This morning I received an email purporting to be a communication from the Canada Revenue Agency. It turned out to be scam trying to gather credit card information. But it took a rather roundabout way of getting there ...
Stage 1: The email message
A red flag here: the greeting line uses the mail address. Actual correspondence from the CRA would use either “Cher Blue” or “Monsieur, Madame”. The URL is also subtly wrong; for the French version of the CRA the URL is www.canada.ca/fr/ ...
Partial translation:
Stage 2: The PDF
The URL above actually pointed to https://t.co/ec0UVVXwZQ. It served up a PDF that required a password to open, said password being 031187. The text of the PDF was as follows:
Translation:
This is a huge red flag. The CRA doesn't need anyone to fill out a “tax refund form.” It automatically sends refunds once the return has been processed, via direct deposit if it has information on file, or by mailing a cheque to the address specified on the taxpayer's return.
Stage 3: The redirect
The link at “JE CONSULTE LES DÉMARCHES A SUIVRE” went to https://www.washtogo.ae/wp-content/DE.html.
That, in turn, consisted only of a <meta> tag:
Stage 4: The remarkably simple CAPTCHA
The page above redirected to https://pdf.name/canada/MyCra/confirmation.php, which asked for a CAPTCHA that was remarkably easy to read, and consisted of the text 031187 (the same as the password on the PDF.) The same number appeared regardless of the nummber of times the page was reloaded. At least it verified the input; entering anything other than 031187 returned an error.
Stage 5: The fake login page
It then redirected to the following URL:
Trying with a differnt browser showed a different customer_LoginCMD but an identical session number. Playing around with those numbers didn’t seem to break anything.
Chromium recognized the page was in French and asked if I wanted it translated. Because I can puzzle out only about 30% of any given French text, I chose English. The page read:
The three links at the bottom (Legal, Terms and Conditions, Privacy) all returned me to the above page. Not very sophisticated.
Needless to say, no matter what I used for an email address (aragorn@minas-tirith.gondor.me) or password (valaquenta) I was let in.
Stage 6: Credit card information
The login redirected to (spaces added for readability):
Like the page in stage 5, I got the same page back regardless of any changes to the CGI values:
The page accepted without question any set of random numbers I put in for the credit card number, such as 4504 0000 0000 0000. That indicates the programmers didn’t attempt to validate the check digit, which is the final digit of the card number and is computationally dervied from the other 15. Nor did it catch the fact I entered an expiry date from last year.
Stage 7: The frustrating 3D Secure confirmation page
The credit card information page redirected to https://pdf.name/canada/MyCra/v1/D_information.php, with CGI parameters &name=, &email=, &card number=, &phone=, &bank= (the programming was advanced enough to, sometimes, figure out the name of the issuing bank from the card number.)
It displayed a facsimile of a 3D Secure verification page:
Of course, no matter the content entered for the Verification Code, the page always returned:
Error: The verification code you entered does not match our records. Please try again.
As a test, I gave a little-used email address I have at ProtonMail to see if the site was sophisticated enough to actually send a validation code, but never received a message.
Analysis: pretty good, but there are holes
The most glaring thing I saw the page that gathers credit card information performed only the most rudimentary checks on the entered information. It did check for empty fields, letters where there should have been numbers, and the length of the credit card number. But it didn't validate the check digit on the credit card, nor did it catch an expired card.
As of the time I created this thread all the links are still working. I encourage as many of you as possible to play with this and give them a boat load of bad information.
Stage 1: The email message
Quote:
From: Agence du Revenu du Canada / Canada Revenue Agency <centre@psycho-solutions.qc.ca> To: blue_mountain@internationalskeptics.com Date: 2022-05-06 3:01 A.M. Bonjour blue_mountain@internationalskeptics.com Nous vous invitons à prendre connaissance du document ci-joint et d’y donner suite s’il y a lieu. Cliquez le lien suivant : canada.ca/agence-revenu/services/impot/particuliers/Doc/ Code d’accès Document : 031187 Pour tout renseignement additionnel, n’hésitez pas à communiquer avec nous.  AVIS DE CONFIDENTIALITÉ _ Ce message peut contenir de l’information légalement privilégiée ou confidentielle. Si vous n’êtes pas le destinataire ou croyez avoir reçu par erreur ce message, nous vous saurions gré d’en aviser l’émetteur et d’en détruire le contenu sans le communiquer à d’autres personnes ou le reproduire. Vous ne souhaitez pas recevoir par messagerie électronique de l’information sur les produits et services, les nouveautés, les offres spéciales et les promotions de La Capitale? Retirez votre consentement |
A red flag here: the greeting line uses the mail address. Actual correspondence from the CRA would use either “Cher Blue” or “Monsieur, Madame”. The URL is also subtly wrong; for the French version of the CRA the URL is www.canada.ca/fr/ ...
Partial translation:
Quote:
We invite you to read the attached document and follow up if necessary. Click the following link: canada.ca/revenue-agency/services/tax/individuals/Doc/ Document access code: 031187 For any additional information, do not hesitate to contact us. |
Stage 2: The PDF
The URL above actually pointed to https://t.co/ec0UVVXwZQ. It served up a PDF that required a password to open, said password being 031187. The text of the PDF was as follows:
Quote:
Notification d’impôts Remboursement Après les derniers calculs annuels de l’exercice de votre activité, nous avons déterminé que vous êtes admissible à recevoir un remboursement d’impôt de 486,40 C Veuillez nous soumettre s’il vous plait la demande de remboursement d’impôt pour nous permettre de la traiter dans le plus bref délai (le délai de traitement est de 10 jours ouvrable) Pour accéder au formulaire de votre remboursement d’impôt J E C O N S U L T E L E S D É M A R C H E S A S U I V R E Un remboursement peut être retardé pour diverses raisons. Par exemple la soumission de dossiers non valides ou inscriptions après une certaine limite. |
Translation:
Quote:
Tax Notification Refund After the final annual calculations for your business year, we have determined that you are eligible to receive a C486.40 tax refund. Please submit the tax refund request to us so we can to process it as soon as possible (the processing time is 10 working days.) To access your tax refund form: I CONSULT THE STEPS TO FOLLOW A refund may be delayed for various reasons. For example submitting invalid records or registrations after a certain limit. |
This is a huge red flag. The CRA doesn't need anyone to fill out a “tax refund form.” It automatically sends refunds once the return has been processed, via direct deposit if it has information on file, or by mailing a cheque to the address specified on the taxpayer's return.
Stage 3: The redirect
The link at “JE CONSULTE LES DÉMARCHES A SUIVRE” went to https://www.washtogo.ae/wp-content/DE.html.
That, in turn, consisted only of a <meta> tag:
Code:
<meta http-equiv="refresh" content="0;URL=https://pdf.name/canada/MyCra/">
Stage 4: The remarkably simple CAPTCHA
The page above redirected to https://pdf.name/canada/MyCra/confirmation.php, which asked for a CAPTCHA that was remarkably easy to read, and consisted of the text 031187 (the same as the password on the PDF.) The same number appeared regardless of the nummber of times the page was reloaded. At least it verified the input; entering anything other than 031187 returned an error.
Stage 5: The fake login page
It then redirected to the following URL:
Quote:
https://pdf.name/canada/MyCra/v1/A_information.php ?customer_LoginCMD=362 &session=2949842498498448554554 |
Chromium recognized the page was in French and asked if I wanted it translated. Because I can puzzle out only about 30% of any given French text, I chose English. The page read:
Quote:
Access my Customer Area Email Address: [__________________________________________________] Password: * [__________________________________________________] [_] Remember my email address [Open Session] © Canada, 1996-2022 All rights reserved. _ Legal | Terms and Conditions | Privacy |
Needless to say, no matter what I used for an email address (aragorn@minas-tirith.gondor.me) or password (valaquenta) I was let in.
Stage 6: Credit card information
The login redirected to (spaces added for readability):
Quote:
https://pdf.name/canada/MyCra/v1/B_information.php ?enc=eac16c8cffa2436d0eb04e11ede2cc10 &p=0 &dispatch=1d35cc0886aa4ea87f6966f95160fbc9df193 f60 &session=eac16c8cffa2436d0eb04e11ede2cc10 |
Quote:
[Logo] Safe & Secure Refund Information ! You must add an account to receive your refund All fields are mandatory. Cards Accepted: [Image:VISA] [Image:MasterCard] [Image:American Excress] Last name and first name: [Enter your full name] Bank card number: [Enter your card number] Expiration date: [Format: 05 / 23] CVV / CVC: [***] Phone number: [Enter your phone number] [Submit] © Canada, 1996-2022 All rights reserved. _ Legal | Terms and Conditions | Privacy |
Stage 7: The frustrating 3D Secure confirmation page
The credit card information page redirected to https://pdf.name/canada/MyCra/v1/D_information.php, with CGI parameters &name=, &email=, &card number=, &phone=, &bank= (the programming was advanced enough to, sometimes, figure out the name of the issuing bank from the card number.)
It displayed a facsimile of a 3D Secure verification page:
Quote:
3D Secure Safety Online Complete this authenticating by entering the confirmation code received on your phone or email. Complétez cette authentification en entrant le code de confirmation reçu sur votre téléphone ou par e-mail. Bank Name (if the processing was able to figure it out) Name on card: [text passed in name=] Card Number: [text passed in card_number=, all but last 4 X’d out] Date & time: [from the server clock, GMT] Phone: [text passed in phone=, all but last 4 *d out] Verification Code / Code de vérification: [__________] |
Error: The verification code you entered does not match our records. Please try again.
As a test, I gave a little-used email address I have at ProtonMail to see if the site was sophisticated enough to actually send a validation code, but never received a message.
Analysis: pretty good, but there are holes
The most glaring thing I saw the page that gathers credit card information performed only the most rudimentary checks on the entered information. It did check for empty fields, letters where there should have been numbers, and the length of the credit card number. But it didn't validate the check digit on the credit card, nor did it catch an expired card.
As of the time I created this thread all the links are still working. I encourage as many of you as possible to play with this and give them a boat load of bad information.
via International Skeptics Forum https://ift.tt/nSdlYju
Aucun commentaire:
Enregistrer un commentaire