McAfee Avert Labs has received reports of a new phishing attack that purports to be from the U.S. Internal Revenue Service (IRS). This email attack is similar to IRS phish campaigns seen before and offers victims a $375.20 refund directly to their credit card for filling in an online form. A copy the spammed email is shown below:

IRS phishing scams faithfully appear every year during the US tax season. There have been several campaigns in the past and this one was first observed on Jan 28th in our spam traps.

The phish is hosted on a legitimate website based in the United States that deals with special effects for Halloween and movie props. The phish page is a rip-off of the original IRS website and the online form asks for the victim’s name, social security number and credit card details. In addition to these CVC/CVV2 and ATM pin number details are required. Makes you wonder how many people would still give such information in their eagerness to get a refund given it is the middle of the tax season.

Of late we are seeing the numbers of legitimate web sites compromised by attackers surpassing those purposefully hosted by an attacker. By abusing compromised legitimate web sites to host malicious code, a spammer can subvert real-time blacklists that are used to traditionally check for the validity of links advertised in emails.

When the website owner was informed of this compromise, his reply was “I’m not a techie, but I have to run this site and don’t know how to fix this problem. Any help would be wonderful.” This brutally honest reply left me speechless!

Ps: I’ve ensured a McAfee Avert Labs field service engineer would be getting in touch with him shortly as well as making sure the IRS has the spamming information.