Jump to content
  • Phishing page embeds keylogger to steal passwords as you type

    alf9872000

    • 389 views
    • 3 minutes
     Share


    • 389 views
    • 3 minutes

    A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state's official tax refund platform and steal credentials as they type them.

     

    The campaign aims to trick victims into entering their banking credentials on the sites, allegedly to confirm themselves and give authorization for a tax refund.

     

    However, everything the user's type on these sites, even if they never click on submit to complete the login process, is sent directly to the malicious actors.

     

    The campaign was discovered by researchers at cyber-intelligence firm Cyble, who shared their findings exclusively with BleepingComputer.

    Targeting Greek taxpayers

    The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax return amounting to 634 Euros but failed to send the funds to the beneficiary's bank account due to validation issues.

     

    portal-notice.png
    Notice about tax return on the fake portal (Cyble)
     

    The emails contain links that point to multiple phishing URLs impersonating the Greek government tax portal, like “govgr-tax[.]me/ret/tax,”, “govgreece-tax[.]me”, and “mygov-refund[.]me/ret/tax”.

     

    In the fake portal, the visitors are requested to select their bank institute, with the phishing actors offering seven options, including several major Greek banks.

     

    bank-option.png
    Bank options given to the victim (Cyble)
     

    Depending on the selection, the user is redirected to a fake login page themed after the selected financial institute, hosted on the same phishing domain.

     

    national-bank.png
    Fake National Bank of Greece login page (Cyble)
     

    A JavaScript keylogger on these pages captures all keystrokes and sends them to the actor's server, allowing the attackers real-time access to the stolen credentials.

     

    Javascript keylogger code
    Javascript keylogger code (Cyble)
     

    Thanks to this aggressive phishing system, even if the victim realizes the fraud before they finish logging in to their bank account, the attackers will have already stolen the credentials.

     

    network-communication(1).png
    Keylogger network communication with C2 (Cyble)
     

    The practice of aggressive keypress logging was documented recently in a study that revealed that many of the world's top-ranking websites feature third-party trackers that can log what visitors type even before they press "submit."

     

    The companies hiding behind the most prolific of those trackers are advertising organizations, so their goal was to empower targeted advertising operations rather than to steal account credentials.

     

    However, using real-time keylogging, as we see in this phishing campaign targeting Greeks, is rare and could be the start of a new trend in the field.

     

    Using a keylogger instead of sending email-password pairs submitted on phishing forms to the C2 increases the success rate, even if it comes at an elevated risk of snatching passwords that have been mistyped.

     

    Finally, the JavaScript keylogger will load and work as intended even if the victim has set their browser to block all third-party trackers, so there's no way to stop it proactively.

     

    Users are advised to remain vigilant when receiving unsolicited emails making bold claims or offering money, items, and other benefits.

     

    In cases of receiving tax return notifications, use a search engine to locate the official tax portal of your country and then log in to check the status of your account and any unread notices you need to review.

     

    As always, never click on links embedded in email messages or contained in attached files like DOCXs and PDFs without first confirming their authenticity.

     

    Source: Bleeping Computer

    https://www.bleepingcomputer.com/news/security/phishing-page-embeds-keylogger-to-steal-passwords-as-you-type/

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...