MA-241.072010 : MyCERT Alert - Phishing Attempts by Impersonating Email from Lembaga Hasil Dalam Negeri (LHDN)
Date of publication: 2010-07-30

1.0 Introduction
MyCERT has handled a number of incidents related to an email purporting to come from the Lembaga Hasil Dalam Negeri (LHDN). The email entices users to click on a URL that leads to a fake LHDN webpage. On that webpage, users are presented with a message that they are eligible for a tax refund and offered options to log in to either the CIMB or the Public Bank Internet banking site. The ultimate goal of this social engineering attack is to obtain the banking credentials of Public Bank and CIMB Internet banking users. LHDN has also issued an official statement on this matter [1].

2.0 Analysis
2.1 The first part of this phishing attack is a mass social engineering email. One example of the email is shown in Figure 1.0.

Figure 1.0 Scam email purporting to come from 'LHDN'
2.2 Referring to Figure 1.0, the user is asked to click on the URL provided in the email. The URL takes the user to the fake LHDN website shown in Figure 2.0 below.
Figure 2.0 Fake LHDN website
2.3 Users are informed that they are eligible to receive a tax refund of RM 700.00 and that LHDN needs their bank information. Users who click on either bank's logo are directed to the corresponding fake banking website.
Figure 2.1 Fake Public Bank Internet Banking website
Figure 2.2 Fake CIMB Internet Banking website
2.4 In this attack, the criminals are targeting only CIMB and Public Bank Internet banking users. However, a variant of this attack could target other banks.

3.0 Phishing Site
The phishing site was hosted on a compromised server located overseas.

4.0 Mitigation
4.1 If you receive such emails, which appear to come from LHDN or from the banks themselves, you can:
- Contact LHDN and the banks for clarification
- Forward the phishing email to cyber999@cybersecurity.my so that MyCERT can take the necessary action
- Delete or ignore the emails
If you are a victim:
- Notify the respective bank and get their advice or assistance
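The attack described in section 2 relies on a link whose visible text or surrounding wording suggests LHDN or a bank while the underlying URL points to an unrelated host. The following is an added example of a simple mail-triage check for that pattern; it is not code from MyCERT or this advisory. The sample email body is constructed, and the allow-list of trusted hosts is a placeholder to be replaced with the verified domains of LHDN and the banks.

```python
"""
Added example (not part of the MyCERT advisory): flag links in an HTML
email whose href host is not on a trusted allow-list, and additionally
flag links whose visible text names a trusted host that differs from
the real destination. Sample message and allow-list are constructed
placeholders, not values from the advisory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder allow-list (constructed); replace with the verified
# legitimate domains of LHDN and the banks before real use.
TRUSTED_HOSTS = {"lhdn.example", "cimb.example", "publicbank.example"}

# Visible link text that looks like a URL or bare hostname.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _display_host(text):
    """Host named by the visible link text, if the text looks like a URL."""
    if not _URLISH.match(text):
        return ""
    return _host(text if "://" in text else "http://" + text)


def suspicious_links(html):
    """Return findings for links that lead to an untrusted host.

    Each finding records the href, its host, the visible text and whether
    the visible text itself names a trusted host (a display mismatch).
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        if _is_trusted(href_host):
            continue
        shown = _display_host(text)
        findings.append({
            "href": href,
            "href_host": href_host,
            "display_text": text,
            "display_mismatch": bool(shown) and _is_trusted(shown),
        })
    return findings


# Constructed sample resembling the lure described in the advisory.
SAMPLE_EMAIL = """
<p>Dear taxpayer, you are eligible for a tax refund of RM 700.00.</p>
<p>Click <a href="http://198.51.100.23/lhdn/refund.php">http://www.lhdn.example/refund</a>
to submit your bank details.</p>
<p>Or visit <a href="https://www.lhdn.example/">our official site</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

Only the first link is reported: its destination is a bare IP address outside the allow-list, and its visible text names a trusted host, so it is also marked as a display mismatch. The second link resolves to a trusted host and is ignored. A mail gateway or help-desk triage script can apply the same check to forwarded messages before a user is told whether a link is safe.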
4.2 If you use the Firefox browser, please consider using our anti-phishing plugin, 'DontPhishMe', for detecting phishing sites. Please visit the following URL for more information on the plugin:
MyCERT can be reached through the following channels for further assistance:
E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References