IRS Phishing Site Identified

    Laura Fried
    Asked on April 30, 2014 at 01:29 PM
    Dear Abuse Team,

    The site is located at:
    ASN: 54540
    IP:
    Defanged URL: hxxp://form[.]myjotform[.]com/form/41193230934551

    We are asking for your assistance removing this fraudulent content as quickly as possible and to take the following responses in conjunction with your policies.

    Secure Your Site
    ----------------
    Your site was likely the victim of a compromise and steps should be taken to secure your server and the content that it is providing. Please see below for some actions that you may want to implement.

    Help Educate Consumers
    ----------------------
    Please see below for instructions if you would like to assist in helping to educate consumers about online fraud.

    Help Our Investigation
    ----------------------
    As part of our job, we track and analyze phishing information that over time may lead to the identification and legal action against these phishers. By providing to us any files used in the phish and any relevant logs, you would be assisting us in our efforts. Please email files, logs or any other relevant information to: submits@ofdp.irs.gov

    Additional information regarding this site appears below.

    If you have any questions, or require further information, please feel free to call me at 1-202-556-2612.

    Regards,
    Laura Fried
    202-552-1226 (Fax)
    Online Fraud Detection and Prevention (OFDP)
    Internal Revenue Service
    United States Department of the Treasury

    --------------------------------------------------------------------------

    Securing Your Site – Additional Information
    -------------------------------------------
    Your site was likely the victim of a compromise and steps should be taken to secure your server and the content that it is providing.

    Some actions that you may want to take include:
    - Inspect relevant logs and audit trails.
    - Inspect recently created/modified user accounts and files (including hidden files/directories). Phishers generally leave backdoor/shells that enable them access back into the server/site if not removed.
    - Ensure files/directories have the appropriate privileges/permissions. e.g., web files/directories generally should not be world writable.
    - Ensure web applications have the latest security patches and are securely configured (including changing default login credentials).

    Ongoing monitoring is also strongly suggested, as most phishing sites return in a few hours to days if the site is not fully secured. For more information see the document from APWG titled: What to Do if Your Website Has Been Hacked by Phishers

    Help Educate Consumers – Additional Information
    -----------------------------------------------
    As part of this action, we request that you redirect all traffic going to this URL to the following website: so that consumers will be educated about phishing if they try to access this page. Information about implementing a redirect to this page can be found here:
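
The "Securing Your Site" checklist above (recently modified files, hidden files/directories, world-writable web content) can be turned into a quick first-pass audit of a web root. This is an added example, not part of the report or of JotForm's response; the function names and the demo tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Audit a web root for the indicators the report lists:
# world-writable entries, hidden files/dirs, and recently modified files.
# Usage: audit_webroot <web-root> [days]   (days defaults to 7)

audit_webroot() {
    root="$1"
    days="${2:-7}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    echo "== world-writable entries under $root (should normally be none) =="
    find "$root" -perm -002 -print
    echo "== hidden files/directories under $root (review each one) =="
    find "$root" -mindepth 1 -name '.*' -print
    echo "== files modified in the last $days day(s) =="
    find "$root" -type f -mtime "-$days" -print
}

# Counters for scripting and tests (same criteria as the audit above)
count_world_writable() { find "$1" -perm -002 | wc -l | tr -d ' '; }
count_hidden() { find "$1" -mindepth 1 -name '.*' | wc -l | tr -d ' '; }

# make_demo_webroot: constructed sample tree (hypothetical, not from any real site)
make_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/form" "$d/.cache"            # hidden directory
    printf 'ok\n' > "$d/index.html"
    printf 'suspect\n' > "$d/form/.hidden.php" # hidden script, typical backdoor spot
    printf 'upload\n' > "$d/uploads.php"
    chmod 644 "$d/index.html"
    chmod 666 "$d/uploads.php"                 # world-writable web file
    echo "$d"
}

# Stand-alone run: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_webroot)
    audit_webroot "$demo" 1
    rm -rf "$demo"
fi
```

Run it against the real document root with a small day window right after the takedown notice, then repeat it on a schedule, since the report notes that unsecured sites are usually re-abused within hours to days.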
    Answered on April 30, 2014 at 03:21 PM


    Our automated security system has already flagged and disabled the form and its account from access or use.

    As for your additional requests to have access to the logs and data in relation to that form - I have escalated the issue to my supervisor for a definitive response.

    Thank you for your patience.