Clever phishing scams disturb ATO

John Hilvert | May 21, 2012 12:30 PM
Social engineering, faxes on the radar.

The Australian Taxation Office (ATO) has reported more than 4000 phishing attempts directing Australian users to fake versions of the government agency's website in the past year.

The agency's chief information officer, Bill Gibson, told a parliamentary committee inquiring into online safety for seniors that the ATO was often the subject of scams because of the community's willingness to comply with requests that appear to come from it.

The ATO's chief technology officer, Todd Heather, said phishing scams had been "quite primitive" up to 2007, with tell-tale spelling mistakes. The emails carried "no malicious payload" and simply directed a naive user to a website.

“It was only a web form you were invited to give information to that scammer,” Heather said.

Since 2007, however, the ATO has seen greater sophistication and more realistic use of its brand.

Phishing attacks had since adopted social engineering techniques, which proved more effective and more malicious. In addition, the emails themselves now contained malicious payloads, according to Heather.

He noted scammers intended to build a “permanent capacity to extract information” and to bring users into a network of devices for later exploitation.

Heather noted that fake ATO sites, of which the agency had detected 67 unique examples in the past year, now looked more credible. One recent scam website was given away only by a single misspelt word.

“But that’s the only thing that might deter you from giving your driver’s license, your credit card numbers with security codes, everything but the kitchen sink,” Heather said.

He added that scammers used the actual ATO website as part of their schemes, with some menu items pointing to legitimate ATO services. Only the form seeking information in the middle column formed part of the deception.

In response, the ATO had introduced phishing "filter" code on its website that detected where traffic to the site was coming from, in an attempt to undermine this ploy.
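The article does not say how the ATO's filter worked. The sketch below is an added example, not ATO code, of the simplest version of the idea: a cloned site that links to or hot-links real pages and assets will cause the victim's browser to send a Referer header naming the scam domain, so the real site can spot requests arriving from hosts it does not recognise, count them, and serve a warning instead of quietly completing the clone. The allowlist, the log lines and the scam domains are all constructed for the example.

```python
"""Referer-based detection of visitors arriving from look-alike sites.

Added example, not the ATO's code. Hostnames, log lines and the
scam domains below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Optional

from urllib.parse import urlsplit

# Hosts that may legitimately link to or embed the agency's pages
# (constructed allowlist; the real one would be maintained by the site).
TRUSTED_HOSTS = {"ato.gov.au", "www.ato.gov.au", "my.gov.au"}

# Constructed access-log lines in Apache/Nginx combined format. Lines 3-5
# show a cloned form hot-linking a stylesheet, a menu link to a real page,
# and a look-alike domain that merely starts with the real hostname.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2012:10:15:01 +1000] "GET /individuals/ HTTP/1.1" 200 5120 "https://www.ato.gov.au/" "Mozilla/5.0"
203.0.113.11 - - [21/May/2012:10:15:03 +1000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2012:10:16:10 +1000] "GET /css/site.css HTTP/1.1" 200 2048 "http://ato-refund.example/form.php" "Mozilla/5.0"
198.51.100.8 - - [21/May/2012:10:16:12 +1000] "GET /businesses/ HTTP/1.1" 200 7300 "http://ato-refund.example/form.php" "Mozilla/5.0"
198.51.100.9 - - [21/May/2012:10:17:00 +1000] "GET /images/logo.png HTTP/1.1" 200 900 "https://www.ato.gov.au.secure-login.example/index.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased hostname from a Referer value; None if absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_trusted_host(host: str) -> bool:
    """Exact match or a subdomain of a trusted host.

    The check is on label boundaries, so 'www.ato.gov.au.secure-login.example'
    is NOT trusted even though it begins with the real hostname.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_referer(referer: str) -> str:
    """Return 'direct' (no Referer), 'trusted', or 'suspicious'."""
    host = referer_host(referer)
    if host is None:
        return "direct"
    return "trusted" if is_trusted_host(host) else "suspicious"


def decide_response(referer: str, path: str) -> tuple:
    """What the real site should serve for this request.

    A request arriving from an unknown site gets a warning page (hypothetical
    path) instead of the asset or page the clone was trying to borrow.
    """
    if classify_referer(referer) == "suspicious":
        return ("warn", "/scam-warning")
    return ("serve", path)


def suspicious_referers(log_text: str) -> Counter:
    """Count requests per untrusted referring host across access-log text."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if classify_referer(m["referer"]) == "suspicious":
            counts[referer_host(m["referer"])] += 1
    return counts


if __name__ == "__main__":
    for host, n in suspicious_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

Two caveats a practitioner would add. The Referer header is set by the victim's browser, not the scammer, so it cannot be used to authenticate anything; it can be stripped by referrer policies or privacy tools, in which case the request looks "direct" and passes. The check is therefore a detection and disruption aid, useful for discovering new clone domains early and for breaking clones that borrow the real site's pages, not a control in its own right.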

Low tech crime

A more recent trend saw low-tech channels such as faxes used in sophisticated social engineering schemes. The scammers fax a form to property management personnel at real estate agents, asking them to forward it to their landlords and pretending to offer tax advantages to non-resident landlords.

“It says if you are a resident landlord, call us and we’ll send you a different form,” Heather said.

“It’s designed to get you engaged in the scam with them.”

The fax seeks a copy of the landlord's passport, giving the scammer exactly what is needed to impersonate the passport holder.

“That is profoundly disturbing,” Gibson told the Committee.

“They have now put an innocent, credible intermediary between the person providing the information and the scammer in the form of a real estate agent. If the property manager does not question this and pass this message on to the owners of the properties, the owner only sees it coming from the property manager, not from any other party.”

Gibson said this level of sophistication coincided with a period in which many Australians were becoming more comfortable with transacting online.

“The risk for everyone is going up,” he said.

He said it was an “illusion of comfort with technology matters”.

“But that comfort is only as it was some years ago,” Gibson said.

Many were unaware of the sophistication of the current generation of scams.