UPDATE (August 12, 2022): This article was updated to add information about a new phishing email.
Even though the deadline to file taxes in Canada already passed on May 2nd, 2022, some people may have filed late or are still expecting their refund. Perhaps that’s why I received a phishing email yesterday purporting to come from the Canada Revenue Agency (CRA) and promising a refund of nearly CAD$500:
Aside from the blunder of using guidovedebe@skynet.be as the From: address of the email, this is not how the CRA communicates. If you are using a My Service Canada Account, you should expect to receive a notification that looks like this:
Understanding how phishers abuse links in emails, the CRA has taken the wise strategy of not providing links in official correspondence and instead instructing clients to navigate on their own to the official website.
If, however, you do click on the “Interac e-Transfer Autodeposit” button, you are redirected from a malicious link hosted on istandyjeno[.]hu to the malicious subfolder cra_ca_service hosted on oraclehomes[.]com:
The operators behind this campaign have done a fairly good job of creating a legitimate-looking page, but there are still some signs of the scam. For example, the footer of a legitimate page looks like this:
Furthermore, the menu items on the phishing page lead nowhere:
Clicking on “Jobs” simply populates the URL with the value of the id attribute of the HTML element for “Jobs”.
Next, if you click on the “Proceed” button on the opening page, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft:
If you then click on the “Continue” button, the next page asks for your credit card information:
The final page falsely confirms that your refund will be deposited to your credit card account within 5-10 business days:
Finally, you are redirected to a legitimate CRA webpage:
The same redirection happens if you attempt to navigate directly to the cra_ca_service subdirectory of the site.
ESET blocks these threats as a phishing attempt:
UPDATE: On August 12, 2022, I received another phishing email posing as the CRA:
Curiously, the apparent sender this time is marcamand@skynet.be, which uses the same email service as the previous sender guidovedebe@skynet.be.
Clicking on any of the links in this email redirects from a malicious link hosted on szobafestes-azonnal[.]eu to the malicious subfolder cra_ca_service hosted on uudamspa[.]vn:
The phishing forms in this attack look exactly the same as in the previous campaign. Is this the same attacker? Maybe. In any case, ESET blocks this threat too:
Interestingly, the home page of szobafestes-azonnal[.]eu advertises a hacker group called 1877 Team:
Phishing in perspective
According to the ESET Threat Report T1 2022, approximately a third of the phishing URLs detected in the first four months of 2022 impersonated financial organizations. But there are other popular contenders for phishing lures, such as fake Facebook and WhatsApp login pages and websites masquerading as email services and gaming platforms:
Although, in this case, the malicious operators targeted the credit card and personal information of Canadians, phishing can encompass a variety of goals like ransomware downloads, banking trojans, cryptojacking malware, and botnet deployments. Therefore, keep in mind the following advice to spot and steer clear of this threat:
- Consider whether the purported sender normally communicates via email in this way.
- Rather than clicking on links in an email, it is better to navigate manually to the official website of the apparent sender.
- Check for obvious mistakes in the email. For example, why would the Canada Revenue Agency send you email from guidovedebe@skynet.be?
- Always be wary of sharing your personal and financial information with any webpage.
- Familiarize yourself with the CRA scam alerts page, especially with the samples of fraudulent emails impersonating the CRA.