Jesper's Blog

Obligatory file photo:

Welcome to Jesper Johansson's blog. This is my home for pontification on the web. In case this is your first time here, I have been working on information security for about 20 years, and have been writing and speaking on the topic for about 10. I am also a Microsoft MVP in Windows Security.
My most recent book is the Windows Server 2008 Security Resource Kit . Because I am also a scuba instructor you may find some posts related to that topic as well. Just because it took me so long to get it, I also like to say that I have a Ph.D. in Management Information Systems from the University of Minnesota.

Phishing for a Tax Refund

What's wrong with this picture?

If you answered "why would the IRS use a web server in Korea to ask for information about my tax refund" you are a winner!

This is a phishing site preying on people who do not know that all you need to do to get your tax rebate is to file a tax return this year. Apparently, this is the hot new phishing scam, and the IRS has instructions for how to handle it.

The e-mail came in at 21:07 PDT today. By 21:30 PDT it was not recognized as a phishing site by either Internet Explorer or Firefox. By 21:35 Firefox had it marked. Impressive. By 21:40 IE did not have it marked, which I found interesting.

Published Sun, May 4 2008 9:30 PM by jesper

Filed under: Security

Comments

# Simon Anderson said on 05 May, 2008 12:56 AM

Hi Jesper,

I like it how they dont send any spam originating from there IP address. I guess when there are so many zombies out there they dont need to.

www.dnsright.com/MXBlacklist.aspx

Love reading your blog.

Cheers

Simon

# jesper said on 05 May, 2008 01:07 AM

Simon, do you mean how they can send the e-mail message without getting their mail server black listed? More than likely they are using a botnet to send this stuff. The message I got originated in an address that is part of a huge netblock allocated to Polish Telecom. I have not done any more digging than that, but I'd be willing to get it is just a bot host that was made to send e-mail. That particular address is currently black listed by only three of the mail server black lists: www.dnsright.com/MXBlacklist.aspx.

BTW, it is now 23:07 PDT, and IE still is not detecting this site as a phishing site.

Search

This Blog

Home

Community

Syndication

News

The Windows Server 2008 Security Resource Kit is available!
. You can also order it as part of the whole Windows Server 2008 Resource Kit and save some money.
Or, if you need to know about Vista instead, there is:

If you need a more general approach to help you Protect Your Windows Network, there is a book for that too

There is now a mobile version of the blog.

All postings are copyright Jesper M. Johansson or Steve Riley, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson or Steve Riley and do not reflect any official opinion of anyone else with whom the poster(s) are affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.

Powered by Community Server (Commercial Edition), by Telligent Systems