Phishing scam impersonates Canadian tax agency ahead of Canada Day

Preparing for Canada Day festivities resulted in a tax scam

Even if the deadline for filing your taxes in Canada has already passed on May 2n/a, 2022, some people may have applied late or are still waiting for their refund. Maybe that’s why I received a phishing email yesterday claiming to be from the Canada Revenue Agency (CRA) and promising a refund of nearly C$500:

Figure 1. Phishing email offering CRA refund

Aside from user error [email protected] like the email sender address, it’s not how the CRA communicates. If you are using a My Service Canada Account, you should expect to receive a notification that looks like this:

Figure 2. Example of legitimate CRA correspondence

Understanding how phishers abuse links in emails, the CRA has adopted the wise strategy of not providing links in official correspondence and instead asking customers to navigate to the official website on their own.

However, if you click on the “Interac e-Transfer Autodeposit” button, you are redirected from a malicious link hosted on standyjeno[.]uh to malicious subfolder cra_ca_service hosted on oraclehomes.com:

Figure 3. A phishing website offering a tax refund from the CRA

The operators behind this campaign have done a pretty good job of creating a legit-looking page, but there are still signs of a scam. For example, the footer of a legitimate page looks like this:

Figure 4. The footer of the legitimate canada.ca/en/services/taxes/income-taxes/personal-income-taxes.html

Also, the menu items on the phishing page lead nowhere:

Figure 5. Menu links on phishing page lead nowhere

Clicking on “Jobs” simply fills the URL with the value of the identifier HTML element attribute for “Jobs”.

Then, if you click the “Continue” button on the homepage, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft. :

Figure 6. The first form of phishing asks for personal information – enough for impersonation

If a victim then clicks the “Continue” button, the next page asks for your credit card information:

Figure 7. The second phishing form asks for credit card information

The last page incorrectly confirms that your refund will be deposited into your credit card account within 5-10 business days:

Figure 8. Phishing site confirmation page

Finally, you are redirected to a legitimate CRA web page:

Figure 9. The legitimate “Personal income tax” page on the CRA website

The same redirect occurs if you attempt to navigate directly to the cra_ca_service site subdirectory.

ESET blocks these threats as a phishing attempt:

Figure 10. ESET blocks malware istvandyjeno[.]uh domain

Figure 11. ESET blocks malware oraclehomes[.]com/cra_ca_service to place

Phishing in perspective

According to the ESET Threat Report Q1 2022, around a third of phishing URLs detected in the first four months of 2022 impersonated financial organisations. But there are other popular contenders for phishing lures, such as fake Facebook and WhatsApp login pages and websites posing as messaging services and gambling platforms:

Figure 12. Top 10 phishing website categories in the first four months of 2022 by number of unique URLs (source: ESET telemetry)

Although in this case the malicious operators targeted Canadians’ credit card and personal information, phishing can encompass a variety of purposes such as ransomware downloads, banking trojans, cryptojacking malware and botnet deployments. Therefore, keep the following tips in mind to spot and avoid this threat:

  • Determine if the alleged sender normally communicates via email in this manner.
  • Rather than clicking on links in an email, it is better to manually navigate to the official website of the apparent sender.
  • Check for obvious errors in the email. For example, why would the Canada Revenue Agency send you an email [email protected]?
  • Always be wary of sharing your personal and financial information with any web page.
  • Familiarize yourself with the CRA Scam Alerts Pageespecially with the samples fraudulent emails impersonating the CRA.

Esther L. Steinbach