Web security company M86 Security Labs, which is now part of TrustWave SpiderLabs, is inadvertently helping fraudsters to carry out phishing attacks against HM Revenue & Customs.

The text within this HMRC phishing email is actually represented by a PNG image, which is loaded directly from the M86 Security Labs website.

The spoof emails involved in the ongoing attack look practically the same as many previous HMRC phishing emails — and that’s because the content within the email body is being served directly from the M86 Security Labs website. The emails simply display a PNG screenshot of an email that was featured in a 2010 blog post by M86 Security Labs, which warned potential victims about an HMRC phishing attack.

Ironically, the screenshot featured in that blog post is now being used as a key component of the current attacks against taxpayers.

The HTML source of the email body, which displays the 24kb image from the M86 blog post.

The image as it was intended to be shown on the M86 Security Labs blog.

Clicking anywhere on the image in the phishing email takes the victim to an HMRC phishing site hosted in Turkey. This initially prompts the victim to enter their email address, full name and date of birth, before a subsequent page asks for even more information, including the victim’s postal address and card details.

Fake HMRC tax refunds remain a popular ruse. Netcraft blocked 1,150 HMRC phishing sites last month alone, and notably discovered one hosted under the trusted gov.uk domain in 2009.