Two weeks ago, HMRC was celebrating its success at stopping one million visits to scam websites. But while HMRC was posing for the cameras, scammers were working hard on new attacks. Trustwave SpiderLabs has revealed that on 6th September, a month before the HMRC news, scammers launched a new wave of attacks.

In the blog post on the SpiderLabs website the authors say: “On 6th September, 2017, scammers launched a phishing attack using spoofed e-mail messages appearing to come from a HMRC support service domain and containing links to the infamous JRAT malware disguised as a VAT return document. The scam email was sent using a registered HMRC-like domain (, that was registered on 6th September, 2017, contained no web content at the time.”

Looking up the domain it is registered to an accommodation address, Albany House, 324/326 Regent Street, London, W1B 3HH. There is no evidence that HMRC has moved to take over the domain. This runs counter to their claim on October 9 that they were actively protecting customers and their brand. We are waiting on a response from HMRC as to why they have yet to act.

How does the VAT scam work?

The scam starts with a spoofed message that claims to come from the HMRC Business Help and Support team. The subject line is VAT Return Query. The email also claims to have a PDF attachment of the same name as the subject line. The message also includes the text: “…there are some queries about your submission..”

Clicking on what appears to be an attachment, downloads a file called VATRETURNQUERY.ZIP. Opening the file delivers a Java JAR file that then installs the jRAT bot agent. According to the researchers they see this file regularly as it only costs the attackers $29 per infected machine.

Using an image rather than a real attachment is fairly smart. It gets around the problem of security software disabling the attachment. Having engaged the user in downloading the file, they are also likely to ignore any security warnings over the content. After all, it came from HMRC which the user will see as a safe source.

The malware has been carefully written. It has, according to researchers, an anti-analysis mechanisms. This prevents a number of security and forensic tools reading the file. It also makes several changes to the Windows Registry. These are not changes users would detect. They disable some programmes and, more importantly, make it easier to download malware attachments.

How can this be stopped?

As with all these types of phishing emails prevention is part tooling and part awareness.

There are several warning signs that should immediately tell people this is fake. The first is the email address (we have inserted the [] to deactivate it). It is no-reply[@]hmirc-gov[.]co[.]uk. An email query from HMRC would not have a no-reply email address. It would also not come from a address. The correct email address would have at the end.

The email has also been sent to a mailing list as shown by the “undisclosed-recipients” in the To: line. A query about an individual companies VAT return would not be sent to a mailing list as everyone on that list would get the same data.

The attachment, which is perhaps harder to spot, is not an attachment. Instead it is an embedded HTML image with a URL pointing to a Microsoft OneDrive location. The text underneath it even says :”Save to OneDrive – Personal”. Again, this is something that should not come from any company or organisation.

What does this mean

There are several lessons here. The first is for HMRC. Never crow about your achievements without having the right security processes in place. This attack was launched a month before they went public with their claim to have protected customers from scammers. Six weeks on from the domain being registered it is still in the hands of the scammers.

This type of attack will only increase. HMRC is pushing for everything to be digital and that means users will see more emails from it. The scammers will rely on users trusting those emails to be true. If HMRC want to be seen as a beacon for protecting customers, they have to demonstrate responsiveness. It is no use just putting it in a press release.

Users have to be more aware as well. The vast majority of phishing attacks are easily spotted and dealt with. Odd email addresses, strange file attachments, text that makes no sense. This is computer security 101. It doesn’t matter if the email comes to a business or a user. Education about this type of attack takes just minutes and will pay off over time.


Please enter your comment!
Please enter your name here