Wednesday, December 26, 2007

IRS rebate scam

If you ever get something in your email that suggests it is from the Government, your bank, etc., do NOT fall for these scams. Do not click on the links, and do NOT contact or reply to the sender.

Report the email to IC3, the web server/host, etc. If more people reported these scams, fewer ignorant people would get scammed. Sure, we may think only greedy or ignorant people fall for these things. But the fact is I have received letters from my readers who have been affected by these scams. After the damage is done there is very little help I can offer, and in most cases the people lost money and their sense of security, which they likely will never retrieve.

To that I say it may be your child or grandparent that falls for one of these scams someday. Then what will you say? Talk to your friends, family, and the children. Inform and instruct them how to spot and deal with these problems.

IRS Scam Mail example

I got this in my Email today:


After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $129.72. Please submit the tax refund request and allow us 3-6 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date and time.
Deliberate wrong inputs are criminally pursued and indicated.

Internal Revenue Service

Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.


Regarding this email, I held my mouse cursor over the link to see where it went. The link pointed to the following address: *******/redir.php

So I decided to type softics into Google. I found 1,200 links. See the ".ro" at the end of the main web site address? This is called the "extension". Normally you will see a .com etc. here, but there are also country extensions. Here is a list of different extensions and what they represent:

The web site is a Romanian

The email "sender" was indicated as being from (according to my Yahoo email sender summary):

This is something the scammers do: they will make it look like it was sent from a reliable source like eBay or PayPal. They lie. Also notice how at the end of the web address there is "/redir.php"?

Well, the "redir.php" indicates that when you click on the link it will redirect you to a different web site, and not the website that you see if you place the cursor over the link. (PLEASE BE CAREFUL AND DON'T CLICK THE LINK.) At the bottom left of the browser window you should be able to see the website the link goes to.

Also, I looked at the full header in my email browser. The full header indicated that the originating IP address was -

Country: UNITED STATES (US) City: New York, NY
Another IP address lookup software found this:
Country: USA
The received address was
I looked this one up and found:

Host: ?

Country: United Arab Emirates
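
The two checks described above (where the link really points, and which IP addresses the full header records), as an added Python example that is not part of the original post. The message, the host names and the `inspect` and `under` functions are constructed for illustration; each bracketed IP in a `Received` header is the peer that relay saw, and 192.0.2.44 is a documentation address.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: spoofed From, reserved .example hosts, documentation IP.
SAMPLE = """\
From: "Internal Revenue Service" <refunds@irs.gov>
Received: from mail.relay-host.example ([192.0.2.44]) by mx.reader.example
Content-Type: text/html

<p>To access the form for your tax refund, please
<a href="http://link-host.example/redir.php">click here</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects every <a href>, i.e. the address hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def inspect(raw, claimed_domain):
    """Return warnings for one raw message that claims to be from claimed_domain."""
    msg = message_from_string(raw)
    warnings = []
    # The From header is whatever the sender typed, so a match proves nothing.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not under(sender, claimed_domain):
        warnings.append(f"sender domain {sender} is not {claimed_domain}")
    for received in msg.get_all("Received", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
            warnings.append(f"relay IP to look up: {ip}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not under(host, claimed_domain):
            warnings.append(f"link host {host} is not {claimed_domain}")
        if "redir" in url.path.lower():
            warnings.append(f"link path {url.path} looks like a redirect script")
    return warnings
```

Calling `inspect(SAMPLE, "irs.gov")` raises no sender warning because the From line is spoofed, yet still flags the link host, the redirect path and the relay IP.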

I also did a search to see who owns the domain name, here is what I found.

description: PETRE Constantin
description: bd. Unirii bl. E17, sc. B, et. 1, ap. 28
description: Slobozia
description: RO
description: Postal Code: 920022
description: Phone: +40-743-117678
description: Email:
description: [...]
admin-contact: PC23-ROTLD
technical-contact: PC23-ROTLD
zone-contact: PC23-ROTLD
billing-contact: PC23-ROTLD
info: Registered via inregistrari_ro
info: object maintained by ro.rnc local registry
object-maintained-by: ROTLD-MNT
updated: 20050127
updated: 20050127
source: ROTLD
application-date: 20050126
domain-status: activ

person: PETRE Constantin
address: PETRE Constantin
address: bd. Unirii bl. E17, sc. B, et. 1, ap. 28
address: Slobozia
address: RO
address: Postal Code: 920022
address: [...]
phone: +40-743-117678
nic-hdl: PC23-ROTLD
object-maintained-by: ROTLD-MNT
updated: 20050127
updated: 20050127
source: ROTLD