Time for a bit of phishing
One of our French users received an email regarding a tax issue with the UK tax authorities (HMRC). The URL started off OK, with what looks like an HMRC hostname, but turned out to be a little nasty:
(Please don’t click it)
http://online.hmrc.gov.uk.nyyyyase.com/SecurityWebApp/httpsmode/statement.php?{other id stuff redacted}
nyyyyase.com turns out to resolve to a cluster of machines:
dmlinux2:/home/david # host nyyyyase.com
nyyyyase.com has address 222.113.210.163
nyyyyase.com has address 61.73.96.212
nyyyyase.com has address 67.164.7.67
nyyyyase.com has address 79.175.103.228
nyyyyase.com has address 83.4.187.5
nyyyyase.com has address 89.134.5.8
nyyyyase.com has address 93.172.209.217
nyyyyase.com has address 110.13.183.155
nyyyyase.com has address 114.180.190.76
nyyyyase.com has address 121.174.9.100
nyyyyase.com has address 121.183.6.137
nyyyyase.com has address 190.139.220.38
nyyyyase.com has address 195.56.205.192
nyyyyase.com has address 210.116.200.91
nyyyyase.com has address 221.165.170.71
…and when you try to browse to the IP address, you’re redirected to microsoft.com, presumably in an attempt to cover tracks. The few that I’ve traced all seem to be in Eastern Europe (Poland and Hungary).
Browse a little deeper, though, and you get a site not dissimilar to the HMRC web site in layout and colour.
Be warned!
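The trick in the URL above is that hmrc.gov.uk appears only as the leading labels of a hostname that actually belongs to nyyyyase.com. The following is an added example, not part of the original post, of a check a mail or proxy filter could apply to flag that pattern; the suffix set, the trusted-domain list, the function names and the sample URLs in the comments are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed subset of the Public Suffix List, just enough
# for this example. A real filter should load the full list.
PUBLIC_SUFFIXES = {"com", "uk", "gov.uk", "co.uk", "fr"}

# Assumption: domains whose names are worth protecting against impersonation.
TRUSTED_DOMAINS = {"hmrc.gov.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label (who really owns the host)."""
    labels = host.lower().rstrip(".").split(".")
    # Walk left to right so the longest matching suffix wins ("gov.uk" over "uk").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # bare IP address or unknown suffix


def classify(url):
    """Return (verdict, registrable_domain) for a URL found in a message."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    owner = registrable_domain(host)
    if owner in TRUSTED_DOMAINS:
        return ("trusted", owner)
    # A trusted name embedded as whole labels inside somebody else's hostname
    # is the pattern used by the phishing link in this post.
    padded = "." + host + "."
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in padded:
            return ("impersonation", owner)
    return ("unknown", owner)


if __name__ == "__main__":
    samples = [
        # URL from the post, with the redacted query replaced by a placeholder.
        "http://online.hmrc.gov.uk.nyyyyase.com/SecurityWebApp/httpsmode/statement.php?id=REDACTED",
        # Constructed comparison URLs.
        "https://online.hmrc.gov.uk/login",
        "http://www.microsoft.com/",
    ]
    for url in samples:
        print(classify(url), url)
```

The verdict depends on reading the hostname from the right: the labels just before the public suffix identify the owner, whatever appears to their left.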
