Germans are well known for accurate bureaucracy, and taxpayers have to file their income tax statement by the end of May. It is not surprising that attackers jump on that opportunity now, as they do with several other special occasions during the year, such as the EURO 2012 or repeated holiday-related spam.
Taxpayers are currently waiting for their tax office’s feedback, and the fake email sent to users’ inboxes poses as legitimate feedback with a promised tax refund of almost €235. We’ve seen other mails with different refund values, but the scheme remains the same.
The outward appearance of this email is rather convincing, but the text is peppered with mistakes and is most probably the result of an automatic translation.
The most interesting part is the attached HTML file, with a design that is pretty similar to the design used on the "Bundeszentralamt für Steuern" (German Federal Central Tax Office) website:

[Screenshot of the fake tax refund form]
All information added in this form will be sent to a remote server:
The server used in this email, located in Belgium, still exists, but it currently does not respond to any of our requests. During our analysis, we did not encounter any malware.
What can happen if someone enters all the requested data?
What should you do and know?