Analysts from the Cyble company recorded an interesting phishing campaign against users from Greece: attackers began to embed keyloggers into phishing pages.
The operators of this scam operate phishing sites that mimic the official website of the Hellenic Tax Authority. Sites contain a keylogger that steals credentials and other information as you type.
Let me remind you that we also wrote that Cybersecurity Researchers Discovered a New Phishing Kit targeting PayPal Users.
The attack on Greek users begins with the usual phishing emails, in which the attackers impersonate the Greek Tax Service and tell the user the good news: he is allegedly entitled to a tax refund of 634.13 euros after the recalculation. The emails say that it was not possible to automatically send funds to the recipient’s bank account due to some problems.
As a result, the user is asked to visit the website of the tax service and pass the check on their own. The emails contain links leading to several phishing spoofs of the official website of the Hellenic Tax Authority (govgr-tax[.]me/ret/tax, govgreece-tax[.]me and mygov-refund[. ]me/ret/tax).
On the fake site, visitors are asked to select a banking institution to send funds to. Victims are offered seven options to choose from, including several major Greek banks. Depending on which bank the user chooses, they will be redirected to another fake resource. As a result, the login page will be designed in the style of the selected financial institution.
Thus, attackers will have access to information in real-time. Even worse, even if the user changes his mind at the last moment and does not click the “Submit” button, it will no longer matter, because the information is compromised instantly, right as it is typed.