Security News > 2022 > September > Phishing page embeds keylogger to steal passwords as you type
A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state's official tax refund platform and steal credentials as they type them.
The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax return amounting to 634 Euros but failed to send the funds to the beneficiary's bank account due to validation issues.
The emails contain links that point to multiple phishing URLs impersonating the Greek government tax portal, like "Govgr-tax[.]me/ret/tax,", "Govgreece-tax[.]me", and "Mygov-refund[.]me/ret/tax".
In the fake portal, the visitors are requested to select their bank institute, with the phishing actors offering seven options, including several major Greek banks.
Depending on the selection, the user is redirected to a fake login page themed after the selected financial institute, hosted on the same phishing domain.
Using a keylogger instead of sending email-password pairs submitted on phishing forms to the C2 increases the success rate, even if it comes at an elevated risk of snatching passwords that have been mistyped.