[ISN] Security glitch aids IRS phishers

InfoSec News isn at c4i.org
Fri Dec 2 01:13:28 EST 2005 

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,106645,00.html

By Robert McMillan
NOVEMBER 30, 2005 

The U.S. Department of Labor said Wednesday it is working to fix a 
programming glitch in a U.S. government Web portal that makes it 
easier for phishers to trick people into disclosing sensitive 
information. The flaw was first exploited by phishers who, earlier 
this week, began sending out bogus e-mail messages asking for personal 
information, including social security and credit card numbers. 

The bug lets these phishers redirect URLs (Uniform Resource Locators) 
that use the GovBenefits.gov domain to fraudulent Web sites that are 
unconnected with the U.S. government. 

This redirecting flaw was first exploited just days ago by phishers 
masquerading as the U.S. Internal Revenue Service (IRS), said Graham 
Cluley, a senior technology consultant with Sophos PLC, a U.K. 
security firm that has been researching the matter. 

"The people behind GovBenefits.gov have implemented their software in 
such a way that leaves the Web site vulnerable to a phishing attack," 
he said. The technique is particularly effective because the link that 
users click on is, in fact, a genuine GovBenefits.gov link, he added. 

The fraudulent e-mail claims to require the sensitive information in 
order to process a tax refund, and claims to come from tax 
refunds at irs.gov, the IRS said. 

The GovBenefits.gov Web site is used by 16 federal agencies, including 
the IRS, and is designed to help users determine their eligibility for 
government-funded benefit and assistance programs. It is maintained by 
the Department of Labor. 

Though the site's redirect glitch is not common, Sophos has seen it 
before, usually made by programmers looking for a flexible way to move 
users around their Web sites, Cluley said. "It's a simple mistake to 
make, until you realize the consequences," he said. "They probably 
didn't see how it could be used." 

The Department of Labor is working to fix the glitch and hopes to 
resolve the problem as early as late Wednesday, a Labor spokeswoman 
said. 

Meanwhile, the IRS published a statement Wednesday, warning users of 
the scam http://www.irs.gov/newsroom/article/0,,id=151065,00.html . 
"What we want people to know is if you get an unsolicited e-mail that 
purports to be from the IRS and it's asking for personal information, 
that's bogus," said Eric Smith, an IRS spokesman. "We're not going to 
request that you provide this kind of information by e-mail."

More information about the ISN mailing list