2014.07.21: Phishing Attempt, "Verify Your Return Status(IRS.gov)"

Update: A second phishing attempt was received the morning of July 22nd. We have contacted the source to have them take action to secure their users' accounts. As would be expected, the contents of this message are the same as the first; please do not engage with the message.


Just before 1PM on July 18th, 2014, a number of CalArts email accounts received a message with the subject line "Verify Your Return Status(IRS.gov)":

[Image: VerifyYourReturnStatus.jpg]

The link contained in this message goes to a Google Form titled "IRS.GOV":

[Image: VerifyYourReturnStatus-form.jpg]

This is a phishing scheme designed to trick its recipient into divulging personal information. If you entered your personal information before realizing the form was not valid, please contact IT as soon as possible.

Below is the raw email data:

Delivered-To: xxxxxxxx@calarts.edu
Received: by 10.96.100.165 with SMTP id ez5csp153503qdb;
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
X-Received: by 10.66.227.73 with SMTP id ry9mr28278151pac.18.1405972521386;
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
Return-Path: <kej5@njit.edu>
Received: from psmtp.com (na3sys009amx219.postini.com [74.125.149.59])
by mx.google.com with SMTP id os2si969632pdb.301.2014.07.21.12.55.15
for <xxxxxxxx@calarts.edu>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
Received-SPF: neutral (google.com: 74.125.149.59 is neither permitted nor denied by domain of kej5@njit.edu) client-ip=74.125.149.59;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 74.125.149.59 is neither permitted nor denied by domain of kej5@njit.edu) smtp.mail=kej5@njit.edu
Received: from mail-we0-f195.google.com ([74.125.82.195]) (using TLSv1) by na3sys009amx219.postini.com ([74.125.148.10]) with SMTP;
Mon, 21 Jul 2014 19:55:16 GMT
Received: by mail-we0-f195.google.com with SMTP id p10so2814259wes.10
for <xxxxxxxx@calarts.edu>; Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:sender:date:message-id:subject:from
:to:content-type;
bh=EmySBXQ8vCM8xExfZWyuC5wGtf3B/pxFKx8cmb0Z9JA=;
b=P39l/tT0X2wrsvH4DoyS3w8bXe/AkpMe3Lr6d13MTwzbj85xW70YK2Rn6lF8iwTaKu
1Ee1mwF+qRIVx6RsaXMpSf8fEwJHrNCHrEdIpAbZ5bm4LY/oE4onqkuXOaPyzMeZzetf
OLCqar2r7TTIImEr7koglPg80qZuUZsvRvzVGOr9WlErJ63iyLOqJnNzLq4YcTvKBNrI
ET9XFaisCBju6kTuOyqoI3YTZiSraPmgXM2nWnkhveIsE+RQ7RCsnTPr3Z/3Kplhr6tP
W1HoVH/a8giuRPEw1LCzaX4m3TNoQefXiU5CfKM0jcF1FKC8PSfGhilD6jHInUyG88Z+
XQeQ==
X-Gm-Message-State: ALoCoQl/wUfXYlOr5DtgqnNeo5dtrsdwwwf4jk/9jy4kz5vLIEB1RKDRrgUy9t5hsxkdmdkHEjHB
MIME-Version: 1.0
X-Received: by 10.180.91.225 with SMTP id ch1mr7819135wib.34.1405972511286;
Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
Sender: kej5@njit.edu
Received: by 10.194.62.77 with HTTP; Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
Date: Mon, 21 Jul 2014 11:55:11 -0800
X-Google-Sender-Auth: InCTu2KJiwtx9l4QxAnV4WV2d4A
Message-ID: <CA+Y7p34HAfWpWjtfXD0Gcj42_GvsE4c+8AJJSrPjjaJ2NJjBhQ@mail.gmail.com>
Subject: Verify Your Return Status(IRS.gov)
From: "IRS.gov" <irs.gov-irs@outlook.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=f46d04374a0519753404feb97c7f
Bcc: xxxxxxxx@calarts.edu
X-pstn-dkim: 0 skipped:not-enabled

--f46d04374a0519753404feb97c7f
Content-Type: text/plain; charset=UTF-8

IRS.gov

Update your IRS E-file immediately, click here to -
*< Update >
<https://docs.google.com/forms/d/1LdPsQ6QCL_DL3m16bGXjUhdCvQp2MCQl2RuGBjAEAWQ/viewform?usp=send_form>
**For your protection, this link would expire in six hours.*

--f46d04374a0519753404feb97c7f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">IRS.gov<br>
<br>
Update=C2=A0<span style=3D"font-size:small;font-family:Helvetica,Arial,sans=
-serif;color:rgb(0,0,0);line-height:15px">your=20
IRS E-file immediately, click here to -=C2=A0=C2=A0</span><b style=3D"font-=
size:small;font-family:Helvetica,Arial,sans-serif;color:rgb(204,0,0);line-h=
eight:15px"><span style=3D"text-decoration:underline"><a class="3D""" style=
=3D"color:rgb(0,104,207)" href=3D"https://docs.google.com/forms/d/1LdPsQ6QC=
L_DL3m16bGXjUhdCvQp2MCQl2RuGBjAEAWQ/viewform?usp=3Dsend_form" rel=3D"nofoll=
ow" target=3D"_blank"><span style=3D"color:rgb(51,51,255);line-height:norma=
l">&lt; Update &gt;</span></a>


<br>

 


</span></b><b>For your=20
protection, this link would expire in six hours.</b></div>

--f46d04374a0519753404feb97c7f--
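
The Python below is an added example, not part of the original alert or of any CalArts tooling. It checks a raw message for the mismatches visible in the headers above: a display name that poses as a domain, a From address on a different domain than Return-Path and Sender, a non-passing SPF result, hidden recipients, and a link to a hosted form. The function names and signal labels are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header subset and link line copied from the raw message above.
SAMPLE = """\
Return-Path: <kej5@njit.edu>
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 74.125.149.59 is neither permitted nor denied by domain of kej5@njit.edu) smtp.mail=kej5@njit.edu
Sender: kej5@njit.edu
From: "IRS.gov" <irs.gov-irs@outlook.com>
To: undisclosed-recipients:;

Update your IRS E-file immediately, click here to -
<https://docs.google.com/forms/d/1LdPsQ6QCL_DL3m16bGXjUhdCvQp2MCQl2RuGBjAEAWQ/viewform?usp=send_form>
"""

def addr_domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_signals(raw):
    """Return the signal labels (hypothetical names) found in one raw message."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = addr_domain(msg.get("From"))
    signals = []
    # Display name is itself a domain name, but not the domain that sent the mail.
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+", display_name) and display_name != from_domain:
        signals.append("display-name-domain-mismatch")
    # Envelope sender and Sender header belong to a different domain than From.
    for header in ("Return-Path", "Sender"):
        d = addr_domain(msg.get(header))
        if d and d != from_domain:
            signals.append(header.lower() + "-domain-mismatch")
    # The receiving server recorded an SPF result other than "pass".
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if spf and spf.group(1).lower() != "pass":
        signals.append("spf-" + spf.group(1).lower())
    # Bulk delivery with every recipient hidden in Bcc.
    if "undisclosed-recipients" in msg.get("To", "").lower():
        signals.append("undisclosed-recipients")
    # Link leads to a hosted form rather than to the claimed organisation's site.
    for host, path in re.findall(r"https?://([^/\s>]+)(/[^\s>]*)?", msg.get_payload()):
        if host.lower() == "docs.google.com" and path.startswith("/forms/"):
            signals.append("link-to-hosted-form")
    return signals

print(phishing_signals(SAMPLE))
```

Each signal also occurs in legitimate mail on its own (mailing lists and forwarders change Return-Path, for example), so the list is best used as input to scoring or triage rather than as a verdict.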
