We all receive a lot of phishing scam emails every day, and thanks to mail spam filters [Gmail in my case] we never get to see most of them, as they are marked as spam by the mail client before they reach us. However, sometimes they do make it to your inbox, and they look very real.
I received one such phishing email from the Income Tax Department today. The email address it came from looked really authentic, and so I was intrigued by the possibility of it being fake. It quoted an income tax amount that looked reasonable and also carried the logo of the Indian Income Tax Department.
However, for all its apparent authenticity the mail still looked fake, but just to prove that it indeed was fake, I went about exploring the mail header information which Gmail nicely provides. And that is where the bad guy [I would hate to call him a hacker] made his mistake. Actually he didn't make a mistake as such; he just went about it the traditional way of email spoofing. The bad guy used an address at incometaxindiafiling.gov.in, a domain which apparently doesn't exist. The email id was firstname.lastname@example.org; however, the interesting part was the "via" field which Gmail attaches, which told me that the email was sent from some free hosting account. A quick look at the email header revealed the following information:
[Image: Phishing mail header as shown by Gmail]
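The check behind Gmail's "via" field, as an added example that is not code from the original post: parse the raw headers, compare the domain in From: with the envelope sender in Return-Path and the first-hop host in the Received: chain, and flag a mismatch. The header values are constructed placeholders (only the incometaxindiafiling.gov.in domain comes from the post).

```python
"""Flag a spoofed From: header by comparing it with the envelope sender.

Added example, not code from the original post. It mimics the signal Gmail
surfaces as the "via" field: From: claims one domain while the Return-Path
(SMTP envelope) and the Received: chain show the mail came from elsewhere.
All header values below are constructed placeholders, not the real mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims the tax department, the envelope does not.
SAMPLE_HEADERS = """\
Return-Path: <bounce@free-host.example>
Received: from mail.free-host.example (mail.free-host.example [203.0.113.10])
        by mx.example.net with ESMTP id abc123
        for <victim@example.net>; Mon, 01 Jan 2024 10:00:00 +0000
From: Income Tax Department <refund@incometaxindiafiling.gov.in>
Subject: Tax refund notification
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def received_hosts(msg) -> list:
    """Extract the 'from <host>' token of each Received: header, newest first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def sender_mismatch(raw_headers: str) -> dict:
    """Compare the From: domain with Return-Path and the originating host."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    hops = received_hosts(msg)
    origin = hops[-1] if hops else ""  # bottom-most Received: is the first hop
    # "via"-style signal: envelope domain differs from the displayed From: domain
    suspicious = bool(from_dom) and envelope_dom != from_dom
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "origin_host": origin, "suspicious": suspicious}

if __name__ == "__main__":
    print(sender_mismatch(SAMPLE_HEADERS))
```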
The mail had a link to submit the tax refund. The body of the mail looked like this:
[Image: Phishing mail body]
I copied the link address specified in the mail and opened it in an incognito window [I would suggest people use the same to safeguard against cookie stealing attacks]. The original site for tax collection looked like this:
[Image: Phishing tax site]
And on choosing a bank [I chose Axis Corporate Bank for testing; never disclose your real bank name =)] we get a pretty good looking login page, which again looks very familiar.
[Image: Axis Corporate Bank phishing page]
Interestingly, the page accepts anything you type as username and password, so you can type in whatever you want. Also, before going to the payment step Google Chrome does warn you that the site has been reported for phishing. Apparently the original domain of this site runs an online shopping site: http://vizuw.com.br/, which I suspect is also a site aimed at stealing your credit card information, and I would want to report that for phishing too. [Any idea on how to report sites for phishing?]
On a final note, I did some research about the IP address of the site and found out that it is hosted in the US on a Media Temple server; a whois lookup revealed the following details about the server.
[Image: Domain whois for the phishing site]
Finally, I marked the mail as spam in Gmail and hope that Google learns from it and flags other such mails as spam in future. I would just like to remind everyone to follow anti-phishing guidelines while browsing, and to double check the domain name as well as any other security warnings from banks while performing any online transaction.
Just remember, NO BANK WILL EVER EMAIL YOU ASKING ABOUT YOUR PASSWORD.
Wishing everyone a safe and happy browsing experience =) Do leave a comment as I would love to read your feedback =)