[email protected] Business tax scam - I guess

This was tossed in my spam, but some people might still get it and think it is real due to the ".gov" domain suffix. It has a site link instead of the usual drive by trojan dropper in a zip file.

From user Mon Apr 13 14:24:44 2015
X-Apparently-To: whereiwork@itisnotimportant; Mon, 13 Apr 2015 13:24:44 +0000
Return-Path: <[email protected]>
X-YahooFilteredBulk: 95.224.163.198
Received-SPF: fail (domain of tax.gov does not designate 95.224.163.198 as permitted sender)
X-YMailISG: ntZTa1YWLDt2xqg2SFAWdPjSczKim9z5L6YcC2KxCB0Iweky
Z94zsqxEs5RH2fwMiak.oqtK.7p3iBVKE5tDjRhNIi2YnjEmkgB.pHn5MOqM
20n64e6oYGjMvOzTm_jXpRW2cyQfSYHzvQEZRmLW9dT7HL4MofDkRURPEXgH
k8kO1HdY1UJuDQtMZszqWGSano02k.47LyyP5ToNfvX2IfD0QgPcmHyLYleW
Gl612p_eUmENHJ0pIUxd4ERgT3DWldtbI6BX2h34vmnNxgl8Hjj5dj9Tv1wy
r0I0D9eonbAQkKu2vL3yFil56l68joJ8I59GCchof3mUvQXg0PpCERl9yiwk
GEgSt8THitL2hc9c_aJMZS4fVLjvM_0DgYpm2icmDrlC9T9zLDxrUWpRoJtV
6l0zDRWGdNglrvR9y9XUpiKJyKiFl7WYv5yVndrqApbpu9B8LsaAjnJN7JoE
dWk28zfL17RYaZII3hhaBdO3e64Ep5T5s5Iy2WGP6Cp8Ngx_g5kkmo.Io_NF
bYt7pNfCoI7vrpnwkLeQd7gzX0woT2SE3AV2j3T5KwsVmO7uOnZImQKMf61T
yIAgWiq6rQxLUzk9yJTYq_WNZmjkPDCZY9R22MQjD70xT2VHg88QOTtIxoyT
A.KYyB9exbBy4gNiOKzuAizBnsctu0wzt__lKkE28g6iwy4FVRixcOWD8RdO
.DLJpJc8_Y3fHwQe.kIQ1ie1FDDKBdI.N5efGE06B4CgwwdV1fOc9Wrlkzc5
ZwxokOWcAEDaENDHo8LZWRsarDY3waPIM4MrBYKCW8NH7G9JZxQdn5yawT_F
1_RN4.vP9jnykNUbgsHb6kjJAzJlwu02DSmeV5FZvaswGJr3tJOY0gDwsuHE
2fVamhRsw13sJ2b.VGLYtP_PFsjfAfknb8rbG2jIAXnuTvGAkhUlu_4eppce
vGSklgezZqabaj0gYSq4NuDF6NZ8TsfbRhkXmDtCTprZJyRc2MmOjtEe3cc_
r4_CI7.uYU6lvXcodGFMZhf.VIf4HHjGJqOHe5MIjISDrXVMERulyNhhJKMi
AOwc8.YSRlHiPCRYDgqLiZebDD9xddz2Pf0ngq2b.XbfywpM5CUprDbA3cxD
lYuXuIIaAzWOFbAoA26.c0Eblnv0q8PJq4Ryo.mrHK0btvF3ySdZ6Q_SycOZ
oyzeMulBPW_OT.kFIiDjcatk8XwHM142dwObMe9OJFFo_bGcuS43TxgrU63w
GA--
X-Originating-IP: [95.224.163.198]
Authentication-Results: mta1015.biz.mail.bf1.yahoo.com from=tax.gov; domainkeys=neutral (no sig); from=tax.gov; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO tax.gov) (95.224.163.198)
by mta1015.biz.mail.bf1.yahoo.com with SMTP; Mon, 13 Apr 2015 13:24:44 +0000
Message-ID: <[email protected]>
Date: Mon, 13 Apr 2015 15:24:44 +0100
From: user <[email protected]>
MIME-Version: 1.0
Subject: Tax report #0667203
To: <whereiwork@itisnotimportant>
Content-Length: 396


Attention: Owner/ Manager

We would like to inform you that you have made mistakes while completing
the last tax form application (ID: 3710720971590) .
Please follow the advice of our tax specialists:
http://compubarata. com/FAX-MESSAGE. DATA. STORAGE/incoming.fax_message. html ,<Disabled link MW>

Please amend the mistakes and send the corrected tax return to your tax
agent as soon as possible.

Yours sincerely

The message was sent from Italy. If it were really from the government, it would be in Italian. The link is to compubarata.com, a Mexican computer store. Apparently the file that the link pointed to has been removed. I guess it was phishing.

The message was sent from Italy. If it were really from the government, it would be in Italian. The link is to compubarata.com, a Mexican computer store. Apparently the file that the link pointed to has been removed. I guess it was phishing.

Yes, I'm pretty sure it was some kind of unsophisticated login credential grab. I apologize for the link being active, our host disables links in spam on the web interface and I forgot to add a break when I copied.