IRS Phishing Site Identified

  • Laura Fried
    Asked on September 09, 2014 at 08:57 PM
    Dear Abuse Team,

    The site is located at: ASN: 54540 IP: Defanged URL: hxxp://form[.]myjotform[.]com/form/42517047725556

    We are asking for your assistance removing this fraudulent content as quickly as possible and to take the following responses in conjunction with your policies.

    Secure Your Site
    ----------------
    Your site was likely the victim of a compromise and steps should be taken to secure your server and the content that it is providing. Please see below for some actions that you may want to implement.

    Help Educate Consumers
    ----------------------
    Please see below for instructions if you would like to assist in helping to educate consumers about online fraud.

    Help Our Investigation
    ----------------------
    As part of our job, we track and analyze phishing information that over time may lead to the identification and legal action against these phishers. By providing to us any files used in the phish and any relevant logs, you would be assisting us in our efforts. Please email files, logs or any other relevant information to: submits@ofdp.irs.gov

    Additional information regarding this site appears below.

    If you have any questions, or require further information, please feel free to call me at 1-202-556-2612.

    Regards,
    Laura Fried
    202-552-1226 (Fax)
    Online Fraud Detection and Prevention (OFDP)
    Internal Revenue Service
    United States Department of the Treasury

    --------------------------------------------------------------------------
    Securing Your Site – Additional Information
    -------------------------------------------
    Your site was likely the victim of a compromise and steps should be taken to secure your server and the content that it is providing.

    Some actions that you may want to take include:
    - Inspect relevant logs and audit trails.
    - Inspect recently created/modified user accounts and files (including hidden files/directories). Phishers generally leave backdoors/shells that enable them to get back into the server/site if not removed.
    - Ensure files/directories have the appropriate privileges/permissions, e.g., web files/directories generally should not be world writable.
    - Ensure web applications have the latest security patches and are securely configured (including changing default login credentials).

    Ongoing monitoring is also strongly suggested, as most phishing sites return in a few hours to days if the site is not fully secured. For more information see the document from APWG titled: What to Do if Your Website Has Been Hacked by Phishers

    Help Educate Consumers – Additional Information
    -----------------------------------------------
    As part of this action, we request that you redirect all traffic going to this URL to the following website: so that consumers will be educated about phishing if they try to access this page. Information about implementing a redirect to this page can be found here:
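The "Securing Your Site" checklist in the report above (inspect logs, look for recently created or modified files and hidden files, and make sure nothing under the web root is world writable) can be turned into a small, repeatable audit. The script below is an added example for this page; it is not code from the forum post, the IRS, or JotForm. The web root path, the 7-day window, the combined-format access log, and every sample file and log line are constructed assumptions, built in a temporary directory so the script runs on its own.

```sh
#!/bin/sh
# Added example: a post-compromise audit of a web root that follows the
# file-system and log checks listed in the abuse report. Not code from the
# forum post, the IRS, or JotForm. The web root, the 7-day window, the access
# log format and every sample file/log line below are assumptions.

# 1. Files modified within the last N days (phishing kits are usually dropped
#    shortly before the campaign starts).
recent_files() {            # $1 = web root, $2 = days
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# 2. Hidden files and directories, plus anything stored inside a hidden
#    directory (a common place to park a shell or kit).
hidden_entries() {          # $1 = web root
    find "$1" -path '*/.*' 2>/dev/null | sort
}

# 3. World-writable files or directories; a web root should contain none.
world_writable() {          # $1 = web root
    find "$1" -perm -002 2>/dev/null | sort
}

# 4. Cross-check with the access log: which requests hit the recently
#    modified files? (Combined log format assumed.)
requests_to_recent() {      # $1 = web root, $2 = access log, $3 = days
    recent_files "$1" "$3" | while IFS= read -r f; do
        rel="${f#"$1"}"     # path relative to the web root, e.g. /uploads/x
        grep -F -- " $rel " "$2" || true
    done | sort -u
}

count_lines() {             # portable replacement for `wc -l`
    n=0
    while IFS= read -r _; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# Constructed sample web root: one old legitimate page, one fresh page in a
# world-writable upload directory, one fresh file under a hidden directory.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/.cache"
    printf '<html>legitimate page</html>\n' > "$root/index.html"
    printf 'constructed sample kit file\n'   > "$root/.cache/kit.txt"
    printf 'constructed sample page\n'       > "$root/uploads/login.html"
    chmod 755 "$root" "$root/.cache"
    chmod 644 "$root/index.html" "$root/.cache/kit.txt" "$root/uploads/login.html"
    chmod 777 "$root/uploads"                 # the misconfiguration under test
    touch -t 201301010000 "$root/index.html"  # backdate the legitimate file
    printf '%s\n' "$root"
}

# Constructed sample access log (combined format, RFC 5737 test addresses).
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.5 - - [09/Sep/2014:20:41:12 +0000] "POST /uploads/login.html HTTP/1.1" 200 512
198.51.100.7 - - [09/Sep/2014:20:42:03 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [09/Sep/2014:20:43:55 +0000] "GET /.cache/kit.txt HTTP/1.1" 200 128
EOF
    printf '%s\n' "$log"
}

# Run all four checks against the constructed sample and clean up.
demo() {
    root=$(make_sample_root); log=$(make_sample_log)
    echo "== modified in last 7 days =="; recent_files "$root" 7
    echo "== hidden entries ==";          hidden_entries "$root"
    echo "== world-writable ==";          world_writable "$root"
    echo "== log hits on recent files =="; requests_to_recent "$root" "$log" 7
    rm -rf "$root" "$log"
}
if [ "${1-}" = "demo" ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the sample output; on a real server, point the four functions at the actual web root and access log instead of the constructed sample. The log cross-check is the useful part: a file that was both modified recently and requested from the outside is where the investigation should start, and it is also the file set worth sending to the investigators named in the report.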
  • Answered on September 09, 2014 at 11:18 PM

    Thank you for the information. We were able to trace the form and the account involved.

    We have now suspended the account and forms.