$109.30 in 2 minutes … IRS refunds attack
Monday September 24, 2007 at 9:16 am CST
Posted by Chris Barton
Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims a $109.30 refund directly to their credit card for filling in an online form. How convenient.
Here is an XYZ-obscured list of domains currently in use.
Example below:

As is usual these days for this sort of attack, the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.
…There I go again, assuming THEY actually pay.
Oh, while we’re on the subject, F-Secure have a cute blog on using Google to catch PayPal phish. Note the “Results: 1-10” … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps.

September 24th, 2007 at 12:32 pm
Chris, great post! We try and educate our customers and visitors about these types of scams as well as help them educate their users. Your info is very helpful.
Michael Rowles
CopiaTECH
September 24th, 2007 at 1:26 pm
Know what else is for wimps? Masking the full name of malicious domains. Are you afraid the phishers might get mad and sue? Grow a set and publish useable blacklists or don’t bother making a list at all.
September 26th, 2007 at 7:29 am
@Michael Rowles: Thanks!
@BelchSpeak: I wish… The data is published in SiteAdvisor, our free protection tool for browsers (and other non-free products obviously), this post is simply commentary on something interesting that is going on behind the scenes.
As I’m sure you can appreciate, we have an additional responsibility to protect the general public by not publishing all the gory details in an instantly usable form in case they misunderstand it as an endorsement or something equally foolish. I’m sure anyone remotely technical could resolve XYZ given a little thought or data from one of the public lists within a few minutes, and as such I have pushed the publishing guidelines as far as Marcus the ed. will let me.