IRS Offers Up Stupid Redirect Links To Help Phishers Steal Money

from the our-tax-money-at-work dept

Too many sites that are trying to track what people click on when leaving a site offer up “open redirect links” which basically let’s a site append an outside URL to the end of one of its own URLs and have traffic flow right through to that second site. This may be useful in easily tracking what links people click on to leave a site, but they’re also perfect for phishing scammers, who use them to trick people into believing that they’re going to a legitimate site. And, what better site to scam people than the IRS’s site? Turns out that the IRS’s special site uses open redirects that phishers are already using to steal money. They convince people they’re going to the IRS site, when they’re simply passing right through to the scammer’s site. Our tax money at work. Update: Good point made in the comments. The site itself is not actually the IRS’s but another government agency’s. The scam, however, is about a tax refund.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “IRS Offers Up Stupid Redirect Links To Help Phishers Steal Money”

Subscribe: RSS Leave a comment
Anonymous Coward says:

It doesn't look like this is the IRS' fault

The site with the open redirect is, not the IRS site ( The article says the site is managed by the Department of Labor (of which the IRS is not part). I see nothing on the govbenefits site to contradict that. The “MEET THE MANAGEMENT TEAM” link introduces us to the “Assistant Secretary for Administration and Managemen1t at the Department of Labor”.
(I love the job titles. The head of an Administration (FAA, NASA, etc.) has the title of “Administrator”. Somewhere in the federal government there’s got to be an Administrative Assistant to the Assistant Administrator for Administration. . .)

discojohnson says:

No Subject Given

i know that sometimes we attack the wrong end of these things, but it’s my turn. i don’t think it’s the technology’s fault, but the random dumbass that clicks a link that says they have a tax refund they need to pick up. how dumb do you have to be? considering how mainstream the phishing idea is and how much plublicity it attains, do people really still click? i’d like to think that number is right next to zero.
the flip side to that is trying to blame the IRS. maybe we should be more concerned with webmaster and not the content owner; after all, the webmaster decided to not use keywords or make the page smart enough not to accept external requests for the page

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...