A month ago, the New Zealand Department of Inland Revenue (IRD) issued a warning advising people not to respond to scam emails claiming to offer tax refunds. We have observed these types of scams before, but the individual campaigns come and go. Like any other phishing scam, this email campaign appears to look like a legitimate notification from Inland Revenue complete with the logo.
IRD Tax refund scam email
The link in the message body points to a phony web page that mimics the New Zealand IRD website. But the odd thing is the instruction in a red font stating “Please click on your following bank logo to continue the refund procedure”.
Phishing page linking to various New Zealand bank
Clicking on any of the bank logos opens a fake login page that requires the user to enter their banking credentials and other personal details.
Fake NZ bank login page
While digging around the phishing site, we came across a “readme.txt” file. It basically left hints that this phishing page was a kit authored by “MaxDeMon” written specifically to target online banking users of a range of New Zealand banks.
Phishing kit "readme.txt" page
But Google searching some keywords from the phishing kit, it looks like the kit is used a lot and comes in different variations. Here is a screenshot of a fake “Tax Refund Portal” mimicking UK’s HM Revenue and Customs webpage, again instructing users to click on their bank logo:
Tax refund portal linking to a range of UK banks
The above suggests the ‘package’ is shared around, to be used by multiple groups. Such people only need a PHP web server (preferably a hacked web server) and to configure a PHP file to send phished banking information to their email address. That’s pretty easy, and probably why these type of phishing scams are persistent.