Hey, retired, AOL-using grandmas of the world. If you get this email, delete it immediately:
Now that we’ve established the true point of this post, let’s delve into the grand gorge of gimcrack and discuss it for a bit.
Clicking the link at the bottom of the email will take you to this website:
I hate to break it to you, but here’s the real IRS website:
Yeah, they’re almost identical. Almost. Someone out there is an amazing web designer as they were able to clone the IRS website design, color scheme, menu behavior, content, white space – everything that makes up the site. Aside from realizing this website was a fake just by reading the initial email, which is truly the best way to avoid phishing, I’ll show you a few ways to spot the fake once you’ve fallen for teh haxorz tricks and clicked on the link of doom.
The Address Bar
You wouldn’t step inside a house on 429 East 38th Street if you were trying to get to 1305 South Hiatt Street, just as you wouldn’t give your credit card info to wwwwww.bestestbuy.cornmaze if you were trying to shop online at Best Buy. The address bar is there for a reason: to give you the address of the website you are visiting. Do you really think the IRS resides at http://18.104.22.168:8080/www.ir$.g0v/Get_tax_refunding.html? I’d wager it was something more along the lines of http://www.irs.gov.
The real one:
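The address-bar check from this section, written out as an added Python example (not part of the original post). The function name `check_address` and its `expected_domain` parameter are assumptions made for illustration; the sample URLs are the ones quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# The address the fake site was served from, as quoted in this post.
FAKE = "http://18.104.22.168:8080/www.ir$.g0v/Get_tax_refunding.html"


def check_address(url, expected_domain):
    """Return the reasons a URL does not belong to expected_domain (empty list = it does)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    reasons = []

    # A real organisation publishes a name, not a bare IP address.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    # Only the host counts: it must be the expected domain or end in ".<domain>".
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not {expected} or a subdomain of it")

    # Public sites sit on the default web ports; anything else deserves a second look.
    try:
        port = parts.port
    except ValueError:
        port = None
        reasons.append("port is not a valid number")
    if port not in (None, 80, 443):
        reasons.append(f"unusual port {port}")

    # A folder dressed up as a hostname (here "www.ir$.g0v") says nothing about the real host.
    for segment in parts.path.split("/")[:-1]:
        if segment.lower().startswith("www."):
            reasons.append(f"path folder {segment!r} imitates a hostname")

    return reasons


if __name__ == "__main__":
    for url in (FAKE, "http://www.irs.gov"):
        print(url, "->", check_address(url, "irs.gov") or "host matches irs.gov")
```
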
Click a few links once you get to the website in question. Usually it’s just a facade with nothing under the surface, which you’ll uncover very quickly if you dig a little deeper. Haxorz don’t want to spend a lot of time matching up content; they just want to create one good page that looks completely authentic and BADABOOM – grandma got run over by a thieving reindeer. Upon clicking just one link in the navigation of the fake IRS website, I realized that there were no other pages in the site. All the links just took me to ‘Not Found’ error pages. LOL n00bs.
This one isn’t as obvious, but I did notice it when comparing the real and fake IRS sites. The favicon was slightly different. You can see that the fake is a little darker and less clear, like they saved it in the wrong format or something. The real site is the one on the right.
My point is, look for the subtleties. It’s not always going to be the favicon. It could be a misspelling, a little less padding underneath a box, or a link hover color that doesn’t match the original.
Go To The Real Website
The easiest and most important tactic is to search for the site using Google, which will never give you phishing websites in its results. From there, you can get to any page within that website and be sure that it is authentic. If the email was trying to get you to update your contact information, just browse to that area of the real site and do it. If the email told you your account was about to expire, go to the real site and see if they give you that same message. Use common sense.
In conclusion, well done hax0rz. Your site was spot on identical in almost every way. But, all your tricks are belong to us.
Anyone have any funny phishing/identity theft stories? Lay them on me.