Tuesday, September 30, 2025

New Smish: New York Department of Revenue

 As I was visiting SmishTank to report the most recent SMish that I had received (an iMessage from a +27 South African telephone number claiming to be from ParkMobile) I noticed there had been many recent submissions from the New York Department of Revenue. SmishTank is operated by Professor Muhammad Lutfor Rahman, a colleague of mine from our time at UAB, and his student Daniel Timko from California State University San Marcos. 

SmishTank.com is a great resource for recent SMish!


Pennsylvania and Connecticut "Department of Revenue" also observed
The Utah State Tax Commission and the State of California Franchise Tax Board also seen

SMish that Hide from Wrong Browsers

If you visit any of the URLs that are reported by these "Tax Refund" phish, you'll find that they fail to load unless you are visiting from a phone. Researchers easily bypass this by using a "User Agent Switcher" which allows a browser, such as Chrome, to claim to be another device with a different browser.  By setting myself to be an "Android KitKat" version of Chrome, the pages render on my Windows PC just fine.  The User Agent Switcher also allows you to enter your own custom User Agents.  Today, this is the one I used ... 

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36

New York Department of Revenue Mobile Phish (SMish)

After switching my browser agent, I chose to visit "revenue.refundjpt[.]cc/notice" to get samples of the phish. The first thing that stands out is that despite the SMish all claiming to be the "New York Department of Revenue" the phishing website calls itself "Department of Taxation and Finance" and makes no reference to any specific state. 



The "Address" page of the phish starts by asking for a Social Security Number, which makes sense if you are interacting about taxation.  With most "bank" phish, that would be an immediate Red Flag, but people who are interacting about taxes would not be alarmed by this.  In the USA, your SSN is the primary identifier for taxes.  Although the "State" is pre-populated to "New York" the footer still references the California Penal Code. 



The next page tells me they would like to refund me $1120 and asks which Credit Card or Debit Card I would like to send the funds to.  The "Bank Routing" option is unavailable, apparently due to "system maintenance." 



The website uses the Luhn algorithm to check that the credit card number has a valid checksum.  Type any 16 digits starting with a 4 or a 5, then rotate the final digit until it stops saying "invalid card number" in red and accepts the number.  My made-up number was 4381 6621 8355 371_ and when I changed the last digit to a "6" it became an acceptable credit card number.  (I looked it up later, as this was entirely fictitious, but 438166 would mean my card was a Visa Credit Classic issued by Multicredit, S.A., in Guatemala.  Oops!  It's OK, the Chinese scammers didn't care.) 
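Added example (my code, not from the original post): the Luhn mod-10 check the phishing page runs on the card field, replayed against the author's made-up number 4381 6621 8355 371_. It shows why "rotating the last digit" always lands on exactly one accepted value, and that passing Luhn only means the digits are well-formed, not that the card exists.

```python
# Added example, not code from the original post: the Luhn mod-10 check the
# phishing page applies to the card field. Uses the author's made-up number
# 4381 6621 8355 371_ to show that exactly one final digit is ever accepted.

def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right: the check digit is position 0, every other
    # digit is doubled, and doubled values above 9 have 9 subtracted.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass Luhn (always unique)."""
    for candidate in range(10):
        if luhn_valid(partial + str(candidate)):
            return candidate
    raise ValueError("partial must contain at least one digit")

def rotate_last_digit(partial: str) -> list:
    """Repeat the author's experiment: try every final digit, keep verdicts."""
    return [(partial + str(c), luhn_valid(partial + str(c))) for c in range(10)]

if __name__ == "__main__":
    base = "438166218355371"          # the 15 digits typed before the last one
    print("accepted check digit:", luhn_check_digit(base))
    for pan, ok in rotate_last_digit(base):
        print(pan, "accepted" if ok else "invalid card number")
```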

After this, the criminals sent a text message to the burner phone that I had provided in the Address block. This is a CRITICAL PART OF THEIR STRATEGY!

The "SERCURTITY" verification (yes, securTity) asks for my 6-digit code.  While they say this is because they want my tax refund to be secure, this code is actually the 2-Factor Authentication that allows them to add MY CREDIT CARD to THEIR PHONE's WALLET!




Unfortunately, Guatemala Multicredit SA must have let them know that my credit card didn't really exist, as it booted me back to the credit card page and asked for a different card. This actually happens even if you enter a VALID card.  Why?  The criminals are not interested in sending you a tax refund. They are interested in loading your debit and credit cards onto their phone in Bangkok (or wherever their "machine room" full of spam-sending phones is located.) If you will give them two cards, they will load two.  If you will give them three cards, they will steal all three.  

How does the Stolen Credit Card get used? 

They then deploy "Shoppers" to begin making purchases using your credit card, which is now "Tap to Pay" ready on their phone!  The phone is in Bangkok?  No problem.  They use the software "X-NFC" to "remote tap," transmitting the card loaded on the wallet in Asia to the phone standing at the payment till at the Apple Store in Burbank.


I'm attaching a promotional video that the author shares on his Telegram channel.  In the video, the criminal has two phones "above" his Point of Sale device.  He links the NFC capability of one of the top phones to the bottom phone.  He then taps the top "linked phone" to an iPhone holding a credit card in his wallet.  The image of the card is transferred to the bottom phone, which he can then successfully tap on the Point of Sale device.  


In practice, the "bottom phone" would be somewhere in North America.  The person using that phone would call a collaborator in Asia to say they are ready to make a purchase.  The remote agent then taps one of the phones where your phished credit card is loaded.  That card is now "usable" on the phone in North America, whose holder taps it locally to make a payment with a credit card 7500 miles away! 

What Registrars, Hosts, and Domains are part of the current New York campaign?

These iMessage and RCS phish are part of a deployment server where criminals pay a monthly fee to use the phishing sites.  Each criminal can choose how and where they register their domains and how and where they host the phishing websites.  Because they are all renting access to the same catalog of phishing websites, the sites may look identical while having very different hosting and registration models.

In this case, the main set of domains is registered at "Dominet (HK) Limited" while the hosting is more difficult to determine, since they are hiding behind Cloudflare's Reverse Proxy service.  The bulk of that group's domains for this campaign were registered on September 27, 2025. 

The New York campaign used the hostname "revenue" with URLs using this pattern: 


Another group of 28 domains, first seen on September 26th (some of which were registered today), is also registered at Dominet (HK) Limited and also hides behind Cloudflare. It uses the pattern: 


Yet another group of domains, also registered at Dominet (HK) Limited and also hiding behind Cloudflare, uses a third pattern. 



refundfg[.]cc was actually a State of Florida tax refund scam that began about 11 days ago.  That campaign differed from this one in that it was hosted openly at Tencent (AS132203, IP: 170.106.160.91) and shifted to using a different domain pattern: 
revenue.refuAXCV[.]cc
revenue.refuREWJ[.]cc
revenue.refuDZSA[.]cc

Pivoting on that IP address, we can use Zetalytics' ZoneCruncher to look at the passive DNS and find many other domains.  Our Tencent phisher who is doing the New York Tax phish is clearly also doing Pennsylvania and Minnesota! The passive DNS also shows us other host and domain patterns for New York. 
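Added example (my code, not from the post or any vendor tool): a small detection pass over constructed proxy-log lines that flags the hostname shape this section describes, a "revenue" label in front of a short, disposable refund*/pay* domain on .cc with a /notice path. The regex is my own generalisation of the URLs in the post, not a published rule, and the log format and client addresses are constructed.

```python
# Added example, not from the original post: flag hostnames that fit the
# campaign shape (revenue.<refund|refu|pay><2-4 letters>.cc with /notice)
# in proxy logs. The regex is an assumption generalised from the post's URLs.
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): "<timestamp> <client> <host> <path>"
SAMPLE_LOG = """\
2025-09-30T10:01:02Z 10.0.0.21 revenue.refundjpt.cc /notice
2025-09-30T10:01:09Z 10.0.0.21 revenue.refundyt.cc /notice
2025-09-30T10:02:44Z 10.0.0.37 revenue.paybds.cc /notice
2025-09-30T10:03:10Z 10.0.0.37 www.tax.ny.gov /pit/file/
2025-09-30T10:04:55Z 10.0.0.40 revenue.refuaxcv.cc /notice
2025-09-30T10:05:01Z 10.0.0.40 revenue.example.com /login
"""

# Label "revenue", then refund/refu/pay plus 2-4 letters, on the .cc TLD.
CAMPAIGN_HOST = re.compile(
    r"^revenue\.(?P<family>refund|refu|pay)(?P<tag>[a-z]{2,4})\.cc$", re.I
)

def classify_host(host: str):
    """Return the pattern family ('refund', 'refu' or 'pay'), or None."""
    m = CAMPAIGN_HOST.match(host.strip().lower())
    return m.group("family") if m else None

def scan_log(text: str) -> dict:
    """Group matching hosts by family and list clients that reached any of them."""
    hits = defaultdict(set)
    clients = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip malformed lines rather than crash
            continue
        _ts, client, host, path = parts[:4]
        family = classify_host(host)
        if family and path.startswith("/notice"):
            hits[family].add(host.lower())
            clients.add(client)
    return {"by_family": {k: sorted(v) for k, v in hits.items()},
            "clients": sorted(clients)}

if __name__ == "__main__":
    for family, hosts in scan_log(SAMPLE_LOG)["by_family"].items():
        print(family, hosts)
```

Hosts that match should be treated as leads for blocking and user follow-up, not as proof on their own, since a two-to-four-letter tag is a loose fit.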


