Tax Season Phishing

Recently, we came across a phishing document impersonating Form 1040. This is an IRS tax form filed by residents in the United States during the tax season. Attackers usually take advantage of the tax season and distribute their malicious files while masquerading as legitimate forms and documents.

In our case, the PDF document was called “2018 1040 Tax Forms5.pdf” and was uploaded to Google Drive. In addition to its misleading name, victims may be less suspicious of this document since it is available from a legitimate Google service.

Surprisingly, the document contains three links:

  • hxxp://tny[.]sh/dNoT2Qe
  • hxxp://go2l[.]ink/1tL7
  • hxxps://ondrivefile[.]org/review

The first two links are no longer active and might have been left there from previous versions of this document. Clicking on the “View Files On OneDrive” button leads to the third link, which is still active, and impersonates a OneDrive login page:

Accessing the homepage of ondrivefile[.]org shows that this website has directory listing enabled,

This allows us to see the available directories and files in this website, including an archive called “newoffice.zip” which is the phishing kit being used. Looking at the source code of the phishing kit, we found out that it was supposedly created by someone who uses the avatar “RuleByGunz”:

Looking up this avatar online did not yield any interesting results, nor did it lead us to a real individual. One of the PHP scripts in the phishing kit archive shows that after the credentials are stolen, they are sent to the attacker via e-mail:

The attacker’s e-mail in this case is [email protected][.]com:

Attackers using this phishing kit are instructed by its authors to add their e-mail address to the code in order to receive the stolen credentials. The authors include a “user’s guide” or a “manual” in the phishing kit to instruct the attackers on how to use it”

Interestingly enough, this was the only place where the phishing kit authors used a different avatar than “RuleByGunz” and referred to themselves as “Mircboot”. Looking up this avatar led us to accounts in multiple hacking forums:

In addition, we found websites where Mircboot was promoting their services and offering things such as spamming tools, stealers and more:

We managed to find multiple websites associated with Mircboot, and which have been involved in phishing attacks in the past.

Attacker’s Malicious Artifacts:

ondrivefile[.]org

ondrivefile[.]com

ondrivefile[.]co

ondrivefile[.]net

1nedrivelive[.]live

[email protected][.]com

Phishing Kit Authors’ Malicious Artifacts:

ephonepremium[.]com

h4ckingsh3lls[.]com

fud007[.]com

c99shells[.]com

keyfinhome[.]com

toolstuff[.]me

[email protected][.]com

[email protected][.]com