{"id":6007,"date":"2021-02-09T12:52:06","date_gmt":"2021-02-09T20:52:06","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6007"},"modified":"2024-04-26T13:20:55","modified_gmt":"2024-04-26T20:20:55","slug":"tax-themed-phishing-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/tax-themed-phishing-campaign\/","title":{"rendered":"Tax-Themed Phishing Campaign"},"content":{"rendered":"

Author: Nick Sundvall<\/strong>
\nTLP: WHITE<\/strong>
\n <\/p>\n

Overview<\/h3>\n

On 1 February, we observed a malspam campaign distributing a Hypertext Markup Language (HTML) file designed to steal email credentials from the recipient. The campaign\u2019s email subject references tax documents. In the United States, it is not unusual to see campaigns using tax-related lures at this time of the year.<\/p>\n

Customer Impact<\/h3>\n

This is not a very sophisticated campaign; the threat actor only appears to be seeking to steal the victim\u2019s email address and password. If the victim does not have multi-factor authentication enabled for their email account, the threat actor can use the stolen credentials to log in, allowing them to gain access to the victim\u2019s emails and potentially take over the account.<\/p>\n

Campaign Analysis<\/h3>\n

The threat actor used tax-themed email subjects to lure the recipient into opening the attached HTML file and input their credentials. However, the threat actor appears to have made a mistake with the names of the attached files, the subjects, and the spoofed sender address. They mostly refer to the Australian Tax Office (ATO) and Australian tax documents. The Australian tax season begins in July and ends in October.1<\/sup><\/p>\n

The names of the attached files included ATO Tax Invoice.html<\/em> and eDocument Refund.html<\/em>. Subjects of the emails included ATO 2020 Tax Payment plan<\/em> and ATO TAX REFUND<\/em>, while the email bodies were left blank. The sender address used @ato.gov.au<\/em>.<\/p>\n

Attack Chain<\/h3>\n

Upon opening the attached file, the victim will see a document that, depending on the recipient\u2019s default settings, will be opened either with a web browser or with an application such as Adobe Acrobat. However, it is not on an actual website, but rather an HTML file. The background of the page is a blurred invoice with a prompt in the foreground for the recipient to input their email address and password to view the file. The prompt spoofs Adobe Acrobat, with Adobe ID written above the sign-in box and \u2018Adobe Acrobat\u2019 as the prompt title for all programs that open the HTML file. <\/p>\n

When the victim types in a valid email address and password and clicks \u2018VIEW FILE,\u2019 the file then sends an HTTP Post request containing the credentials to the threat actor\u2019s command and control (C&C) server.<\/p>\n

Some browsers may provide the victim with a warning before typing in their credentials. During analysis, Firefox presented a box stating \u201cThe connection is not secure. Logins entered here could be compromised.\u201d<\/p>\n

After pressing \u2018VIEW FILE\u2019, the victim is redirected to a Google Doc webpage that states \u201cSorry, unable to open the file at present.\u201d However, by this point the victim\u2019s credentials have already been sent to the threat actor.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Malspam email campaigns are a common distribution method for phishing scams. Infoblox therefore recommends the following precautions to avoid phishing attacks:<\/p>\n