A Little Excitement Never Hurt Anybody!

by lg0p89

Disclaimer: This is for educational purposes only.  The information herein is not to be used for unlawful or illegal actions.  The reader is responsible for his/her own actions.

Background

I received an email on 5/29/2013 (5:29 pm).  Curiously, the time stamp was 29 minutes after the sender would have closed.  This was from the IRS.

Whenever you see the IRS name plate, the reader generally misses a heartbeat and a breath at the same time.  There is something guttural that occurs when you see the name (((Internal Revenue Service))) on a letter or email.  This is not necessarily a matter of mistrust, given the present issues with charitable organizations applying for their status, but rather an awareness of the immense power and ability of the entity to circumvent the U.S. Constitution at will.  Enough of this; that is an article for a different journal and time.

Nonetheless, the email was from the Internal Revenue Service.  They used the picture of the upper-third of the eagle adjacent to the scales of justice.  Next to this were the words Internal Revenue Service.  When the pointer was rolled over this, it provided the link to www.irs.gov.  This made it appear yet more legit.

The body of the email showed there was a complaint by Demian Chavoya against myself and nine others, all with the same first name in the email address.  In the email it noted the instructions on how to resolve this issue were in an attached ZIP file.  The next three paragraphs were noting how all the involved parties had to agree to arbitration for this to be an option, the IRS had the sole discretion if the complaint could be arbitrated, and the IRS offered a binding arbitration service.

Red Flags/Analysis

First, this was in my spam folder.  Generally, if the IRS is going to send you an email, it will hit your inbox.  Usually they just mail the information or request to you anyway.  This was the first issue.

The email showed it was from the IRS, from the address fraud.dep@irs.gov.  This was sent to ten different parties, all with the same first name in the email address.  It is not likely that all ten parties would have the same complaint and complaint number placed against them.

The email address was spoofed.  At first glance, it read as if the email was from fraud.dep@irs.gov.  The average person would see the IRS name and .gov extension and freak out, much like I initially did.  However, I knew I had done nothing wrong (recently).  The header for the email was reviewed.  The IP address, 50.xxx.78.xxx, was not an IRS IP address.  This email was sent from a comcastbusiness.net IP.  The location was in Opa-locka, Florida (thank you, traceroute).

If there had been an actual complaint, there would have been the usual attachment.  This would have probably been a PDF, but could have been a DOC or DOCX attachment.  This, however, had a ZIP archive.  I did not open the attachment since I was at a work computer without a sandbox to open it in.  I did not need to add further work for the network admin.  I have seen what happens to people on the poop list, and I so did not want to be there.  Opening the ZIP file contents probably would have infected at least my system and probably more, which would have made my life exciting in the short term.

The context also did not fit the situation.  The email stated that the IRS had a complaint against me for my business services.  I don't do business with the IRS.  This did not make sense.  There is also the complaint filed by a Demian Chavoya.  I don't know any Chavoya.  Also, there has been no work done with or for a Chavoya.

The date was also odd.  Apparently, Demian Chavoya filed the complaint on 5/29/2013.  The email from the IRS was sent also on 5/29/2013 - the same day.  This is highly unlikely.  For my math and statistical friends, this is not a statistically significant possibility.

When you send an email, it is relatively important that it makes sense.  In the third paragraph, the email states that all parties have to agree to arbitration for this to be an option, meaning the party filing the complaint and the party that caused the complaint.  The next paragraph, however, stated this was solely the decision of the IRS.  This clearly did not make sense.

If you are trying to make another party believe the email is from a government entity, the sending party probably should use the updated format for their emblem.  This email used the prior format, which had not been used for months.  This is merely me being nit-picky, but really, if you want a polished and professional-looking spoofed email, then do a minor amount of homework and have it look like it actually is from whom you want to portray it as being from.  This creates fewer questions from the recipient, which is what you want.
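The header and content checks walked through above (origin host versus claimed sender domain, many same-named recipients, a ZIP where a PDF would be expected, a complaint dated the same day it was mailed) as an added Python example, not code from the article.  The sample message is constructed; the relay host, the IP (203.0.113.5, a documentation range) and the recipients are placeholders, and the reverse-DNS check is a coarse heuristic standing in for the manual header review the author did.

```python
import email
import re
from email import policy
# Constructed sample modelled on the message described above. The relay host,
# the IP (203.0.113.5, a documentation range) and the recipients are placeholders.
SAMPLE_RAW = """\
Received: from relay.isp-example.invalid (relay.isp-example.invalid [203.0.113.5]) by mx.recipient.invalid; Wed, 29 May 2013 17:29:00 -0400
From: Internal Revenue Service <fraud.dep@irs.gov>
To: john.a@recipient.invalid, john.b@recipient.invalid, john.c@recipient.invalid
Date: Wed, 29 May 2013 17:29:00 -0400
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

A complaint was filed against you on 5/29/2013. See the attached ZIP file.
--sep
Content-Type: application/zip; name="complaint.zip"
Content-Disposition: attachment; filename="complaint.zip"

UEsDBAo=
--sep--
"""

def red_flags(raw):
    """Return the heuristic red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender_domain = msg["From"].addresses[0].domain.lower()
    # Earliest hop is the last Received header; its reverse-DNS name should belong to the claimed domain.
    received = msg.get_all("Received") or []
    m = re.search(r"\(([\w.-]+)\s+\[([\d.]+)\]\)", received[-1]) if received else None
    if m and not m.group(1).lower().endswith(sender_domain):
        flags.append(f"origin {m.group(1)} [{m.group(2)}] does not belong to {sender_domain}")
    # Several recipients whose addresses all start with the same first name.
    names = [re.split(r"[._-]", a.username.lower())[0] for a in msg["To"].addresses]
    if len(names) >= 3 and len(set(names)) == 1:
        flags.append(f"{len(names)} recipients all named {names[0]!r}")
    # Archive or executable attachment where a PDF or DOC would be expected.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe", ".scr", ".js")):
            flags.append(f"risky attachment {name}")
    # A complaint dated the same day the notice was sent leaves no processing lag.
    sent = msg["Date"].datetime.date()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for mo, d, y in re.findall(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b", body):
        if (int(y), int(mo), int(d)) == (sent.year, sent.month, sent.day):
            flags.append(f"complaint dated {mo}/{d}/{y} sent the same day")
    return flags
```

Running `red_flags(SAMPLE_RAW)` on the constructed message returns all four flags; a genuine notice would normally trip none of them.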

What Should Have Been Done

This is for educational purposes only, as noted above.

For the person filing the complaint, it would have been better to have used a common name for a person or business.  For an individual, perhaps Sam Flynn or Mary Hamilton would have been a better choice.  For a business, perhaps Grainger or Verizon could have been used.  A person could have an interaction with one of these two entities or another large business.  Demian Chavoya is such an unusual name that it automatically piqued my interest and I knew this was not correct.  A name that slides in under the radar and doesn't stick out would have been much better.

There was an issue with the lack of a time lag, as noted above.  There really should be a time lag between the date of the complaint and the date of the email.  Everyone knows how slow the IRS is.  This is well documented.  This is a large machine that moves at its own pace.  The IRS has its own timeline.  In this case, the "complaint" was filed on 5/29/2013 and the email was sent on the same day.  There is no way this could have happened.  I doubt even a congressional member could get this done.  It would have been better to have a difference of a week or two between the complaint date and the date the email was sent out.  This would have been so much more realistic.

Lastly, the content flow did not make sense.  This should not contradict itself.

This was not intended as a "how to" but more as a thought exercise on how it should have been done.  Let's learn from this on what to look for and use this as a teaching tool so the network admins don't have even more work to do.
