Phishing page embeds keylogger to steal passwords as you type



A phishing campaign is underway that targets Greek taxpayers with sites mimicking the state's official tax refund platform and steals credentials as victims type them.

The campaign, discovered by researchers at Cyble, aims to trick victims into entering their banking credentials on these sites, supposedly to verify their identity and authorize a tax refund.

Phishing Analysis

The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax refund of 634 Euros but failed to send the funds to the beneficiary's bank account due to validation issues.

When users visit the pages hosted at hxxp://mygov-refund[.]me/ret/tax and hxxps://govgr-tax[.]me/ret/tax, they are asked to confirm their current account number so that the refund can be transferred, according to Cyble.

In the fake portal, visitors are asked to select their bank, with the phishing actors offering seven options, including several major Greek banks.

A JavaScript keylogger embedded in these pages captures every keystroke and sends it to the actor's server, giving the attackers real-time access to the credentials before the victim has even submitted the form.

Real-time keylogging on a phishing page, as seen in this campaign targeting Greeks, is rare and could mark the start of a new trend in the field.

Keylogging, rather than sending only the username-password pairs submitted through the phishing form to the C2, increases the attackers' yield: they obtain credentials even when a victim abandons the page without submitting, at the cost of also collecting mistyped or corrected passwords that they must sift through.

Finally, the keylogger is part of the phishing page itself rather than a third-party script, so it loads and runs even if the victim's browser is set to block all third-party trackers. Once a victim is typing on the page, the only effective protection is to have blocked or avoided the page in the first place.

Users should be wary of such phishing emails and take the precautions below.

Recommendations provided by Cyble:

  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.  
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Indicators Of Compromise (IOCs)

hxxp://mygov-refund[.]me/ret/tax

hxxps://govgr-tax[.]me/ret/tax

hxxp://rodriguez@hodewood[.]com/

hxxp://govgr-tax[.]me/ret/tax

hxxp://govgreece-tax[.]me/ret/tax

hxxps://mygovrefund-tax[.]me/c1/refund

hxxp://govgreece-tax[.]me/

hxxps://govgreece-tax[.]me/ret/tax

hxxps://govgr-refund[.]me/ret/tax
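The IOCs above are defanged (hxxp for http, [.] for the dot), and one of them carries a userinfo part (rodriguez@), which a naive split on "/" and "@" handles badly. As an added example that is not part of the advisory, the following turns the list into a deduplicated host blocklist and matches candidate URLs against it, treating subdomains of a listed host as blocked. The helper names (refang, hostOf, buildBlocklist, isBlocked) are my own.

```javascript
// Added example, not from the article or from Cyble: normalise the defanged
// IOC list into a host blocklist and match URLs against it.

// The IOC list from the article, verbatim, still defanged.
const DEFANGED_IOCS = [
  "hxxp://mygov-refund[.]me/ret/tax",
  "hxxps://govgr-tax[.]me/ret/tax",
  "hxxp://rodriguez@hodewood[.]com/",
  "hxxp://govgr-tax[.]me/ret/tax",
  "hxxp://govgreece-tax[.]me/ret/tax",
  "hxxps://mygovrefund-tax[.]me/c1/refund",
  "hxxp://govgreece-tax[.]me/",
  "hxxps://govgreece-tax[.]me/ret/tax",
  "hxxps://govgr-refund[.]me/ret/tax",
];

// Undo the two defanging conventions the list uses: "hxxp(s)" -> "http(s)"
// (scheme prefix only) and "[.]" -> ".".
function refang(ioc) {
  return ioc.replace(/^hxxp/i, "http").replace(/\[\.\]/g, ".");
}

// Extract the host with the WHATWG URL parser. This matters for the third IOC:
// "rodriguez@" is userinfo, and URL.hostname correctly yields "hodewood.com".
function hostOf(ioc) {
  return new URL(refang(ioc)).hostname.toLowerCase();
}

// Collapse the URLs to unique hosts. Schemes and paths are dropped because the
// actors rotate them (http vs https, /ret/tax vs /c1/refund).
function buildBlocklist(iocs) {
  return [...new Set(iocs.map(hostOf))].sort();
}

// A URL is blocked if its host equals a listed host or is a subdomain of one:
// "www.govgr-tax.me" matches "govgr-tax.me", but "notgovgr-tax.me" does not.
function isBlocked(url, blocklist) {
  const host = new URL(url).hostname.toLowerCase();
  return blocklist.some((b) => host === b || host.endsWith("." + b));
}

const BLOCKLIST = buildBlocklist(DEFANGED_IOCS);
console.log(BLOCKLIST);
console.log(isBlocked("https://www.govgr-tax.me/ret/tax", BLOCKLIST)); // true
console.log(isBlocked("https://www.gov.gr/", BLOCKLIST));              // false
```

The nine URLs reduce to six hosts. Suffix matching with a leading dot is deliberate: a plain endsWith would let an attacker-chosen look-alike such as notgovgr-tax.me collide with the list, and conversely would never be the reason a legitimate gov.gr host is blocked.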

Published September 15th, 2022 | Internet Security, IOC's, malicious cyber actors, phishing, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security

