Phishing scam alert: “Your tax refund is here. Very important!”

A graphic of a computer screen with a fishing line sprouting out of it

Image Source: How Stuff Works (Phishing)

I just received an email from “support@ato.guv.au”. This is a dummy email address that resolves to the phisher’s domain – notice that they’ve misspelt the proper government domain “gov” as “guv”.

This alert does not apply only to Australians – this scam is probably sent to people in many countries shortly after the close of their particular nation’s tax year.

Dear Applicant:

After the last annual calculation of our fiscal activity we have determined that your tax refund was miscalculated.
Please provide us with payment details for your tax refund.

Tax refund pending: $ 1400 AUD

Please apply online to get it.
Atention this ChargeBack is available only if you apply online.

Please submit the tax refund and allow us 3-9 business days in order to process it.

For those who are into details, here are the headers of the email (with my own details xxx-ed out; in the abuse report I’m sending to the abuse@ address and CC’ing to DreamHost, they will be left intact):

Delivered-To: xxxxxxxx@xxxxxxxx.com
Received: by 10.231.168.130 with SMTP id u2cs323527iby;
Tue, 6 Jul 2010 14:47:08 -0700 (PDT)
Received: by 10.142.178.2 with SMTP id a2mr194372wff.37.1278452827770;
Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Return-Path:
Received: from homiemail-mx12.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119])
by mx.xxxxxxxx.com with ESMTP id z1si12081959wfd.86.2010.07.06.14.47.07;
Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Received-SPF: neutral (xxxxxxxx.com: 208.97.132.119 is neither permitted nor denied by best guess record for domain of thewater@host.genevange.com) client-ip=208.97.132.119;
Authentication-Results: mx.xxxxxxxx.com; spf=neutral (xxxxxxxx.com: 208.97.132.119 is neither permitted nor denied by best guess record for domain of thewater@host.genevange.com) smtp.mail=thewater@host.genevange.com
Received: from host.genevange.com (host.genevange.com [72.52.215.182])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id 45EE3278305
for ; Tue, 6 Jul 2010 14:47:07 -0700 (PDT)
Received: from thewater by host.genevange.com with local (Exim 4.69)
(envelope-from )
id 1OWFyo-0001xP-Lw
for xxxxxxxx@xxxxxxxx.xxxxxxxx.au; Tue, 06 Jul 2010 17:47:02 -0400
To: xxxxxxxx@xxxxxxxx.xxxxxxxx.au
Subject: Your tax refund is here. Very important!
From: support@ato.guv.au
Reply-To: support@ato.guv.au
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Tue, 06 Jul 2010 17:47:02 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – host.genevange.com
X-AntiAbuse: Original Domain – xxxxxxxx.xxxxxxxx.au
X-AntiAbuse: Originator/Caller UID/GID – [32052 32054] / [47 12]
X-AntiAbuse: Sender Address Domain – host.genevange.com
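As an added example (not part of the original post), here is a Python triage of the headers above: it walks the Received chain to the host that connected to the first relay, which is the same IP the DreamHost reply in the comments asks the abuse report to go to, and compares the displayed From domain with the authenticated envelope sender and with a legitimate reference domain. The reference ato.gov.au is assumed here (the post names only the “gov” spelling), and the header sample is the page’s own headers re-folded with indentation so the standard library parser accepts them.

```python
import re
from email import message_from_string
# Constructed sample: the relevant headers quoted in the post, re-folded with
# leading whitespace so the stdlib parser accepts continuation lines; addresses
# the blog stripped ("for ;", "envelope-from") stay empty as on the page.
RAW = """\
Received: from homiemail-mx12.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119])
    by mx.xxxxxxxx.com with ESMTP id z1si12081959wfd.86.2010.07.06.14.47.07; Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Authentication-Results: mx.xxxxxxxx.com; spf=neutral (xxxxxxxx.com: 208.97.132.119
    is neither permitted nor denied by best guess record for domain of
    thewater@host.genevange.com) smtp.mail=thewater@host.genevange.com
Received: from host.genevange.com (host.genevange.com [72.52.215.182])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    by homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id 45EE3278305
    for ; Tue, 6 Jul 2010 14:47:07 -0700 (PDT)
Received: from thewater by host.genevange.com with local (Exim 4.69)
    (envelope-from ) id 1OWFyo-0001xP-Lw for xxxxxxxx@xxxxxxxx.xxxxxxxx.au; Tue, 06 Jul 2010 17:47:02 -0400
From: support@ato.guv.au
"""
# "from <host> (<rdns> [<ip>]) ... by <relay>"; Received lines without an IP
# literal (the local Exim injection, Gmail-internal hops) are deliberately skipped
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\).*?\bby\s+(\S+)")
def unfold(value):  # collapse folded header continuation lines into one line
    return " ".join((value or "").split())

def received_hops(raw):
    # (sending_host, ip, receiving_host) per Received header, newest first
    hits = (HOP.search(unfold(v)) for v in message_from_string(raw).get_all("Received", []))
    return [m.groups() for m in hits if m]

def originating_ip(raw):
    # oldest hop with an IP literal: the machine that connected to the first relay
    hops = received_hops(raw)
    return hops[-1][1] if hops else None

def envelope_sender(raw):
    # envelope sender as recorded by the receiving MX in Authentication-Results
    m = re.search(r"smtp\.mail=(\S+)", unfold(message_from_string(raw).get("Authentication-Results")))
    return m.group(1) if m else None

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(seen, legit):
    # equal-length domains that differ in exactly one character (guv vs gov)
    return len(seen) == len(legit) and sum(a != b for a, b in zip(seen, legit)) == 1

def sender_mismatch(raw):
    # True when the displayed From domain differs from the authenticated envelope domain
    env = envelope_sender(raw)
    return env is not None and domain(env) != domain(message_from_string(raw)["From"])
```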


Categories: technology

4 replies

  1. For some reason, I get South African ones (I live in Belgium). It could be because of a Zimbabwean mailing list I’m signed up to, but then I’m signed up to lists from Australia and the US as well, so … I don’t know.
    I love that ‘guv’ though – hilarious!

  2. Well, where is it? 🙂
    Or did you forward it to abuse@ … if you did, that’s great, that’s where it should get sent!
    Unfortunately, it looks as though it’s not being sent from our network, so there’s nothing we can really do about it. Your best bet is actually to send it to abuse@sourcedns.com, the abuse contact for the IP which connected to us to send the email: 72.52.215.182

    • Hi, Jeremy K – I did send the report to abuse@ with a CC to DreamHost – if you didn’t get the CC then I may need to resend to abuse@ as well. I certainly didn’t mean to imply that DH was itself doing anything nefarious, merely that you needed a heads-up. I will modify the post to clarify this.

  3. I’m getting a tax refund, guv!