The cybersecurity company ESET has revealed the spread of two email campaigns aimed at Spanish companies: some messages pose as the Tax Agency, others as the FNMT (Fábrica Nacional de Moneda y Timbre, the national mint). Despite the different guises, both campaigns follow very similar patterns.
Both emails use subjects that attract strong attention (notification notices regarding the payment of taxes or the supposed expiration of a certificate) to encourage their opening and reading. Likewise, both have been sent at similar times, and the file modification dates of their malicious attachments differ very little.
Additionally, the cybercriminals have been able to spoof legitimate email addresses (a tactic we have already covered in the past), so that the emails received by victims appear to come from the corresponding official body. A user convinced of this authenticity will therefore be less inclined to distrust the email's requests.
Another relevant detail is that both emails (that of the Tax Agency and that of the FNMT) share the infrastructure used to send the stolen credentials, relying on servers belonging to Spanish companies that had previously been compromised.
A careful analysis of both emails reveals subtle errors in writing and use of language, which should serve as an indication of their misleading nature. Even so, a recipient who does not pay enough attention could take these messages for legitimate.
Agent Tesla strikes again
One of the tactics adopted by these cybercriminals is to attach compressed files in RAR format to the emails, with a malicious executable hidden inside. Despite being a somewhat archaic technique, it still manages to fool users, who may inadvertently download and run the file on their systems.
These malicious files contain the well-known Agent Tesla, which has been around for years and is one of the most frequently detected malware families in Spain. Once activated, it seeks to steal vital information from the computer, specifically login data stored in common applications such as web browsers, email clients and VPN clients.
The coordinated nature of these attacks suggests that these are not two isolated campaigns but rather a larger, more organized operation, probably managed by a single group of cybercriminals.
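As an added illustration of how a mail gateway or analyst script can flag the attachment pattern described above (a RAR archive, or a bare executable, delivered as an email attachment), the following Python example parses a message and classifies each attachment by its leading bytes rather than trusting the declared filename or MIME type. This is example code written for this page, not ESET's tooling; the sample message, its sender address and the placeholder archive bytes are constructed here, and the `example.invalid` domain and `Notificacion_AEAT.rar` filename are assumptions, not indicators from the campaign.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic numbers: RAR 4 and RAR 5 archives both begin with "Rar!\x1a\x07";
# Windows PE executables begin with the "MZ" DOS stub signature.
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"

# Extensions that Windows will execute directly if the user double-clicks.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def classify_attachment(filename, data):
    """Classify an attachment by content first, filename second."""
    name = (filename or "").lower()
    if data.startswith(RAR_MAGIC):
        return "rar-archive"
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
        return "executable-extension"
    return "other"


def triage_message(raw_bytes):
    """Return a summary of the message and whether it should be held for review."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = classify_attachment(part.get_filename(), data)
        findings.append(
            {"filename": part.get_filename(), "kind": kind, "size": len(data)}
        )
    # Any archive or executable attachment is enough to quarantine the message
    # for analyst review; a benign-looking archive is exactly what the lure relies on.
    quarantine = any(f["kind"] != "other" for f in findings)
    return {
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "attachments": findings,
        "quarantine": quarantine,
    }


def build_sample_message():
    """Constructed sample lure: a tax-notification subject with a RAR attachment."""
    msg = EmailMessage()
    msg["From"] = '"Agencia Tributaria" <notificaciones@example.invalid>'  # constructed
    msg["To"] = "empresa@example.invalid"  # constructed
    msg["Subject"] = "Aviso de notificacion: pago de impuestos"
    msg.set_content("Adjuntamos la notificacion pendiente.")
    # Placeholder archive: only the RAR signature followed by padding, no real content.
    fake_rar = RAR_MAGIC + b"\x00" * 32
    msg.add_attachment(
        fake_rar,
        maintype="application",
        subtype="x-rar-compressed",
        filename="Notificacion_AEAT.rar",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_message(build_sample_message())
    print(report)
```

The content-first check matters because the declared filename and `Content-Type` are attacker-controlled; a renamed archive or executable still carries its signature in the first bytes. In a real deployment the `rar-archive` branch would go on to open the archive and apply the same classification to each member, which is where the hidden executable described above would surface.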
Via | ESET
Image | Marcos Merino through AI