A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state’s official tax refund platform and steal credentials as victims type them.
The campaign, which was discovered by researchers at Cyble, aims to trick victims into entering their banking credentials on the sites, allegedly to confirm their identity and authorize a tax refund.
The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax return amounting to 634 Euros but failed to send the funds to the beneficiary’s bank account due to validation issues.
According to Cyble, when users visit the sites hosted at hxxp://mygov-refund[.]me/ret/tax and hxxps://govgr-tax[.]me/ret/tax, the pages ask them to confirm their current account number so that the tax refund money can be transferred.
In the fake portal, visitors are asked to select their banking institution, with the phishing actors offering seven options, including several major Greek banks.
Real-time keylogging, as seen in this phishing campaign targeting Greeks, is rare and could be the start of a new trend in the field.
Using a keylogger instead of sending email-password pairs submitted on phishing forms to the C2 increases the success rate, even if it comes at an elevated risk of snatching passwords that have been mistyped.
Users should be wary of such phishing emails and take the necessary precautions.
Recommendations provided by Cyble:
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Indicators Of Compromise (IOCs)
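The two defanged URLs quoted in the article can be checked against web proxy logs to find clients that reached the phishing sites. The following is an added example, not part of the original article or Cyble's report; the log format, timestamps, client addresses and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged IoC URLs exactly as quoted in the article.
IOC_URLS = [
    "hxxp://mygov-refund[.]me/ret/tax",
    "hxxps://govgr-tax[.]me/ret/tax",
]

def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] or (.) -> ."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return re.sub(r"[\[(]\.[\])]", ".", s)

def host_of(url: str) -> str:
    """Lower-cased host without port or trailing dot; '' if unparsable."""
    if "://" not in url:
        url = "//" + url  # bare host[:port], as CONNECT requests are logged
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

IOC_HOSTS = {host_of(refang(u)) for u in IOC_URLS}

def is_ioc_host(host: str) -> bool:
    """Exact match or subdomain of an IoC host, matched on label boundaries."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def find_hits(log_lines):
    """Return (timestamp, client_ip, url) for each request to an IoC host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        # Assumed field order: time client method url ...; skip short lines.
        if len(parts) >= 4 and is_ioc_host(host_of(parts[3])):
            hits.append((parts[0], parts[1], parts[3]))
    return hits

# Constructed sample log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "2024-01-01T09:14:02Z 10.0.4.17 GET http://mygov-refund.me/ret/tax 200",
    "2024-01-01T09:14:09Z 10.0.4.17 POST https://GOVGR-TAX.me:443/ret/tax 200",
    "2024-01-01T09:15:30Z 10.0.7.3 CONNECT www.govgr-tax.me:443 200",
    "2024-01-01T09:16:11Z 10.0.2.8 GET https://www.gov.gr/ 200",
    "2024-01-01T09:17:45Z 10.0.2.9 GET https://notmygov-refund.me/ 200",
]

if __name__ == "__main__":
    print(*find_hits(SAMPLE_LOG), sep="\n")
```

Matching on the parsed host rather than a substring of the log line avoids false hits on unrelated domains that merely contain an IoC name, such as the last constructed entry.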