A dangerous, live IRS phish -- and the abuse desks are closed

I think everyone involved in malware takedown is getting very tired of ISPs who don’t have 7 day abuse desks.

Take, for example, one very dangerous IRS phish making the rounds right now. It’s another in a number of targeted attacks we’ve been observing lately.

[BEGIN EMAIL SAMPLE]

Subject: Tax Information - (individual’s name) - (Code individual’s email address-plus a sequence of codes)

From: "IRS.gov"

Date: Sat, 16 Jun 2007 10:35:49 -0400

To: (individual’s email address)

Account : (individual’s name)

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $163.80. Please submit the tax refund request and allow us 3-5 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please click here.

Regards,

Internal Revenue Service

[END EMAIL SAMPLE]

This phish is unique displays the recipients correct name and email address on the To: and Subject line. But the real kicker is this — embedded in the URL is the recipient’s email address, and when the recipient connects to the website, the website pulls up the recipients actual name, email and street address and displays that in the form!

http www sunbelt software com ihs alex Phish 326 victim data thumb1 jpg

So not only is the email targeted, but there's a complete back end database containing information on the intended victim. The site is obviously prompting for credit card information.

Here’s what’s frustrating: The site is hosted by Earthlink. Already, attempts have been made to get this site shut down, to no avail. As the person doing the takedown says “I was told that the only people permitted to shut the site down is the abuse team, and they don't work nights/weekends/holidays.”

So Earthlink will let hundreds, possibly thousands of people get phished over the weekend, because they can’t have even one person manning their abuse desk on the weekend.

What’s ironic is that often the smaller ISPs are the ones that are the fastest to react. The big ones, especially ones like Yahoo and AT&T, make it monumentally difficult just to get an actual phone number for them.

And in cases like this, it’s critical to be able to react rapidly.

My feeling? ISPs must have a basic level of security credentials and 7–day abuse service.

This has to stop. Really.