criminal with Greek flag holding computer with a silent speech bubble.

Keylogger hidden in Greek phishing websites harvests passwords as you type

A new phishing attack is now in progress, targeting Greek citizens using phishing websites that duplicate the state’s official tax return site, it grabs login information as the user types it. Through this technique, the website misleads visitors into providing their internet banking credentials.

The idea of the strategy is to trick people into providing their financial information on the websites, to verify their account and provide permission for a tax refund. The victim’s credentials are transferred to the Threat Actor (TA) when a user clicks the submit button on a phishing page.

The TA deployed a JavaScript keylogger to record inputs that users made as they entered their login information on the phishing website. Attackers hardly use such complex techniques, which makes this approach unique.

However, even if a person doesn’t click the submit button to finish the login process, everything they write is sent right to the threat actors when they use one of malicious websites.

Greek citizens are the target

Threat actors are using phishing emails to trick victims into thinking they owe 634 Euros in taxes, according to the Hellenic Tax Office. But because of validation problems, they were unable to transfer the money to the beneficiary’s bank account.

The fake Greek Government website with its official logo is seen in the image below.

Tax Refund Phishing Web Page
Phishing Website for Refunds (Cyble)

The malicious sites are hosted in the following domains (please note: we have removed “Http” to ensure no accidental clicks. These domains are listed for reference and you SHOULD NOT attempt to visit them): “hxxp:/” and “hxxps:/”. When they transfer tax return money, the pages prompt visitors to verify their current account number.

The customer can select one of seven well-known banks, including the National Bank of Greece, Alpha Bank, and WinBank.

Bank Option to choose
Bank Choose Option (Cyble)

The website takes users to a page with a fake online banking login UI that looks like the real URLs being replicated when they choose the bank.

Alpha Bank Login Page
page for Alpha Bank (Cyble)

All keystrokes are recorded and sent to the attacker’s server through a JavaScrip keylogger on these pages. That gives the hackers access to the credentials that were stolen.

Keystrokes entered into text fields on the website have been captured using the JavaScript code snippet below, and the threat actor’s command and control has been delivered with these stolen credentials.

Keystroke trapping code

Because of this active phishing method, attackers will have already received the credentials even if the victim discovers the scam before checking in to their bank account.

Network Communication
Network connectivity for keyloggers (Cyble)

Research published recently found that many of the top-ranking websites in the globe use third-party trackers that may record what users enter even before they click “submit.” This technique of active keypress tracking was disclosed.

Advertising companies are those hiding behind the most common trackers. In other words, their goal was to enable targeted advertising activities rather than steal account credentials. Real-time keylogging is uncommon and can suggest the start of a new cycle in the field, as in the case of the phishing attack that targeted Greeks.

The success rate is increased when a keylogger is used in place of email-password combinations sent to the C2 via phishing websites. Even this increases the chance of mistyped passwords being stolen.

There is no way to prevent the JavaScript keylogger in advance since it will load and function as designed even if the victim has set their browser to block all third-party trackers.

Recommendations and Preventative Measures

Users are warned to take precautions if they receive spam emails that make big claims or promise money, goods, or other benefits. Use a search engine to find the official tax site for your nation if you ever receive notifications about tax returns, and then log in to verify the status of your account and any unread messages you need to verify.

Always verify the authenticity of links before clicking on them, whether they are embedded in email messages or are part of attached DOCX or PDF files. On your computer, smartphone, and other linked devices, enable automatic software updates when possible.

Maintain a regular eye on your personal finance and get in touch with your bank right away if you see any suspicious activity. On all your linked devices, including PCs, laptops, and smartphones, install a competent anti-virus and computer security software system.

Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts