SecurityWeek

Email Security

Tax Phishing Campaign Reminds of DMARC Limitations

April is a time for tax-related phishing scams, and we haven’t been let down this year despite the dominance of COVID-19-themed phishing campaigns. DMARC should stop phishing, right? Only when the phisher spoofs the protected domain itself.

Security firm Abnormal Security discovered a phishing email giving the recipient a single day to respond and claim an outstanding tax rebate of ‘550.11 GBP’ from HMRC (the UK tax authority). The email contains an obfuscated link to a webpage masquerading as a Gov.uk page. That landing page requests full card and bank details in order to process the refund.

The text of the email is not bad as phishing scams go, with just a few grammatical errors and inconsistencies. These could easily be missed by anyone excited by the chance of gaining more than £500 (approximately $625) and spurred on by the short deadline. Greed and urgency are two of the classic levers used by scammers.

The landing page is even more convincing than the email: clear, well laid out and exactly what the victim might expect from a government department. A victim who is fooled will not receive a £550 refund, but will likely lose considerably more, since the page harvests full card and bank details.

What is particularly interesting about this phishing attempt, however, is that HMRC is fully DMARC protected — that is, DMARC is implemented at the strongest enforcement level (a p=reject policy). DMARC is widely presented as an anti-phishing control, yet it clearly did not stop this campaign. The reason is that DMARC only acts on messages whose From: header claims the protected domain and which fail SPF/DKIM alignment for that domain; any message using a different domain is judged against that other domain’s policy, or none at all. Exact-domain spoofing accounts for approximately two-thirds of all phishing attempts, leaving one-third untouched by DMARC.

After implementing DMARC, HMRC Digital blogged in November 2016, “We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.” DMARC works where it is designed to work.

The hidden danger, however, is that the phishers will simply put more social engineering effort into masquerading under an associated domain that could be accepted as genuine. In this instance, the email claims to come from ‘Service-Center-Online-Office-Ref-No [email protected]’. The .be top-level domain is a give-away, since the victim should hardly expect a Belgian domain to be involved with UK tax refunds.

Nevertheless, the principle is clear: phishers do not need to spoof the exact domain name if they can use a different domain that might be accepted as reasonable. This may become an unavoidable side effect of the increasing use of DMARC to block exact domain name spoofing: criminals will migrate to alternative (but plausible) domain names that are untouched by the target’s DMARC controls.
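To make the limitation concrete, the following is an added example (not code from the article, from HMRC or from Abnormal Security) of the receiver-side DMARC decision. It evaluates one message at a time against a constructed table of DMARC records: the hmrc.gov.uk record is assumed to be p=reject with strict alignment, the lookalike domain refund-hmrc-example.be is hypothetical, and the public-suffix data is a toy stand-in for the real Public Suffix List. The point it shows is that the lookup key is always the From: header domain, so a lookalike domain the attacker controls (with its own working SPF and DKIM) passes DMARC while a direct spoof of hmrc.gov.uk is rejected.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed DMARC records for the example. These are NOT live DNS answers;
# the real hmrc.gov.uk TXT record is not reproduced here. The article only
# says HMRC enforces at the strongest level, so p=reject is assumed.
DMARC_RECORDS: Dict[str, str] = {
    "hmrc.gov.uk": "v=DMARC1; p=reject; adkim=s; aspf=s",
    # Hypothetical attacker-controlled lookalike domain with its own policy.
    "refund-hmrc-example.be": "v=DMARC1; p=none",
}

# Toy public-suffix data used to derive the "organizational domain" that
# relaxed alignment compares. Real checkers use the Public Suffix List.
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "be", "com"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the label just above the longest
    matching public suffix (e.g. mail.hmrc.gov.uk -> hmrc.gov.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower().rstrip(".")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag/value pairs, applying the RFC 7489
    default (relaxed) for the alignment modes when they are absent."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed only
    the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What a receiver knows about one message after running SPF and DKIM."""
    header_from: str                    # domain of the RFC5322.From address
    spf_domain: Optional[str] = None    # domain SPF was evaluated for (MAIL FROM)
    spf_pass: bool = False
    dkim_domain: Optional[str] = None   # d= of a DKIM signature that verified
    dkim_pass: bool = False


def dmarc_disposition(msg: AuthResults, records: Dict[str, str] = DMARC_RECORDS) -> str:
    """Return 'pass', 'none', 'quarantine', 'reject' or 'no-policy'.
    The policy consulted is the one published for the From: header domain
    (or its organizational domain); no other domain's policy is ever used."""
    from_domain = msg.header_from.lower()
    record = records.get(from_domain)
    policy_tag = "p"
    if record is None:
        # Subdomain without its own record: the organizational domain's
        # record applies, with sp= (if present) governing subdomains.
        record = records.get(organizational_domain(from_domain))
        policy_tag = "sp"
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    spf_ok = bool(msg.spf_pass and msg.spf_domain
                  and aligned(from_domain, msg.spf_domain, policy["aspf"]))
    dkim_ok = bool(msg.dkim_pass and msg.dkim_domain
                   and aligned(from_domain, msg.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get(policy_tag, policy["p"])


# Constructed messages (not the campaign's real headers).
# 1. Direct spoof: From: @hmrc.gov.uk, sent from attacker infrastructure whose
#    SPF passes only for the attacker's own MAIL FROM domain. Not aligned.
SPOOFED = AuthResults(header_from="hmrc.gov.uk",
                      spf_domain="refund-hmrc-example.be", spf_pass=True)
# 2. Genuine HMRC mail, DKIM-signed with d=hmrc.gov.uk.
GENUINE = AuthResults(header_from="hmrc.gov.uk",
                      dkim_domain="hmrc.gov.uk", dkim_pass=True)
# 3. The lookalike: the attacker set up SPF and DKIM for a domain they own.
LOOKALIKE = AuthResults(header_from="refund-hmrc-example.be",
                        spf_domain="refund-hmrc-example.be", spf_pass=True,
                        dkim_domain="refund-hmrc-example.be", dkim_pass=True)
# 4. Strict vs relaxed alignment: signature from a subdomain of the From: domain.
SUBDOMAIN_SIGNED = AuthResults(header_from="hmrc.gov.uk",
                               dkim_domain="mail.hmrc.gov.uk", dkim_pass=True)
RELAXED_RECORDS = {"hmrc.gov.uk": "v=DMARC1; p=reject"}

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)]:
        print(name, dmarc_disposition(msg))
    print("subdomain/strict", dmarc_disposition(SUBDOMAIN_SIGNED))
    print("subdomain/relaxed", dmarc_disposition(SUBDOMAIN_SIGNED, RELAXED_RECORDS))
```

The lookalike message returns `pass` even though it is phishing: the hmrc.gov.uk record is never looked up, because the From: domain is the attacker's. That is the whole of the limitation the article describes, and it is why controls against lookalike domains (registration monitoring, display-name and sender-domain analysis at the gateway, user training on the From: domain) have to sit alongside DMARC rather than be replaced by it.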

Related: Threat From Spoofed Emails Grows, While DMARC Implementation Lags 

Related: Nearly 1 Million Domains Use DMARC, but Only 13% Prevent Email Spoofing 

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely 

Related: Presidential Candidates’ Use of DMARC Improves, but Short of Optimum

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
