Maybe double-check that HMRC email? UK taxman remains a fave among the phisherfolk The UK's National Cyber Security Centre (NCSC) has had another busy year trying to disrupt cybercrime. The government agency today reported that in the past 12 months, it stopped 140,000 phishing attacks and took down more than 190,000 fraudulent sites and services. Impersonating the taxman remained phishers' favourite …
Perhaps if HMRC were not obsessed with "digital everything" they would have no need to demand/harvest email addresses and phone numbers from everyone, thus any unsolicited email which claims to arrive from them could be binned straight away. If HMRC want to contact someone, send a letter with a suitable franking mark.
But no, I guess that is too simple, old fashioned and secure for those f*cktards.
To be fair - at least you can report these scans to HMRC:
https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples
"Forward suspicious emails and details of calls claiming to be from HMRC to phishing@hmrc.gsi.gov.uk and texts to 60599"
HMRC sent me a dead tree letter saying I had to file a tax return for two years ago. A year when I earned no money, not a bean. I sat on the phone and eventually got to talk to a nice young man who apologised told me to ignore it and shred it. Their systems apparently will do this with only minor provocation.
In my case it seems to be registering for self employment because I am trying to earn pin money by tutoring in Biology and general Science. It's unleashed all sorts of havoc at HMRC which makes you wonder how competent their systems really aren't.
[The NCSC also discovered that at least 318 public sector networks and 168 unique organisations were still using Windows XP – the OS that hasn't seen a single security patch since the middle of 2014.]
https://www.microsoft.com/en-us/download/details.aspx?id=55245
See the date there? It says 2017
And here is an update... for 2019!
https://support.microsoft.com/en-us/help/4500331/windows-update-kb4500331
Truly, is like Microsoft can't let XP die for good.
When I was working in the NHS there were XP boxes still around simply because they ran multi million quid bits of kit like MRI machines. The software was written for XP and preinstalled on the box provided by the manufacturer.
The manufacturer wouldn't provide a new machine with the software on it, but would offer a 5% discount on their latest model MRI machine, at a total cost exceeding what pretty much anybody reading this will earn in total in their life.
Options:-
1) Toss a several million quids worth of perfectly good MRI machines and drop the number of medical procedures offered down to around 25% of normal to pay for replacement hardware.
2) Unplug the XP box from the network, leave it connected to the MRI boxes and then print the scans on a high spec colour printer, and honestly answer that you have XP in use which is not receiving any security patches.
3) stick a small hardware firewall between the XP box and the rest of the world and only allow it to do updates etc, and allow outbound SMTP traffic on port 21 to allow the scanner to email the MRI results to people who need them, then honestly answer that you have XP in use, but it's connected to the network, secured and up to date.
4) Do a Sir Humphreyesque answer to surveys stating that all staff desktops have been updated to Win7 or Win10 and that you have no staff using a Windows XP desktop computer for their day to day work.
Answers on a postcard to which one you'd pick.
There's a simple way to detect forged mail. You publish an SPF TXT record in your DNS. Then when ANYONE sends mail which claims to be from you to ANYONE, the RECIPIENT's mail server can check the DNS to see if the sending server is authorized by the (claimed, possibly forged) sender to send that mail. If not, the recipient's server sends the messsage straight to /dev/null without cluttering up anybody's inbox.
Easy.
Well, easy if you're half-way competent. The UK government appears (like, it has to be said, most other governments) not to be competent.
Yes, the government does publish SPF records, in a sort of piecemeal, whack-a-mole way, for myriad .gov.uk domains.
But half the time it gets it wrong.
I've offered to explain it, to test them all, and, where they're broken, to fix them, for nothing.
I might as well talk to my three-legged dog.
The DVLA, for example, has had a broken SPF record for YEARS. First it was dvla.gsi.gov.uk. Then it was dvla.gov.uk.
Here's the Big Clue for the people running gov.uk mail and DNS: Read RFC7208. ALL of it.
Management summary:
(Points are numbered in the same way that points are numbered on the "hackerone" Web forms, where I've already reported all this.)
1. Yes, your SPF record needs to be able to PASS a genuine mail.
1. But it doesn't end there. You see, you can PASS a genuine mail if you only process the first couple of terms in the SPF record. You're not really supposed to do it like that, but that's what people do.
1. The thing is, you also need to be able to FAIL a forged mail. And to do that, you need to process the WHOLE RECORD.
1. For the dvla.gov.uk SPF record you can't do that, because it's broken. You run out of permitted DNS operations before you get to the end of it.
Same problem with the landregistry.gov.uk record for that matter, only worse, because you run out of DNS operations further from the end of the record.
On the plus side, though, I've only been banging on about this for about three years, and it would only take me about three minutes to fix it.
Did I mention Capita? No, well, don't get me started.
I really do have a three-legged dog.
SPF was a good idea, but... people implemented it wrongly and didn't include their external ESPs and suchlike which meant that SPF gradually became useless. It also doesn't handle cases where recipients auto-forward messages to their other address (and don't claim that SRS is workable). It's a score in a spam filtering system only.
DMARC however supersedes it by signing emails and publishing the public key in DNS... and it works much better. Except organisations aren't keeping the keys up to date and other orgs don't have the balls to flat-out reject anything that doesn't pass. There's still some promise in the system though, unlike SPF which is defunct.
HMRC warns of landline scams threatening households - GOV.UK
https:/www.gov.uk/government/news/hmrc-warns-of-landline-scams-threatening-households
2 Mar 2019 - Households with a landline number should be vigilant of phone calls from fraudsters pretending to be the tax authority, warns HM Revenue and ...
(Daily Mail(wtf!) were up for this year's Paul Foot Award for this story)
Yup, we've had them over the last week along with "there is an arrest warrant in your name, please contact us on [insert number here] to discuss". From the same number as the HMRC scam.
Thankfully Mrs Alien is now almost as paranoid as myself with regards suspicious phone calls and emails.
The TV licensing idiots send a letter "to the occupier" of my house once a month with various threatening banners on the front such as "Investigations launched in your area" and "We've launched an official investigation" on the front. It's all very funny and a bit pathetic considering their complete lack of any authority.
How does this relate to scams... well, this the key reason I still receive these letter at my property : (A) Because there is no legal imperative for me to tell the licensing goons anything, via their website or on my doorstep, and (B) they are not having any of my personal details because of these persisiting scams.
The 419 boys from Lagos should certainly have a go though, as it certainly can't be any more laughable than Crapitas go at fraudulently and incorrectly trying to tell me why I need a TV license.
Quote: "...followed by the (now defunct) Government Gateway identification service..."
*
Dear El Reg:
Clarification needed. Yesterday I used my Government Gateway ID (issued in 2018) in an online session with HMRC. The quote above MIGHT seem to imply that my online session yesterday could have been completely fraudulent.
So....are Government Gateway IDs still valid or not. If not, then I'm wondering why HMRC seems still to use them.
Confused....need clarification!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
