said.