Skip links

Phishing page embeds keylogger to steal passwords as you type



A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state’s official tax refund platform and steal credentials as they type them.

The campaign aims to trick victims into entering their banking credentials on the sites, allegedly to confirm themselves and give authorization for a tax refund.

However, everything the user’s type on these sites, even if they never click on submit to complete the login process, is sent directly to the malicious actors.

The campaign was discovered by researchers at cyber-intelligence firm Cyble, who shared their findings exclusively with BleepingComputer.

Targeting Greek taxpayers

The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax return amounting to 634 Euros but failed to send the funds to the beneficiary’s bank account due to validation issues.

Notice about tax return on the fake portal (Cyble)

The emails contain links that point to multiple phishing URLs impersonating the Greek government tax portal, like “govgr-tax[.]me/ret/tax,”, “govgreece-tax[.]me”, and “mygov-refund[.]me/ret/tax”.

In the fake portal, the visitors are requested to select their bank institute, with the phishing actors offering seven options, including several major Greek banks.

Bank options given to the victim (Cyble)

Depending on the selection, the user is redirected to a fake login page themed after the selected financial institute, hosted on the same phishing domain.

Fake National Bank of Greece login page (Cyble)

A JavaScript keylogger on these pages captures all keystrokes and sends them to the actor’s server, allowing the attackers real-time access to the stolen credentials.

Javascript keylogger code (Cyble)

Thanks to this aggressive phishing system, even if the victim realizes the fraud before they finish logging in to their bank account, the attackers will have already stolen the credentials.

Keylogger network communication with C2 (Cyble)

The practice of aggressive keypress logging was documented recently in a study that revealed that many of the world’s top-ranking websites feature third-party trackers that can log what visitors type even before they press “submit.”

The companies hiding behind the most prolific of those trackers are advertising organizations, so their goal was to empower targeted advertising operations rather than to steal account credentials.

However, using real-time keylogging, as we see in this phishing campaign targeting Greeks, is rare and could be the start of a new trend in the field.

Using a keylogger instead of sending email-password pairs submitted on phishing forms to the C2 increases the success rate, even if it comes at an elevated risk of snatching passwords that have been mistyped.

Finally, the JavaScript keylogger will load and work as intended even if the victim has set their browser to block all third-party trackers, so there’s no way to stop it proactively.

Users are advised to remain vigilant when receiving unsolicited emails making bold claims or offering money, items, and other benefits.

In cases of receiving tax return notifications, use a search engine to locate the official tax portal of your country and then log in to check the status of your account and any unread notices you need to review.

As always, never click on links embedded in email messages or contained in attached files like DOCXs and PDFs without first confirming their authenticity.

Adblock test (Why?)