A new phishing attack is now in progress, targeting Greek citizens using phishing websites that duplicate the state’s official tax return site, it grabs login information as the user types it. Through this technique, the website misleads visitors into providing their internet banking credentials.
The idea of the strategy is to trick people into providing their financial information on the websites, to verify their account and provide permission for a tax refund. The victim’s credentials are transferred to the Threat Actor (TA) when a user clicks the submit button on a phishing page.
The TA deployed a JavaScript keylogger to record inputs that users made as they entered their login information on the phishing website. Attackers hardly use such complex techniques, which makes this approach unique.
However, even if a person doesn’t click the submit button to finish the login process, everything they write is sent right to the threat actors when they use one of malicious websites.
Greek citizens are the target
Threat actors are using phishing emails to trick victims into thinking they owe 634 Euros in taxes, according to the Hellenic Tax Office. But because of validation problems, they were unable to transfer the money to the beneficiary’s bank account.
The fake Greek Government website with its official logo is seen in the image below.
The malicious sites are hosted in the following domains (please note: we have removed “Http” to ensure no accidental clicks. These domains are listed for reference and you SHOULD NOT attempt to visit them): “hxxp:/mygov-refund.me/” and “hxxps:/govgr-tax.me/”. When they transfer tax return money, the pages prompt visitors to verify their current account number.
The customer can select one of seven well-known banks, including the National Bank of Greece, Alpha Bank, and WinBank.
The website takes users to a page with a fake online banking login UI that looks like the real URLs being replicated when they choose the bank.
All keystrokes are recorded and sent to the attacker’s server through a JavaScrip keylogger on these pages. That gives the hackers access to the credentials that were stolen.
Keystrokes entered into text fields on the website have been captured using the JavaScript code snippet below, and the threat actor’s command and control has been delivered with these stolen credentials.
Because of this active phishing method, attackers will have already received the credentials even if the victim discovers the scam before checking in to their bank account.
Research published recently found that many of the top-ranking websites in the globe use third-party trackers that may record what users enter even before they click “submit.” This technique of active keypress tracking was disclosed.
Advertising companies are those hiding behind the most common trackers. In other words, their goal was to enable targeted advertising activities rather than steal account credentials. Real-time keylogging is uncommon and can suggest the start of a new cycle in the field, as in the case of the phishing attack that targeted Greeks.
The success rate is increased when a keylogger is used in place of email-password combinations sent to the C2 via phishing websites. Even this increases the chance of mistyped passwords being stolen.
There is no way to prevent the JavaScript keylogger in advance since it will load and function as designed even if the victim has set their browser to block all third-party trackers.
Recommendations and Preventative Measures
Users are warned to take precautions if they receive spam emails that make big claims or promise money, goods, or other benefits. Use a search engine to find the official tax site for your nation if you ever receive notifications about tax returns, and then log in to verify the status of your account and any unread messages you need to verify.
Always verify the authenticity of links before clicking on them, whether they are embedded in email messages or are part of attached DOCX or PDF files. On your computer, smartphone, and other linked devices, enable automatic software updates when possible.
Maintain a regular eye on your personal finance and get in touch with your bank right away if you see any suspicious activity. On all your linked devices, including PCs, laptops, and smartphones, install a competent anti-virus and computer security software system.
Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.