New Smish: New York Department of Revenue
<p> As I was visiting <a href="https://smishtank.com/">SmishTank</a> to report the most recent SMish that I had received (an iMessage from a +27 South African telephone number claiming to be from ParkMobile) I noticed there had been many recent submissions claiming to be from the New York Department of Revenue. SmishTank is operated by <a href="https://www.linkedin.com/in/muhammad-lutfor-rahman-phd-b12b5a84/">Professor Muhammad Lutfor Rahman</a>, a colleague of mine from our time at UAB, and his student Daniel Timko from California State University San Marcos. </p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgptfdj5Izr8IcBqB-BD7CbdtOI9vsJ6QEjdXwzGSwu_kuu0VK6hREOMgjzIcll-xB2G0_1u-PoUP2xo9y3bQIjoiWs5RIu6PcZeP4XTzIhhHlTTJiMYVEn8Wsak-5CFeUg7ZZCzQ1n9CB7jSQrqB6Knbvz41N7R_VGEW5YSaMD66Lar39k6fxC9CxvRlTDBQ" style="margin-left: auto; margin-right: auto;"><img fetchpriority="high" decoding="async" data-original-height="912" data-original-width="1497" height="390" src="https://blogger.googleusercontent.com/img/a/AVvXsEgptfdj5Izr8IcBqB-BD7CbdtOI9vsJ6QEjdXwzGSwu_kuu0VK6hREOMgjzIcll-xB2G0_1u-PoUP2xo9y3bQIjoiWs5RIu6PcZeP4XTzIhhHlTTJiMYVEn8Wsak-5CFeUg7ZZCzQ1n9CB7jSQrqB6Knbvz41N7R_VGEW5YSaMD66Lar39k6fxC9CxvRlTDBQ=w640-h390" width="640"></a></td> </tr> <tr> <td class="tr-caption" style="text-align: center;">SmishTank.com is a great resource for recent SMish!</td> </tr> </tbody> </table><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgbqgpM33N7aFdogt9fqhChrNivZ69ZiW8VRbNZral1D9vYSeqXpTG5jUxU8E2ezEhecEMP6lh_2EC4MZoxLdzDSL54_G-BnmeFeZqLFaI_y6sp_2tifJxZM1cXP5slE6BlY7EhhwAnj7HZxyPC6BtgFPLnIpuFsjNarEvW94L-54iZ5EbjGMPdS7n0BWuvpg" style="margin-left: 1em; margin-right: 1em;"><img decoding="async" data-original-height="371" data-original-width="1502" height="158" src="https://blogger.googleusercontent.com/img/a/AVvXsEgbqgpM33N7aFdogt9fqhChrNivZ69ZiW8VRbNZral1D9vYSeqXpTG5jUxU8E2ezEhecEMP6lh_2EC4MZoxLdzDSL54_G-BnmeFeZqLFaI_y6sp_2tifJxZM1cXP5slE6BlY7EhhwAnj7HZxyPC6BtgFPLnIpuFsjNarEvW94L-54iZ5EbjGMPdS7n0BWuvpg=w640-h158" width="640"></a></div><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgf-jY2CrP_53uG2UB9vE5UXPnhdF1nGJy_p-IJaQco5auOK9uJ9VOjlysvvrpd_D5QVBFKDoLaWKyYZk6knRraIwYf19C9QNb-wuhXKx1ACU8KB8p79ZnkieUNcjH1T5cC3whBhfZyPqKKuEGp1nipJ-gs1xJgtdacmlZCRZoP1n763ejrqn_NDarr-_3ycA" style="margin-left: auto; margin-right: auto;"><img
loading="lazy" decoding="async" data-original-height="695" data-original-width="1492" height="298" src="https://blogger.googleusercontent.com/img/a/AVvXsEgf-jY2CrP_53uG2UB9vE5UXPnhdF1nGJy_p-IJaQco5auOK9uJ9VOjlysvvrpd_D5QVBFKDoLaWKyYZk6knRraIwYf19C9QNb-wuhXKx1ACU8KB8p79ZnkieUNcjH1T5cC3whBhfZyPqKKuEGp1nipJ-gs1xJgtdacmlZCRZoP1n763ejrqn_NDarr-_3ycA=w640-h298" width="640"></a></td> </tr> <tr> <td class="tr-caption" style="text-align: center;">Pennsylvania and Connecticut “Department of Revenue” also observed</td> </tr> </tbody> </table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjy_8s2uLyqQaoJe6kZsIwmMpXVL11OoH0JC5dvz2D0XwxnOvl8YgNL4sXBF4YgduzYafZ0XsZZRiNUE60gTVc92zsL_aTE4m6RzsIMOMyIv-7LJ7gGulXefVDamkUCnwnTXyuIlOD0DiLnm_uv8Z60RLBQEW0mRuUlp77DMOe_csuE98CRCL0aGsc1_iXaQQ" style="margin-left: auto; margin-right: auto;"><img loading="lazy" decoding="async" data-original-height="1020" data-original-width="1307" height="499" src="https://blogger.googleusercontent.com/img/a/AVvXsEjy_8s2uLyqQaoJe6kZsIwmMpXVL11OoH0JC5dvz2D0XwxnOvl8YgNL4sXBF4YgduzYafZ0XsZZRiNUE60gTVc92zsL_aTE4m6RzsIMOMyIv-7LJ7gGulXefVDamkUCnwnTXyuIlOD0DiLnm_uv8Z60RLBQEW0mRuUlp77DMOe_csuE98CRCL0aGsc1_iXaQQ=w640-h499" width="640"></a></td> </tr> <tr> <td class="tr-caption" style="text-align: center;">The Utah State Tax Commission and the State of California Franchise Tax Board were also seen</td> </tr> </tbody> </table><p></p><h3 style="text-align: left;">SMish that Hide from Wrong Browsers</h3><p>If you visit any of the URLs that are reported by these “Tax Refund” phish, you’ll find that they refuse to serve the page unless you are visiting from a phone. Researchers easily bypass this by using a “User Agent Switcher” extension, which lets a browser such as Chrome claim to be another device running a different browser. 
By setting myself to be an “Android KitKat” version of Chrome, the pages render on my Windows PC just fine. The User Agent Switcher also allows you to enter your own custom User Agents. Today, this is the one I used … </p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjzb-GVcz2biSR7UGWS0SM62G2DNHo1UsYUOkuVNNCzuMkTDWG0OpB6LGCCGYRSfQM1YsoruTDWYQS5-wz92t3wgDHwIBgi9NMQS3Ur0sSJLUdB4mFFYORch0TuIQsRgf6ZSOUqvjKxNBWz-0BE00UN39jKVh3KXLXxtqfPGZfHUoNPyBINMw1KM9e1TD9slA" style="margin-left: auto; margin-right: auto;"><img loading="lazy" decoding="async" alt="" data-original-height="62" data-original-width="324" height="61" src="https://blogger.googleusercontent.com/img/a/AVvXsEjzb-GVcz2biSR7UGWS0SM62G2DNHo1UsYUOkuVNNCzuMkTDWG0OpB6LGCCGYRSfQM1YsoruTDWYQS5-wz92t3wgDHwIBgi9NMQS3Ur0sSJLUdB4mFFYORch0TuIQsRgf6ZSOUqvjKxNBWz-0BE00UN39jKVh3KXLXxtqfPGZfHUoNPyBINMw1KM9e1TD9slA" width="320"></a></td> </tr> <tr> <td class="tr-caption" style="text-align: center;">Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36</td> </tr> </tbody> </table><p></p><h3 style="text-align: left;">New York Department of Revenue Mobile Phish (SMish)</h3><div>After switching my User Agent, I chose to visit “revenue.refundjpt[.]cc/notice” to get samples of the phish. The first thing that stands out is that despite the SMish all claiming to be the “New York Department of Revenue” the phishing website calls itself “Department of Taxation and Finance” and makes no reference to any specific state. 
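The phone-only behaviour described above can also be checked without a browser extension. What follows is an added example written for this article, not the author's tooling and not the kit's code: it requests the same URL once with a desktop User-Agent and once with the mobile string quoted above, and reports whether the server answers differently. The desktop UA string, the `example.invalid` URL and `simulated_kit_fetch` (a constructed stand-in that answers the way the post says the kit does, so the check runs offline) are my assumptions; `http_fetch` is the real fetcher to swap in for a live URL.

```python
import urllib.error
import urllib.request
from typing import Callable, Tuple

# The mobile User-Agent string quoted in the post (Chrome on Android 4.4 "KitKat").
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36")
# A desktop User-Agent constructed for the comparison (any common desktop string would do).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# A fetcher maps (url, user_agent) -> (http_status, body_text).
Fetcher = Callable[[str, str], Tuple[int, str]]


def http_fetch(url: str, user_agent: str, timeout: float = 15.0) -> Tuple[int, str]:
    """Real fetcher built on urllib. HTTP error responses (403, 404, ...) are
    returned as data rather than raised, because for a cloaking check the
    error page is the interesting answer."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def detect_ua_cloaking(url: str, fetch: Fetcher = http_fetch) -> dict:
    """Request the same URL with a desktop UA and with a mobile UA and report
    whether the server answers differently (status or body). A 'cloaked'
    verdict is the behaviour the post describes: the page is served only to
    what looks like a phone."""
    d_status, d_body = fetch(url, DESKTOP_UA)
    m_status, m_body = fetch(url, MOBILE_UA)
    same_status = d_status == m_status
    same_body = d_body.strip() == m_body.strip()
    return {
        "url": url,
        "desktop": (d_status, len(d_body)),
        "mobile": (m_status, len(m_body)),
        "cloaked": not (same_status and same_body),
    }


def simulated_kit_fetch(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed stand-in for the kit's server so the check runs offline:
    phones get the page, everything else gets an empty 404, as the post observed."""
    if "Mobile" in user_agent or "Android" in user_agent:
        return 200, "<html><body><h1>Department of Taxation and Finance</h1></body></html>"
    return 404, ""


if __name__ == "__main__":
    # Replace simulated_kit_fetch with http_fetch to test a live URL from a sandboxed host.
    print(detect_ua_cloaking("https://revenue.example.invalid/notice", simulated_kit_fetch))
```

The fetcher is injected so the verdict logic can be exercised without touching the criminal infrastructure at all; a fuller implementation would also compare redirect chains and the final URL, since some kits cloak by redirecting desktop visitors to a legitimate site rather than by returning an error.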
</div><div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1PnhWKtAhBBh7x3wA_CDWLqcuuC1LiFiOm7c52aPFrUyfzqdu3xT_M_xWGe_6JopFBWyQwIMU8LfaMqhuy-nnL8-i1vX4Q5gQTWmZEhABgJdT2AwmcbRfTjCT9gqztiDA2DJrby2cbeu7LAHBMtJtVMr9FuANd1wbpiuZ8hXO7Vn4cBc-tEHpUm2dhn1GsA/s861/NYTax.page1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="861" data-original-width="789" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1PnhWKtAhBBh7x3wA_CDWLqcuuC1LiFiOm7c52aPFrUyfzqdu3xT_M_xWGe_6JopFBWyQwIMU8LfaMqhuy-nnL8-i1vX4Q5gQTWmZEhABgJdT2AwmcbRfTjCT9gqztiDA2DJrby2cbeu7LAHBMtJtVMr9FuANd1wbpiuZ8hXO7Vn4cBc-tEHpUm2dhn1GsA/w586-h640/NYTax.page1.png" width="586"></a></div><div class="separator" style="clear: both; text-align: center;"></div><div></div><p>The “Address” page of the phish starts by asking for a Social Security Number, which makes sense if you are interacting about taxation. With most “bank” phish, that would be an immediate Red Flag, but people who are interacting about taxes would not be alarmed by this. In the USA, your SSN is the primary identifier for taxes. Although the “State” is pre-populated to “New York” the footer still references the California Penal Code. 
</p><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3_ljk-XCkBHbNEjuZcEqr4bPw1hQs_k7MbQTvcjbqISo3IlKXG6CnBmjnA6dfF1x1Qpya0AGI7rfposmNqUbx6leoq5Wuee1Ve1qkR7XPkxs-VvrQEbZpNkYkKZo8rK3h-euHcL9QjHZqoDvvcERHih_cDHsvqkTfz7dT9SLus9i69Bh6xilN9DjR1pN8PA/s1038/NYTax.page2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="1038" data-original-width="944" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3_ljk-XCkBHbNEjuZcEqr4bPw1hQs_k7MbQTvcjbqISo3IlKXG6CnBmjnA6dfF1x1Qpya0AGI7rfposmNqUbx6leoq5Wuee1Ve1qkR7XPkxs-VvrQEbZpNkYkKZo8rK3h-euHcL9QjHZqoDvvcERHih_cDHsvqkTfz7dT9SLus9i69Bh6xilN9DjR1pN8PA/w582-h640/NYTax.page2.png" width="582"></a></div> <div class="separator" style="clear: both; text-align: center;"></div> <div></div> <p>The next page tells me they would like to refund me $1120 and asks which Credit Card or Debit Card I would like to send the funds to. 
The “Bank Routing” option is unavailable, apparently due to “system maintenance.” </p></div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOqE5uQbnK6HozlxTe401OxPP2VLmIG0fI_z_n-Z4GFO6CzbMecOFAv01ZoLsXGdXYaYh_3ZraVi1ql794gFZfHE9tIz8uIt_HxNYsM1SSIR9z0zfz78_TB7NhD0fV3E6y2iwP0bftwHILGXo-QqfNYETM1ZNO5kHmYyIBFi1MVW39dj5Sm5pCyD6iNA9JWA/s992/NYTax.page3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="992" data-original-width="952" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOqE5uQbnK6HozlxTe401OxPP2VLmIG0fI_z_n-Z4GFO6CzbMecOFAv01ZoLsXGdXYaYh_3ZraVi1ql794gFZfHE9tIz8uIt_HxNYsM1SSIR9z0zfz78_TB7NhD0fV3E6y2iwP0bftwHILGXo-QqfNYETM1ZNO5kHmYyIBFi1MVW39dj5Sm5pCyD6iNA9JWA/w614-h640/NYTax.page3.png" width="614"></a></div> <div class="separator" style="clear: both; text-align: center;"></div> <div></div> <p>The website uses the Luhn algorithm to check that the credit card number is well-formed; this checksum only catches typos and says nothing about whether a bank ever issued the number. Type any 16 digits starting with a 4 or a 5, then rotate the final digit until the form stops saying “invalid card number” in red and accepts the number. My made-up number was 4381 6621 8355 371_ and when I changed the last digit to a “6” it became an acceptable credit card number. (I looked it up later, as this was entirely fictitious, but 438166 would mean my card was a Visa Credit Classic issued by Multicredit, S.A., in Guatemala. Oops! It’s OK, the Chinese scammers didn’t care.) </p></div><div></div><div>After this, the criminals sent a text message to the burner phone that I had provided in the Address block. This is a CRITICAL PART OF THEIR STRATEGY!</div><div></div><div>The “SERCURTITY” verification (yes, securTity) asks for my 6-digit code. 
While they say this is because they want my tax refund to be secure, this code is actually the 2-Factor Authentication that allows them to add MY CREDIT CARD to THEIR PHONE’s WALLET! </div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuJglwiOjqXQPaLbhoSOFv_vQz3bDVqGOb72HqjhRhGhvk1sEkFnSd3o8cKsNC4HpfAipvIgdRPv6nSPOB2mBTJI7h6vdCUqcgeJE5RuDFEjZjLe5KT2c3nUzxFZhhxatm9ZRmTy8iRAeuG1OAlBCN6QTp5ccgEbJTtcK3EfhW8bj8-9MAhaGKsL5gNdS0qw/s1009/NYTax.page4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="1009" data-original-width="948" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuJglwiOjqXQPaLbhoSOFv_vQz3bDVqGOb72HqjhRhGhvk1sEkFnSd3o8cKsNC4HpfAipvIgdRPv6nSPOB2mBTJI7h6vdCUqcgeJE5RuDFEjZjLe5KT2c3nUzxFZhhxatm9ZRmTy8iRAeuG1OAlBCN6QTp5ccgEbJTtcK3EfhW8bj8-9MAhaGKsL5gNdS0qw/w602-h640/NYTax.page4.png" width="602"></a></div> <p></p> <div>Unfortunately, Guatemala Multicredit SA must have let them know that my credit card didn’t really exist, as it booted me back to the credit card page and asked for a different card. This actually happens even if you enter a VALID card. Why? The criminals are not interested in sending you a tax refund. They are interested in loading your debit and credit cards onto their phone in Bangkok (or wherever their “machine room” full of spam-sending phones is located.) If you will give them two cards, they will load two. If you will give them three cards, they will steal all three. </div> <h3 style="text-align: left;">How does the Stolen Credit Card get used? </h3> <div>They then deploy “Shoppers” to begin making purchases using your credit card which is now “Tap to Pay” ready on their phone! The phone is in Bangkok? No problem. 
They use the software “X-NFC” to “remote tap,” relaying the card loaded in the wallet in Asia to the phone standing at the payment till at the Apple Store in Burbank.</div> </div><div></div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhZf6CSwDxfmfVoSdqOrYunKsu87zLl7sZYtXJuR36JGQ_oVrPMmW3UGtjjXhj1f-tNUM-1-tr-ll3gtDVYzLJtKpwBAjPtglpXZnKkF4K_9mcOuIgl0EgDGcirEioW8qYx_9LLiplxb-Zm6hbk9yZ388RHZyGDClyhmBhgiaa_KvevMBldrrQKkiREJ1rHCQ" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" alt="" data-original-height="469" data-original-width="722" height="208" src="https://blogger.googleusercontent.com/img/a/AVvXsEhZf6CSwDxfmfVoSdqOrYunKsu87zLl7sZYtXJuR36JGQ_oVrPMmW3UGtjjXhj1f-tNUM-1-tr-ll3gtDVYzLJtKpwBAjPtglpXZnKkF4K_9mcOuIgl0EgDGcirEioW8qYx_9LLiplxb-Zm6hbk9yZ388RHZyGDClyhmBhgiaa_KvevMBldrrQKkiREJ1rHCQ" width="320"></a></div> </div><div></div><div>I’m attaching a promotional video that the author shares on his Telegram channel. In the video, the criminal has two phones “above” his Point of Sale device. He links the NFC capability of one of the top phones to the bottom phone. He then taps the top “linked phone” to an iPhone holding a credit card in its wallet. The image of the card is transferred to the bottom phone, which he can then successfully tap on the Point of Sale device. </div><div></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" width="320" height="266" src="https://www.blogger.com/video.g?token=AD6v5dznApi9tBIb7sE4xEXp3_9vrM16JwAQoziDvuxcCNxRMk-TR-vFILtKUmYBD_QMQ0iJEWjC5UHS8o4" class="b-hbp-video b-uploaded" frameborder="0"></iframe></div><div></div><p>In practice, the “bottom phone” would be somewhere in North America. 
The person using that phone would call a collaborator in Asia to say they are ready to make a purchase. The remote agent then taps one of the phones where your phished credit card is loaded. That card is now “usable” on the phone in North America, whose holder taps it locally to make a payment with a credit card that is 7500 miles away! </p><h3 style="text-align: left;">What Registrars, Hosts, and Domains are part of the current New York campaign?</h3><div>These iMessage and RCS phish are part of a deployment server where criminals pay a monthly fee to use the phishing sites. Each criminal can choose how and where they register their domains and how and where they host the phishing websites. Because they are all renting access to the same catalog of phishing websites, the sites may look identical while having very different hosting and registration models.</div><div></div><div>In this case, the main set of domains is registered at “Dominet (HK) Limited” while the hosting is harder to determine, since the sites hide behind Cloudflare’s reverse proxy service. The bulk of that group’s domains for this campaign were registered on September 27, 2025. 
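Returning to the card-entry page described earlier: here is the Luhn check that form performs, as an added example written for this article rather than taken from the kit. The kit's acceptance rule (16 digits, leading 4 or 5, Luhn-valid) is inferred from the post's description, the number is the post's own fictitious 4381 6621 8355 371_, and `accepted_by_kit` and `candidates_passing` are names I chose. The point it makes is the one the post makes in prose: the checksum catches typos, so a fabricated number sails through and only fails later, at the wallet-provisioning step.

```python
def luhn_valid(number: str) -> bool:
    """True if the digits of `number` (spaces allowed) pass the Luhn checksum:
    from the right, double every second digit, fold two-digit results back
    into one digit (subtract 9), and require the total to be a multiple of 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The single digit that makes `partial` + digit Luhn-valid. This is the
    post's "rotate the last digit until it is accepted" step, computed
    directly instead of by trial."""
    stem = "".join(c for c in partial if c.isdigit())
    total = 0
    for i, ch in enumerate(reversed(stem)):
        d = int(ch)
        if i % 2 == 0:          # once a check digit is appended these become the doubled positions
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def accepted_by_kit(number: str) -> bool:
    """Mimics the kit's client-side rule as the post describes it (an inference,
    not the kit's code): 16 digits, leading 4 or 5, Luhn-valid. Note what it does
    not check: whether any bank ever issued the number."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) == 16 and digits[0] in "45" and luhn_valid(digits)


def candidates_passing(stem: str) -> list:
    """All final digits 0-9 the kit would accept for a 15-digit stem. Exactly
    one passes, which is why rotating the last digit always succeeds."""
    return [d for d in range(10) if accepted_by_kit(stem + str(d))]


if __name__ == "__main__":
    stem = "4381 6621 8355 371"          # the post's fictitious number, last digit missing
    print("check digit:", luhn_check_digit(stem))        # 6, as the post found
    print("accepted:", accepted_by_kit(stem + "6"))      # True, yet no such card exists
    print("digits the kit would accept:", candidates_passing(stem))
```

For anyone building a form of their own, the lesson cuts the other way too: a Luhn pass is a usability check, not a fraud control, and the only thing that establishes a card is real is the issuer's authorization response.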
<p>The New York campaign used the hostname “revenue” with URLs following this pattern: </p> </div><div> <div>hxxps://revenue.refundyt[.]cc/notice</div> <div>hxxps://revenue.refundql[.]cc/notice</div> <div>hxxps://revenue.refundmj[.]cc/notice</div> <div>hxxps://revenue.refundrm[.]cc/notice</div> <div>hxxps://revenue.refundet[.]cc/notice</div> <div>hxxps://revenue.refundjc[.]cc/notice</div> <div>hxxps://revenue.refundyt[.]cc/notice</div> <div>hxxps://revenue.refundxu[.]cc/notice</div> <div>hxxps://revenue.refundxe[.]cc/notice</div> <div>hxxps://revenue.refundvs[.]cc/notice</div> <div>hxxps://revenue.refunduw[.]cc/notice</div> <div>hxxps://revenue.refundte[.]cc/notice</div> <div>hxxps://revenue.refundsz[.]cc/notice</div> <div>hxxps://revenue.refundrm[.]cc/notice</div> </div><div></div><div>Another group of domains, first seen on September 26th and including 28 domains (some of which were registered today), was also registered at Dominet (HK) Limited, also hides behind Cloudflare, and uses the pattern: </div><div></div><div> <div>hxxps://revenue.paybds[.]cc/notice</div> <div>hxxps://revenue.paydjr[.]cc/notice</div> <div>hxxps://revenue.paydqo[.]cc/notice</div> <div>hxxps://revenue.payeoc[.]cc/notice</div> <div>hxxps://revenue.payfgm[.]cc/notice</div> <div>hxxps://revenue.payfkv[.]cc/notice</div> <div>hxxps://revenue.paygaa[.]cc/notice</div> <div>hxxps://revenue.payhqe[.]cc/notice</div> <div>hxxps://revenue.payidx[.]cc/notice</div> <div>hxxps://revenue.payjjt[.]cc/notice</div> <div>hxxps://revenue.payjok[.]cc/notice</div> <div>hxxps://revenue.paykah[.]cc/notice</div> <div>hxxps://revenue.paykdr[.]cc/notice</div> <div>hxxps://revenue.paylsn[.]cc/notice</div> <div>hxxps://revenue.paymnk[.]cc/notice</div> <div>hxxps://revenue.paymtj[.]cc/notice</div> <div>hxxps://revenue.paynds[.]cc/notice</div> <div>hxxps://revenue.payono[.]cc/notice</div> <div>hxxps://revenue.payque[.]cc/notice</div> <div>hxxps://revenue.payquh[.]cc/notice</div> 
<div>hxxps://revenue.payryc[.]cc/notice</div> <div>hxxps://revenue.paysbv[.]cc/notice</div> <div>hxxps://revenue.paytia[.]cc/notice</div> <div>hxxps://revenue.payvem[.]cc/notice</div> <div>hxxps://revenue.payvik[.]cc/notice</div> <div>hxxps://revenue.paywar[.]cc/notice</div> <div>hxxps://revenue.payyks[.]cc/notice</div> <div>hxxps://revenue.payzlr[.]cc/notice</div> <p>And yet another domain pattern, also registered at Dominet (HK) Limited and also hiding behind Cloudflare, uses this pattern: </p> <div>hxxps://revenue.paybds[.]cc/notice</div> <div>hxxps://revenue.paydjr[.]cc/notice</div> <div>hxxps://revenue.paydqo[.]cc/notice</div> <div>hxxps://revenue.payeoc[.]cc/notice</div> <div>hxxps://revenue.payfgm[.]cc/notice</div> <div>hxxps://revenue.payfkv[.]cc/notice</div> <div>hxxps://revenue.paygaa[.]cc/notice</div> <div>hxxps://revenue.payhqe[.]cc/notice</div> <div>hxxps://revenue.payidx[.]cc/notice</div> <div>hxxps://revenue.payjjt[.]cc/notice</div> <div>hxxps://revenue.payjok[.]cc/notice</div> <div>hxxps://revenue.paykah[.]cc/notice</div> <div>hxxps://revenue.paykdr[.]cc/notice</div> <div>hxxps://revenue.paylsn[.]cc/notice</div> <div>hxxps://revenue.paymnk[.]cc/notice</div> <div>hxxps://revenue.paymtj[.]cc/notice</div> <div>hxxps://revenue.paynds[.]cc/notice</div> <div>hxxps://revenue.payono[.]cc/notice</div> <div>hxxps://revenue.payque[.]cc/notice</div> <div>hxxps://revenue.payquh[.]cc/notice</div> <div>hxxps://revenue.payryc[.]cc/notice</div> <div>hxxps://revenue.paysbv[.]cc/notice</div> <div>hxxps://revenue.paytia[.]cc/notice</div> <div>hxxps://revenue.payvem[.]cc/notice</div> <div>hxxps://revenue.payvik[.]cc/notice</div> <div>hxxps://revenue.paywar[.]cc/notice</div> <div>hxxps://revenue.payyks[.]cc/notice</div> <div>hxxps://revenue.payzlr[.]cc/notice</div> </div><div></div><div></div><div>refundfg[.]cc was actually a State of Florida tax refund scam, which began about 11 days ago. 
That campaign differed from this one in that it was hosted openly at Tencent (AS132203, IP: 170.106.160.91) and shifted to using a different domain pattern: <br>revenue.refuAXCV[.]cc<br>revenue.refuREWJ[.]cc<br>revenue.refuDZSA[.]cc <p>Pivoting on that IP address, we can use Zetalytics’ <a href="https://zonecruncher.com/">ZoneCruncher</a> to look at the passive DNS and find many other domains. Our Tencent phisher who is doing the New York tax phish is clearly also doing Pennsylvania and Minnesota! The passive DNS also shows us other host and domain patterns for New York. </p></div><div></div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjXPwMBkPjKyPFcfmST-ZCzHgJE6JHENpBY9kSZqQIuXhShgEueHUmTe9YQlHBWyvLTuYsnSXekpxLpBNXkjPf3XV5LZjkzgIaPoDuuwphMLoU56_dwfBbSNju5eu9dnQPuSulqALhBUIuTfQOKUneGLJzdUc_dL1fFv4dKCf-4B0CQPx75kmLndYI34xOBwg" style="margin-left: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" data-original-height="918" data-original-width="510" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEjXPwMBkPjKyPFcfmST-ZCzHgJE6JHENpBY9kSZqQIuXhShgEueHUmTe9YQlHBWyvLTuYsnSXekpxLpBNXkjPf3XV5LZjkzgIaPoDuuwphMLoU56_dwfBbSNju5eu9dnQPuSulqALhBUIuTfQOKUneGLJzdUc_dL1fFv4dKCf-4B0CQPx75kmLndYI34xOBwg=w355-h640" width="355"></a></div> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://garwarner.blogspot.com/">CyberCrime & Doing Time</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Gary Warner">Gary Warner</a>. Read the original post at: <a href="https://garwarner.blogspot.com/2025/09/new-smish-new-york-department-of-revenue.html">https://garwarner.blogspot.com/2025/09/new-smish-new-york-department-of-revenue.html</a> </p>
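The hostname shapes listed in the registrar section above can be turned into a detection rule for proxy or DNS logs. This is an added example, not the post's or its author's code: the regular expression is derived from the three shapes the post shows (revenue.refund??.cc and revenue.refund???.cc, revenue.pay???.cc, and the Florida revenue.refu????.cc, the first of which is itself a special case of the last), the log lines in `SAMPLE_LOG` are constructed with two of the post's IoCs among benign look-alikes, and `campaign_hits` and `blocklist` are my names.

```python
import re
from urllib.parse import urlsplit

# Hostname shape shared by the domain groups in the post:
#   revenue.refund<2-3 letters>.cc, revenue.pay<3 letters>.cc, revenue.refu<4 letters>.cc
# "refund" + 2-3 letters is "refu" + 4-5 letters, so one alternative covers both refund groups.
CAMPAIGN_HOST = re.compile(r"^revenue\.(?:refu[a-z]{4,5}|pay[a-z]{3})\.cc$", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the post's defanging (hxxps://, [.]) so IoCs compare with real traffic."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", "."))


def host_of(item: str) -> str:
    """Lower-cased hostname of a URL or bare hostname, defanged or not."""
    s = refang(item.strip())
    if "://" not in s:
        s = "//" + s          # let urlsplit treat a bare host as a network location
    return urlsplit(s).hostname or ""


def matches_campaign(item: str) -> bool:
    """True if the item's hostname has the campaign shape (anchored, so
    revenue.paynds.cc.evil.example does not match)."""
    return CAMPAIGN_HOST.match(host_of(item)) is not None


def registrable_domain(host: str) -> str:
    """For the .cc domains in this campaign the registrable name is the last two labels."""
    return ".".join(host.split(".")[-2:])


# Constructed proxy-style log lines: timestamp, client, method, host, path.
# Two hosts are IoCs copied from the post; the others are look-alikes that must not match.
SAMPLE_LOG = """\
2025-09-27T14:02:11Z 10.1.2.3 GET revenue.refundjpt.cc /notice
2025-09-27T14:03:40Z 10.1.2.9 GET www.tax.ny.gov /pit/file/
2025-09-27T14:05:02Z 10.1.2.3 GET revenue.paykdr.cc /notice
2025-09-27T14:06:55Z 10.1.2.7 GET revenue.pa.gov /
2025-09-27T14:07:13Z 10.1.2.5 GET revenue.payment-portal.example /notice
2025-09-27T14:08:30Z 10.1.2.5 GET revenue.paynds.cc.evil.example /notice
"""


def campaign_hits(log_text: str) -> list:
    """(client, host, path) for every log line whose host matches the campaign shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, host, path = parts[:5]
        if matches_campaign(host):
            hits.append((client, host, path))
    return hits


def blocklist(log_text: str) -> list:
    """Sorted registrable domains to block, derived from the hits."""
    return sorted({registrable_domain(h) for _c, h, _p in campaign_hits(log_text)})


if __name__ == "__main__":
    for hit in campaign_hits(SAMPLE_LOG):
        print("hit:", hit)
    print("block:", blocklist(SAMPLE_LOG))
```

A shape match like this is a cheap first filter, not proof on its own; in practice it is paired with the pivots the post uses (registrar, Cloudflare fronting, the Tencent IP in passive DNS) before a domain goes on a blocklist, and the two refund duplicates in the post's own list show why the blocklist is built from a set rather than the raw hits.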