Cyble – Phishing Campaign Targets Greek Banking Users

Cyble researchers uncovered a tax-refund phishing campaign targeting Greek banking users that uses a JavaScript keylogger to capture credentials entered on a fake government site. The attackers redirect victims to fake net banking login UIs for several banks, hosted from an IP address that serves multiple phishing domains. #Cyble #CRIL #TaxRefundPhishing #NationalBankofGreece #AlphaBank #WinBank

Key points

  • The campaign pretends to be Greece’s tax refund site and asks users to confirm their current account number to transfer funds.
  • A JavaScript keylogger is used to steal keystrokes when users enter their credentials on the phishing site.
  • Phishing pages imitate official branding and route users to a fake net banking login UI after bank selection.
  • Bank options include seven major banks, notably the National Bank of Greece, Alpha Bank, and WinBank.
  • The phishing pages are hosted publicly at multiple URLs, with keystrokes uploaded to the attacker’s C2.
  • The IP 195.178.120[.]25 serves as a base to host various malicious domains related to Greek tax-refund phishing.
  • The campaign appears to have begun with phishing emails targeting Greek taxpayers.

MITRE Techniques

  • [T1566] Phishing – The campaign uses phishing pages impersonating Greece’s tax refund site to harvest credentials. Quote: ‘The page tricks users into providing their net banking credentials through this process.’
  • [T1190] Exploit Public-Facing Application – Phishing pages are hosted publicly and redirect users to fake net banking login UIs. Quote: ‘When users visit the website hosted on the URLs: hxxp://mygov-refund[.]me/ret/tax’
  • [T1056.001] Input Capture: Keylogging – The JavaScript keylogger captures keystrokes and uploads them to the attacker’s C2. Quote: ‘The JavaScript code snippet has been used to capture keystrokes entered on the website’s text fields and upload these captured credentials back to the Threat Actor’s Command and Control (C&C).’

Indicators of Compromise

  • [URL] Phishing URLs – hxxp://mygov-refund[.]me/ret/tax, hxxps://govgr-tax[.]me/ret/tax, and 8 more URLs
  • [IP] Hosting infrastructure – 195.178.120[.]25
  • [Domain] Phishing domains – hodewood[.]com
  • [Email] Phishing user info – rodriguez@hodewood[.]com
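
One way to hunt for these indicators in web proxy logs, as an added example that is not part of the Cyble report. The five-field log layout, the function names and the sample lines are assumptions constructed for illustration; the indicators are the ones listed above, kept defanged in source and refanged only for matching.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed on this page, kept defanged in source.
IOC_DOMAINS = ["mygov-refund[.]me", "govgr-tax[.]me", "hodewood[.]com"]
IOC_IPS = ["195.178.120[.]25"]
KIT_PATH = "/ret/tax"  # path shared by the two phishing URLs quoted above


def refang(value):
    """Restore a defanged indicator (hxxp scheme, [.] dots) for matching."""
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value.replace("[.]", ".")


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}


def classify(line):
    """Reasons a 'timestamp client_ip dest_ip method url' line (assumed layout) matches."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: nothing to match on
    dest_ip, url = fields[2], fields[4]
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    # Exact domain or a true subdomain; a look-alike suffix must not match.
    if any(host == d or host.endswith("." + d) for d in DOMAINS):
        reasons.append("ioc-domain")
    if dest_ip in IPS or host in IPS:  # unlisted domains on the shared hosting IP
        reasons.append("ioc-ip")
    if parts.path.rstrip("/") == KIT_PATH:  # weak on its own, useful as corroboration
        reasons.append("kit-path")
    return reasons


def scan(lines):
    """Map each matching line to its reasons, skipping clean lines."""
    return {l: r for l in lines if (r := classify(l))}


# Constructed sample log lines (not real traffic), refanged at build time.
SAMPLE_LOG = [" ".join(refang(f) for f in row) for row in [
    ("2022-09-14T08:01:02Z", "10.0.0.5", "195.178.120[.]25", "GET", "hxxp://mygov-refund[.]me/ret/tax"),
    ("2022-09-14T08:03:10Z", "10.0.0.7", "195.178.120[.]25", "POST", "hxxps://unlisted-refund[.]example/ret/tax/"),
    ("2022-09-14T08:04:44Z", "10.0.0.8", "203.0.113.9", "GET", "hxxps://notgovgr-tax[.]me/login"),
]]
```

The second sample line shows why the hosting IP matters: a domain absent from the list is still flagged because it is served from 195.178.120[.]25, while the look-alike host in the third line is correctly left alone.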

Read more: https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users/