A new scam

Discussion in 'NZ Computing' started by Gib Bogle, Jul 6, 2011.

  1. Gib Bogle

    Gib Bogle Guest

    Well, I haven't seen it before. Sent supposedly by ,
    but really by

    Dear Customer,

    After the last annual calculations of your fiscal activity, we have
    determined that you
    are eligible to receive a tax refund of 250.97 NZ Dollars. Please submit
    the tax refund
    request and allow us 2-3 days in order to process it.
    Click link below to submit your tax refund request.

    http://www.ird.govt.nz/income-tax-individual/refundForm/


    Note : A refund can be delayed a variety of reasons, for example
    submitting invalid
    records or applying after deadline.

    Inland Revenue
    PO Box 39050
    Wellington Mail Centre
    Lower Hutt 5045

    For more info on government services go to newzealand.govt.nz

    Copyright 2011 Inland Revenue


    The interesting thing is that the first part of the URL is OK:
    http://www.ird.govt.nz/income-tax-individual
    but the bit on the end sends you off to the scam site. I didn't realize
    that was possible. No spelling or grammar mistakes in the email, which
    is unusual.
     
    Gib Bogle, Jul 6, 2011
    #1
    1. Advertising

  2. Gib Bogle

    David Empson Guest

    Gib Bogle <> wrote:

    > Well, I haven't seen it before. Sent supposedly by ,
    > but really by


    As it happens, I just got the same spam.

    > Dear Customer,
    >
    > After the last annual calculations of your fiscal activity, we have
    > determined that you
    > are eligible to receive a tax refund of 250.97 NZ Dollars. Please submit
    > the tax refund
    > request and allow us 2-3 days in order to process it.
    > Click link below to submit your tax refund request.
    >
    > http://www.ird.govt.nz/income-tax-individual/refundForm/
    >
    >
    > Note : A refund can be delayed a variety of reasons, for example
    > submitting invalid
    > records or applying after deadline.
    >
    > Inland Revenue
    > PO Box 39050
    > Wellington Mail Centre
    > Lower Hutt 5045
    >
    > For more info on government services go to newzealand.govt.nz
    >
    > Copyright 2011 Inland Revenue
    >
    >
    > The interesting thing is that the first part of the URL is OK:
    > http://www.ird.govt.nz/income-tax-individual
    > but the bit on the end sends you off to the scam site.


    No it doesn't. The URL is faked. The message is in HTML format, and the
    link you see in the body of the message text is not the same as the
    actual URL attached to that text.

    The actual URL in my copy is pointing to a page hosted at
    cpe-67-49-90-206.socal.res.rr.com, which looks like a Time Warner cable
    customer in the US, probably a computer which is part of a botnet
    (unknown to its owner).

    Have a look at the page source for your e-mail, or in many e-mail
    clients you can point at the link without clicking and it will show a
    tooltip with the actual URL.

    This is just a run of the mill phishing attempt. The usual warnings
    apply - don't click on links in e-mail messages without checking them
    first.

    > I didn't realize that was possible.


    The only way a genuine URL with the last bit modified could direct you
    to a scam site would be if the scammers had already got control of
    something on your computer, in your router, at your ISP, in a major
    router somewhere between your ISP and the real destination, or they had
    hacked the actual IRD web site.

    --
    David Empson
     
    David Empson, Jul 6, 2011
    #2
    1. Advertising

  3. Gib Bogle

    Gib Bogle Guest

    On 7/6/2011 12:30 PM, David Empson wrote:
    > Gib Bogle<> wrote:


    >> The interesting thing is that the first part of the URL is OK:
    >> http://www.ird.govt.nz/income-tax-individual
    >> but the bit on the end sends you off to the scam site.

    >
    > No it doesn't. The URL is faked. The message is in HTML format, and the
    > link you see in the body of the message text is not the same as the
    > actual URL attached to that text.


    Ah, of course.

    >> I didn't realize that was possible.

    >
    > The only way a genuine URL with the last bit modified could direct you
    > to a scam site would be if the scammers had already got control of
    > something on your computer, in your router, at your ISP, in a major
    > router somewhere between your ISP and the real destination, or they had
    > hacked the actual IRD web site.


    OK, so what I thought was happening in fact isn't possible.
     
    Gib Bogle, Jul 6, 2011
    #3
  4. Gib Bogle

    Geopelia Guest

    "Gib Bogle" <> wrote in message
    news:iv0bai$qme$...
    > On 7/6/2011 12:30 PM, David Empson wrote:
    >> Gib Bogle<> wrote:

    >
    >>> The interesting thing is that the first part of the URL is OK:
    >>> http://www.ird.govt.nz/income-tax-individual
    >>> but the bit on the end sends you off to the scam site.

    >>
    >> No it doesn't. The URL is faked. The message is in HTML format, and the
    >> link you see in the body of the message text is not the same as the
    >> actual URL attached to that text.

    >
    > Ah, of course.
    >
    >>> I didn't realize that was possible.

    >>
    >> The only way a genuine URL with the last bit modified could direct you
    >> to a scam site would be if the scammers had already got control of
    >> something on your computer, in your router, at your ISP, in a major
    >> router somewhere between your ISP and the real destination, or they had
    >> hacked the actual IRD web site.

    >
    > OK, so what I thought was happening in fact isn't possible.


    I got that one. They ask for my Debit card information. Hard luck, I don't
    have one.
    My refund if any always goes to my bank account.
    And why would the tax people ask for Driver's Licence information?
    An email to me would be addressed to my email not to admin govt etc.

    But they got the refund amount almost right. Good Guess?
     
    Geopelia, Jul 6, 2011
    #4
  5. Gib Bogle

    Donchano Guest

    On Wed, 06 Jul 2011 11:42:12 +1200, Gib Bogle <>
    shouted from the highest rooftop:

    >Well, I haven't seen it before. Sent supposedly by ,
    >but really by
    >
    >Dear Customer,


    I've received a dozen or so variations, but after I market it SPAM in
    my mail filter they've gone directly into my junk forlder. But I check
    that folder each day for false positives so I see the subject listed.
    I've also reported a couple to SpamCop.
     
    Donchano, Jul 6, 2011
    #5
  6. Gib Bogle

    Ralph Fox Guest

    On Wed, 06 Jul 2011 11:42:12 +1200, in message <iv07go$il9$>
    Gib Bogle wrote:

    > Well, I haven't seen it before. Sent supposedly by ,
    > but really by
    >
    > Dear Customer,
    >
    > After the last annual calculations of your fiscal activity, we have
    > determined that you
    > are eligible to receive a tax refund of 250.97 NZ Dollars. Please submit
    > the tax refund
    > request and allow us 2-3 days in order to process it.
    > Click link below to submit your tax refund request.


    I received a number of these several months ago, but I haven't
    seen any lately. Maybe the spammers are now onto the next CD
    of harvested email addresses.

    Several of the ones I received originated from NZ IP addresses;
    a couple on telecom adsl and one on another ISP. Probably 0wn3d
    computers; or that was my guess. The emails have long since been
    deleted, but at the it did cross my mind to post the IP addresses
    in here as a kind of "name and shame".

    --
    Kind regards
    Ralph
     
    Ralph Fox, Jul 6, 2011
    #6
  7. Gib Bogle

    Matty F Guest

    On Jul 6, 11:42 am, Gib Bogle <> wrote:

    > The interesting thing is that the first part of the URL is OK:http://www.ird.govt.nz/income-tax-individual
    > but the bit on the end sends you off to the scam site. I didn't realize
    > that was possible.


    What horrible browser or email client are you using that doesn't warn
    you that the displayed URL is not the same as the URL hidden under it?
     
    Matty F, Jul 6, 2011
    #7
  8. Gib Bogle

    Gib Bogle Guest

    On 7/6/2011 10:19 PM, Matty F wrote:
    > On Jul 6, 11:42 am, Gib Bogle<> wrote:
    >
    >> The interesting thing is that the first part of the URL is OK:http://www.ird.govt.nz/income-tax-individual
    >> but the bit on the end sends you off to the scam site. I didn't realize
    >> that was possible.

    >
    > What horrible browser or email client are you using that doesn't warn
    > you that the displayed URL is not the same as the URL hidden under it?


    Mozilla Thunderbird
     
    Gib Bogle, Jul 6, 2011
    #8
  9. In article <iv0e6q$d40$>, "Geopelia" <> wrote:
    (snip)

    >But they got the refund amount almost right. Good Guess?


    Most people in NZ would have been IR5 form filers, so are likely to be in
    the "a few hundred plus or minus category" should they happen work it out.
    Do the scammers know that ? ... probably not.

    It's also likely to be a number that's big enough to cause interest without
    being so big it arouses superstition. Basic marketing ploy. :)
     
    Bruce Sinclair, Jul 7, 2011
    #9
  10. In article <>, Kiwi <> wrote:
    (snip)

    >I received one about two months ago. Examining the email headers
    >revealed the phishing attempt. I sent the details to the real IRD
    >spam reporting section, including the registration details of the
    >actual return address domainholder.
    >
    >As usual with the IRD, they didn't even bother to respond. :(


    IRD have an email address ? ... that you can send things to without being
    'registered' with them ??
     
    Bruce Sinclair, Jul 7, 2011
    #10
  11. In article <>, Matty F <> wrote:

    (snip)

    >It looks like Thunderbird looked at having a phishing warning back in
    >2005 and never finished it.
    >
    >https://bugzilla.mozilla.org/show_bug.cgi?id=279191
    >
    >Eudora displays a caution when I hover over a phishing URL, like this:
    >The actual host [YYYYYY] is different from the host [XXXXXX] in the
    >link text


    ... and fair enough too, given your eyes can check that easily. :) :)
     
    Bruce Sinclair, Jul 7, 2011
    #11
  12. Gib Bogle

    Matty F Guest

    On Jul 7, 10:31 am, Gib Bogle <> wrote:
    > On 7/6/2011 10:19 PM, Matty F wrote:
    >
    > > On Jul 6, 11:42 am, Gib Bogle<> wrote:

    >
    > >> The interesting thing is that the first part of the URL is OK:http://www.ird.govt.nz/income-tax-individual
    > >> but the bit on the end sends you off to the scam site. I didn't realize
    > >> that was possible.

    >
    > > What horrible browser or email client are you using that doesn't warn
    > > you that the displayed URL is not the same as the URL hidden under it?

    >
    > Mozilla Thunderbird


    It looks like Thunderbird looked at having a phishing warning back in
    2005 and never finished it.

    https://bugzilla.mozilla.org/show_bug.cgi?id=279191

    Eudora displays a caution when I hover over a phishing URL, like this:
    The actual host [YYYYYY] is different from the host [XXXXXX] in the
    link text
     
    Matty F, Jul 7, 2011
    #12
  13. Gib Bogle

    Gib Bogle Guest

    On 7/7/2011 11:08 AM, Bruce Sinclair wrote:
    > In article<iv0e6q$d40$>, "Geopelia"<> wrote:
    > (snip)
    >
    >> But they got the refund amount almost right. Good Guess?

    >
    > Most people in NZ would have been IR5 form filers, so are likely to be in
    > the "a few hundred plus or minus category" should they happen work it out.
    > Do the scammers know that ? ... probably not.
    >
    > It's also likely to be a number that's big enough to cause interest without
    > being so big it arouses superstition. Basic marketing ploy. :)
    >


    superstition? ;-)
     
    Gib Bogle, Jul 7, 2011
    #13
  14. In article <iv2tmj$r7h$>, Gib Bogle <> wrote:
    >On 7/7/2011 11:08 AM, Bruce Sinclair wrote:
    >> In article<iv0e6q$d40$>, "Geopelia"<>

    > wrote:
    >> (snip)
    >>
    >>> But they got the refund amount almost right. Good Guess?

    >>
    >> Most people in NZ would have been IR5 form filers, so are likely to be in
    >> the "a few hundred plus or minus category" should they happen work it out.
    >> Do the scammers know that ? ... probably not.
    >>
    >> It's also likely to be a number that's big enough to cause interest without
    >> being so big it arouses superstition. Basic marketing ploy. :)
    >>

    >
    >superstition? ;-)


    :) ... funny isn't it ... I spent ages looking at that thinking it was wrong
    ... then did nothing about it. Could be ... or there could even be some
    suspicion as well ? :)
     
    Bruce Sinclair, Jul 7, 2011
    #14
  15. In article <>, Matty F <> wrote:
    >On Jul 7, 11:10 am,
    >(Bruce Sinclair) wrote:
    >> In article <>,

    > Matty F <> wrote:
    >> (snip)
    >> >It looks like Thunderbird looked at having a phishing warning back in
    >> >2005 and never finished it.

    >>
    >> >https://bugzilla.mozilla.org/show_bug.cgi?id=279191

    >>
    >> >Eudora displays a caution when I hover over a phishing URL, like this:
    >> >The actual host [YYYYYY] is different from the host [XXXXXX] in the
    >> >link text

    >>
    >> .. and fair enough too, given your eyes can check that easily. :) :)

    >
    >The computer can detect better than my eyes that these are all
    >different:
    >
    >ird lrd 1rd
    >
    >and sometimes the front of the URL looks valid but there are 30 blanks
    >after it follwed by a redirection to somewhere nasty.


    Eye tests perhaps ? :)
    As I typed earlier, look at the source code ... if you really must read
    email as html of course. I read emails as text, and it cuts out a lot of
    rubbish. :)
     
    Bruce Sinclair, Jul 7, 2011
    #15
  16. Gib Bogle

    Matty F Guest

    On Jul 7, 11:10 am,
    (Bruce Sinclair) wrote:
    > In article <>, Matty F <> wrote:
    >
    > (snip)
    >
    > >It looks like Thunderbird looked at having a phishing warning back in
    > >2005 and never finished it.

    >
    > >https://bugzilla.mozilla.org/show_bug.cgi?id=279191

    >
    > >Eudora displays a caution when I hover over a phishing URL, like this:
    > >The actual host [YYYYYY] is different from the host [XXXXXX] in the
    > >link text

    >
    > .. and fair enough too, given your eyes can check that easily. :) :)


    The computer can detect better than my eyes that these are all
    different:

    ird lrd 1rd

    and sometimes the front of the URL looks valid but there are 30 blanks
    after it follwed by a redirection to somewhere nasty.
     
    Matty F, Jul 7, 2011
    #16
  17. Gib Bogle

    Geopelia Guest

    "Bruce Sinclair" <> wrote
    in message news:iv2tfs$mfa$...
    > In article <>, Kiwi
    > <> wrote:
    > (snip)
    >
    >>I received one about two months ago. Examining the email headers
    >>revealed the phishing attempt. I sent the details to the real IRD
    >>spam reporting section, including the registration details of the
    >>actual return address domainholder.
    >>
    >>As usual with the IRD, they didn't even bother to respond. :(

    >
    > IRD have an email address ? ... that you can send things to without being
    > 'registered' with them ??
    >


    I kept asking them for an IR3 and nothing happened. Then I phoned them and
    got one in the post a few days later. We are registered now.
    But now they tell me I don't need to send an IR3, (I've sent ours in
    anyway), but there's something else I can claim our imputation credits on
    for next year. I have to be Hubby's nominated person to do his.
    Our tax agent wanted over $200 EACH to do our tax! Just Super and three
    shares, plus bank interest.
    So I'll be doing it myself from now on.
     
    Geopelia, Jul 7, 2011
    #17
  18. Gib Bogle

    Geopelia Guest

    "Bruce Sinclair" <> wrote
    in message news:iv2tdu$mfa$...
    > In article <iv0e6q$d40$>, "Geopelia" <>
    > wrote:
    > (snip)
    >
    >>But they got the refund amount almost right. Good Guess?

    >
    > Most people in NZ would have been IR5 form filers, so are likely to be in
    > the "a few hundred plus or minus category" should they happen work it out.
    > Do the scammers know that ? ... probably not.
    >
    > It's also likely to be a number that's big enough to cause interest
    > without
    > being so big it arouses superstition. Basic marketing ploy. :)
    >


    The Nigerian scam is getting bigger. Now they offered me Billions!
     
    Geopelia, Jul 7, 2011
    #18
  19. Gib Bogle

    Matty F Guest

    On Jul 8, 12:13 am, "Geopelia" <> wrote:

    > I kept asking them for an IR3 and nothing happened. Then I phoned them and
    > got one in the post a few days later. We are registered now.
    > But now they tell me I don't need to send an IR3, (I've sent ours in
    > anyway), but there's something else I can claim our imputation credits on
    > for next year. I have to be Hubby's nominated person to do his.
    > Our tax agent wanted over $200 EACH to do our tax! Just Super and three
    > shares, plus bank interest.
    > So I'll be doing it myself from now on.


    It it now quite easy to do an IR3 online.
    IRD fill in most of the form for you.
    Just put in your interest and dividend amounts.
    The AECT don't make their dividend details clear, and they take out
    far too much tax, so everyone needs to do an IR3 just to get that
    back.

    The details are:
    Imputation Credit 140.51
    RWT deducted 14.05
    Gross Taxble dividend 468.37
     
    Matty F, Jul 8, 2011
    #19
  20. Gib Bogle

    Donchano Guest

    On Fri, 8 Jul 2011 00:16:38 +1200, "Geopelia" <>
    shouted from the highest rooftop:

    >
    >"Bruce Sinclair" <> wrote
    >in message news:iv2tdu$mfa$...
    >> In article <iv0e6q$d40$>, "Geopelia" <>
    >> wrote:
    >> (snip)
    >>
    >>>But they got the refund amount almost right. Good Guess?

    >>
    >> Most people in NZ would have been IR5 form filers, so are likely to be in
    >> the "a few hundred plus or minus category" should they happen work it out.
    >> Do the scammers know that ? ... probably not.
    >>
    >> It's also likely to be a number that's big enough to cause interest
    >> without
    >> being so big it arouses superstition. Basic marketing ploy. :)
    >>

    >
    >The Nigerian scam is getting bigger. Now they offered me Billions!


    Inflation.
     
    Donchano, Jul 8, 2011
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Michael Thompson

    New Ebay Scam

    Michael Thompson, Jul 27, 2003, in forum: Computer Support
    Replies:
    1
    Views:
    478
    Jimchip
    Jul 27, 2003
  2. Richard
    Replies:
    11
    Views:
    679
    TRADESMAN
    Nov 8, 2003
  3. New scam warning.

    , Mar 18, 2005, in forum: Computer Support
    Replies:
    2
    Views:
    451
  4. Del March

    "Unrated": the new scam

    Del March, Sep 7, 2004, in forum: DVD Video
    Replies:
    15
    Views:
    1,175
    Tarkus
    Sep 13, 2004
  5. Cash4gold Scam Ripoffreport.com Scam

    , May 27, 2009, in forum: Digital Photography
    Replies:
    3
    Views:
    3,142
    BadForPeople
    May 5, 2012
Loading...

Share This Page