Information on scammers pretending to be the Bulgarian National Revenue Agency | Joachim De Zutter
September 15th, 2014 an e-mail was received with the following content:
 Dear citizen,
 
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive tax refund of 481.22 BGN.
Please submit the tax refund request and allow us 3-5 days in order to process it.
 
To access your tax refund, please download and fill the Tax Refund Form attached to this email
- open it in a browser (recommended mozilla firefox or google chrome)
 
A refund can be delayed for a variety of reasons. For example :
-invalid records
-applying after the deadline
 
IMPORTANT:
If you find this email in Bulk, Spam or Junk
please move it to your inbox as not to
jeopardize the future our communication with you.
It is essential to receive all emails from us to be in touch.
 
National Revenue Agency
Bul. 52 Dondukov,
Sofia,
Bulgaria
The e-mail headers contained the following (some parts were replaced by ...) :
Return-Path: <customerrelations@napbg.com>
...
Received: from vps251769.ukrdomen.com (unknown [93.190.46.216]) by pmx.abv.bg (Postfix) with ESMTP id 47EC428003A for ...; Tue, 16 Sep 2014 01:22:55 +0300 (EEST)
Received: from ucl.arvixevps.com (ucl.arvixevps.com [108.175.151.158]) (authenticated bits=0) by vps251769.ukrdomen.com (8.13.8/8.13.8) with ESMTP id s8FJZnnO002040 for ...; Mon, 15 Sep 2014 22:35:50 +0300
Message-ID: <93D5B47E89414E3189960227DCACC724@ucl>
Reply-To: "National Revenue Agency" <customerrelations@napbg.com>
From: "National Revenue Agency" <customerrelations@napbg.com>
...
Subject: NOTIFICATION from National Agency
Date: Mon, 15 Sep 2014 14:29:02 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_2093_01CFD0F1.65795560"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
On 19th of September 2014 napbg.com was a deleted but previously owned domain. Apparently the sender of the e-mail thought the citizen addressed in the e-mail was also a customer of the national revenue agency so this person decided to set the return path e-mail address to customerrelations@napbg.com.

To the e-mail a file with filename NAB_form.htm was attached.

The form in that file would pass the user supplied information to a script located at http://masterc.5gbfree.com/bg.php when opened in a browser and the user would press the button to submit the form.

When we opened http://masterc.5gbfree.com we saw this:



The error_log.txt file started with: