Header Ads

FIRS Scam Email


A scam email purportedly from the Federal Inland Revenue Service has been making the rounds. It was picked up by SCAM DEX , an online site dedicated to fighting internet fraud.

Below are the email components:

Subject:  TAX CLEARANCE
From:  "eservices@firs.gov.ng" <eservices@firs.gov.ng>
Date:  Tue, 11 Dec 2018 07:14:47 - 0500

Body: please be informed that your Tax clearance has been issued and is now available
 for download.

Download the attached Tax clearance certificate, Your official TCC Number is 10048500


Thank you for using the online TCC Portal.

Note: This is a system generated mail. Please DO NOT reply to this email
CONFIDENTIALITY NOTICE: This e-mail message (including any attached documents) is intended for the
exclusive and confidential use of the individual or entity to which this message is addressed. The
contents is confidential and privileged information of FIRS. Any dissemination, distribution,
copying or alteration of the enclosed content is unlawful and prohibited

Below is a screen grab of the full email header as seen on SCAM DEX



ANALYSIS

The first thing you notice about the body of the email is that it isn’t addressed to the recipient in particular, this is always a red flag. While scammers often engage in targeted campaigns, a lot of them prefer to play the game of numbers, hoping that in sending to large numbers of people, the chance of success is increased.

Looking at the full email header, you can clearly see that the email address has been spoofed. The message-id field says <20181211094059.11CE2FEC1A@mailhost.andebio.fr>, the rule about message ids is that “If a message was purportedly sent by a certain email program but does not have a message id created by that program, it has obviously been forged.” We can clearly see from the message-id that the originating host is not firs.gov.ng but andebio.fr

Furthermore, looking back at the message body in combination with the message header, we see what the scammers were trying to achieve. In the message header we see:

reply-to:
eservices@firs.gov


Running the address eservices@firs.gov through an email validator we get:

Domain 'firs.gov' does not exist.
 MX record about 'firs.gov' does not exist.
This shows us that the reply email does not exist, hence the scammers are not expecting a reply. Their aim is rather revealed in the body of the message which reads “Download the attached Tax clearance certificate
Hence this email must have come with an attachment, which will no doubt contain a malicious payload. This payload might be a keylogger or Trojan or a combination of both, which will give the attacker a backdoor to control the victims PC.

Finally, though most people receiving this mail will know it is not intended for them, or might be suspicious, the way this phishing email is set up, there is a chance that some people might open the attachment due to curiosity. It goes without saying that you should never open an email attachment that was not meant for you or that you don’t know the sender, the best bet is to delete the email.

No comments

Powered by Blogger.