In today’s world we are all, I hope, at least aware of phishing. In the media, print and online, we’re increasingly seeing that all institutions, from banks to television broadcast providers, are working hard to advise us that they will never directly ask us for personal or banking information. It’s a message often repeated while you’re on hold waiting to speak to an operator; sometimes it’s included in letters – companies trying their best to notify us that all communication will be secure.
Now that we use the internet for the day-to-day running of our lives – everything from shopping, banking and, of course, the helpful renewal of tax credits – we inevitably receive yet more security emails. We are warned never to send personal information, not to respond to unsolicited ‘account update’ messages from your bank (or not your bank: ‘click on the link to confirm/ decline a transaction’, etc). Some hackers must have run a crash course in marketing as they look like the real McCoy! However, little is mentioned about another form of contact – the old faithful SMS text message.
A seamless process
The HMRC released an advert this year, letting the nation know they ‘understand we can’t always be available 9-5’, so they are ‘ready when we are’ available to renew my tax credits online 24/7.
I am a working mum. The time I spend with my son outside working hours is precious, so for me personally, this new service is extremely helpful and I have taken full advantage of it.
So what happened? I hear you ask. I remember the exact moment well; I received a few SMS messages from HMRC (these were genuine messages and not scam), reminding me that my tax credits renewal was due. At 11:00pm on a Tuesday evening (quite close to the dead line, hence the several SMS reminders), I worked my way through the online system. The following day, I received a helpful text confirming that my details had been received, again from the same HMRC sender:
This filled me with enough confidence to happily continue with the beautiful whirlwind life of a working mum! My tax credits claim was sorted in a timely manner and the process was seamless.
Let’s skip forward to September 2016 when I receive another SMS from the SAMEHMRC address, which read:
Now, I will be honest, I spent that £262 before I even read to the bottom of the text. However, due to the nature of my work (a recruitment consultant in the cyber security sector) and previous military training, I was suspicious. Instead of opening up the link on my mobile I forwarded the link to a PC. Here’s what awaited me:
Yep,you read it right, the form even asks for my passport and driving licence number, plus the links on the top bar don’t lead anywhere. Hilarious really!
BUT it’s only at this point that it’s obvious it is a scam. I decided to do a little digging via the official HMRC website. While searching for advice on what to do if I received a suspicious SMS, I phoned HMRC directly. The helpful lady went through the usual security protocol with me, and when I told her about my text, she gave me a number to forward the SMS to, which is shown on the HMRC website but this wasn’t easy to find! She also mentioned that they had “received an influx of SMS messages”.
When enquiring where I could read more on receiving these messages, what to look for, etc., I was directed to a page which only referred to phishing emails. Not quite satisfied, I questioned how it was possible that the scammers could send an SMS from HMRC’s actual system. The now obviously flustered lady told me HMRC was currently ‘investigating’ a few reports.
Since receiving the text, I have been watching, digging and talking to my security network to try and work out how this has happened. And it’s fascinating.
How the scammers did it
Let’s start by looking at how I received the message following on from the trail of legit messages.
These names are easy to spoof and there are even sites out there that enable you to send a message and choose the ‘from’ name, such as : (https://www.fakemytextmessage.co.uk/fake-texts) As there is no authority for these, you can spoof any name or number and transmit these to your desired target. It was because of this trail that the SMS seem legit – 1-0 to the hacker! There are also reports of other names, including HMRCTAX and HMRevenue.
Although the link in my message and that in the first text above no longer redirect, the second one is (at time of writing) still active. Investigating the bit.ly link in the first message (adding ‘a +’ to any bit.ly link brings up a stats page), revealed that over 2,700 people clicked the link, meaning this was sent to vast number of people. Ouch.
The site this redirects to is: (http://hmrc-gov.uk.govtax0.com/)
The expert opinion
At this point, I’d like to introduce Ant Robinson, a Cyber Security Analyst at Emeiatec Limited, to lend his technical knowledge and expertise on the scam. Here’s what he found:
“Once I saw the fake page I wanted to check if it had any other malicious pay loads in the background (i.e. malware in the form of key loggers or similar). Fortunately, there wasn’t any, after checking it through iBoss FireSphere, VirusTotal and seeing its requests via zaproxy and Wireshark.
I then began to have a play through the site to see what else was in store and where the user would end up if they entered their details.
The page uses simple card validation to make sure you have entered a legitimate card, this was easy to bypass looking at the page code, so I got to the next page.
“There was a secondary payload to grab people’s details. It claims an error has occurred and then shows you some convincing online banking websites. All formatted and acting as the legitimate pages would.
“This would then ask you for your online banking details to ‘proceed with the refund’.
“A few simple tell-tale signs on the banking pages included text along the side with images (to keep the formatting looking correct) and links on the page which didn’t go where they should, but back to the existing page. Also, the URL at the top didn’t match the bank’s URL.”
URL'S HAVE BEEN LEFT FOR YOUR PERUSAL – PLEASE DO NOT ENTER ANY PERSONAL INFORMATION!
“If you then added your details in here, you would see a couple of pages showing you legitimate looking processing pages:
“These would stay on screen for about 30 seconds to make it feel authentic. Then the site would drop you off on the official revenue and customs page. This also gives the site a bit more legitimacy as a user might think they haven’t been scammed as they end up on an official site.
“After taking these screen shots I reported it to the HMRC phishing page, then decided to look into who owned the domain and where it was hosted.
“I took the domain and ran it through a ‘who is’ search (http://centralops.net/co/). This showed me who was hosting the site, who owned that domain and any contact details they had entered. Although these are most likely fake details or the details of someone they have scammed, it’s still interesting to see what they had registered it under.
“The thing that struck me was the domain of the admin email. This is an odd looking site; I assume it is a cover for their scams in this country. But again, this appears to be registered by a random address in the US. It also appears that this domain owner has been hidden by a company who register domains on your behalf.”
I have approached family and friends, playing dumb and showing them the message – I can scarily add that 100 per cent would have filled out that form! (Said individuals have been educated, slapped on wrists and sent numerous security awareness links and information)
I recently heard a news bulletin on the radio about a gentleman suing his bank after he was ‘phished’ online. He mentioned that the bank should be doing more to protect his money and would not accept any personal responsibility! We can argue about who is in the wrong, but I sit with the bank. This was down to his own personal actions. However, there’s a grey area in between: what is being done to educate everyone? Whose responsibility REALLY is it?
Since this ordeal, I have taken the time to sit down and try my best to raise awareness amongst my family and friends. I remember my first lesson in online security came from PC World after LimeWire (yep, that one), but since then, all my (self-taught) education has come from online sources.
In particular, we need to educate the older generation; the trusting generation. My grandmother, for example – she once believed an African prince had tried to contact her to send her millions of pounds (that’s yet another blog!). As these scams target us directly, we need to keep ourselves informed about emerging threats and how we can really keep our data safe.
Human error is, and I personally think will always remain, the biggest cause of data breaches. Although my network is obviously already highly security-focused, how many of you have a social network that could benefit from learning the ‘basics’? Below, I’ve put together some useful links that can help spread awareness around protecting yourself and your data.
Blog post written by Holly Foxcroft.