UPDATE (August 12, 2022): This article was updated to add information about a new phishing email.


Even though the deadline to file taxes in Canada already passed on May 2nd, 2022, some people may have filed late or are still expecting their refund. Perhaps that’s why I received a phishing email yesterday purporting to come from the Canada Revenue Agency (CRA) and promising a refund of nearly CAD$500:

Figure 1. A phishing email offering a refund from the CRA

Aside from the blunder of using guidovedebe@skynet.be as the From: address of the email, this is not how the CRA communicates. If you are using a My Service Canada Account, you should expect to receive a notification that looks like this:

Figure 2. An example of legitimate correspondence from the CRA

Understanding how phishers abuse links in emails, the CRA has taken the wise strategy of not providing links in official correspondence and instead instructing clients to navigate on their own to the official website.

If, however, you do click on the “Interac e-Transfer Autodeposit” button, you are redirected from a malicious link hosted on istandyjeno[.]hu to the malicious subfolder cra_ca_service hosted on oraclehomes[.]com:

Figure 3. A phishing website offering a tax refund from the CRA

The operators behind this campaign have done a fairly good job of creating a legitimate-looking page, but there are still some signs of the scam. For example, the footer of a legitimate page looks like this:

Figure 4. The footer of the legitimate canada.ca/en/services/taxes/income-tax/personal-income-tax.html

Furthermore, the menu items on the phishing page lead nowhere:

Figure 5. The menu links on the phishing page lead nowhere

Clicking on “Jobs” simply appends the value of the id attribute of the HTML element for “Jobs” to the URL as an in-page anchor; no other page is loaded.

Next, if you click on the “Proceed” button on the opening page, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft:

Figure 6. The first phishing form asks for personal information – enough for identity theft

If you then click on the “Continue” button, the next page asks for your credit card information:

Figure 7. The second phishing form asks for credit card information

The final page falsely confirms that your refund will be deposited to your credit card account within 5-10 business days:

Figure 8. The confirmation page of the phishing site

Finally, you are redirected to a legitimate CRA webpage:

Figure 9. The legitimate “Personal income tax” page of the CRA website

The same redirection happens if you attempt to navigate directly to the cra_ca_service subdirectory of the site.

ESET blocks these threats as a phishing attempt:

Figure 10. ESET blocks the malicious istvandyjeno[.]hu domain

Figure 11. ESET blocks the malicious oraclehomes[.]com/cra_ca_service site

UPDATE:

On August 12, 2022, I received another phishing email posing as the CRA:

Figure 12. Another phishing email offering a refund from the CRA

Curiously, the apparent sender this time is marcamand@skynet.be, which uses the same email service as the previous sender guidovedebe@skynet.be.

Clicking on any of the links in this email redirects from a malicious link hosted on szobafestes-azonnal[.]eu to the malicious subfolder cra_ca_service hosted on uudamspa[.]vn:

Figure 13. The same phishing forms are used as in the previous campaign

The phishing forms in this attack look exactly the same as in the previous campaign. Is this the same attacker? Maybe. In any case, ESET blocks this threat too:

Figure 14. ESET blocks the malicious szobafestes-azonnal[.]eu domain

Figure 15. ESET blocks the malicious uudamspa[.]vn domain

Interestingly, the home page of szobafestes-azonnal[.]eu advertises a hacker group called 1877 Team:

Figure 16. The domain szobafestes-azonnal[.]eu leads to a landing page for the 1877 Team hacker group

Phishing in perspective

According to the ESET Threat Report T1 2022, approximately a third of the phishing URLs detected in the first four months of 2022 impersonated financial organizations. But there are other popular contenders for phishing lures, such as fake Facebook and WhatsApp login pages and websites masquerading as email services and gaming platforms:

Figure 17. Top 10 phishing website categories in the first four months of 2022 by number of unique URLs (source: ESET telemetry)

Although, in this case, the malicious operators targeted the credit card and personal information of Canadians, phishing can encompass a variety of goals like ransomware downloads, banking trojans, cryptojacking malware, and botnet deployments. Therefore, keep in mind the following advice to spot and steer clear of this threat:

  • Consider whether the purported sender normally communicates via email in this way.
  • Rather than clicking on links in an email, it is better to navigate manually to the official website of the apparent sender.
  • Check for obvious mistakes in the email. For example, why would the Canada Revenue Agency send you email from guidovedebe@skynet.be?
  • Always be wary of sharing your personal and financial information with any webpage.
  • Familiarize yourself with the CRA scam alerts page, especially with the samples of fraudulent emails impersonating the CRA.
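The first three checks in the list above, turned into a small triage script that a mail gateway or analyst could run over a suspicious message. This is an added example, not code from the original article; the trusted-domain list, the brand keywords and the sample email are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated agency is assumed to use; an assumption for this
# example, not an official list.
TRUSTED_DOMAINS = ("canada.ca", "cra-arc.gc.ca")
# Coarse keyword heuristic for "claims to be the agency" (substring match).
BRAND_WORDS = ("canada revenue agency", "cra", "interac")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage_email(raw: str) -> list[str]:
    """Return findings mirroring the manual checks: sender domain vs. claimed
    sender, off-brand link hosts, and dead in-page anchor links."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    findings = []
    if any(w in name.lower() for w in BRAND_WORDS) and not is_trusted(from_domain):
        findings.append(f"sender mismatch: '{name}' sent from {from_domain}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href in HREF_RE.findall(body):
        if href.startswith("#"):          # menu item that only sets a fragment
            findings.append(f"dead anchor link: {href}")
            continue
        url = urlparse(href.replace("[.]", "."))  # refang defanged sample URLs
        host = url.hostname or ""
        if not is_trusted(host):
            hint = " (brand name in path)" if "cra" in url.path.lower() else ""
            findings.append(f"off-brand link host: {host}{url.path}{hint}")
    return findings

# Constructed sample modelled on the email described in the article.
SAMPLE = """\
From: "Canada Revenue Agency" <guidovedebe@skynet.be>
Subject: Your refund is ready
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://istandyjeno[.]hu/go">Interac e-Transfer Autodeposit</a>
<a href="#jobs">Jobs</a>
<a href="https://www.canada.ca/en/services/taxes.html">Taxes</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE):
        print(finding)
```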