The National Cybersecurity Institute (INCIBE) has warned of a campaign of fraudulent emails that impersonate the Tax Agency to spread malware. This campaign has been reported in previous months, so users are advised not to lower their guard against this type of fraud.
An email impersonating the Tax Agency
This threat starts with a malicious email. The subject of the email is: «Legal and Financial Pendency (last warning) – [ id 184883525 ]». The body of the message asks the user to download a file in .PDF format that supposedly contains a tax receipt. The cybercriminals also use social engineering to pressure the user into downloading it: they set a deadline for presenting the receipt and make the user believe that, if it is not presented in time, they may face a tax inspection by that authority.
This file pretends to be a PDF, but it is actually a link that will redirect users to a malicious web page where the malware will be downloaded. The malicious file name is “PROOF_000000_XXX.zip”.
Each time the file is downloaded it has a random name that follows the same pattern: “File_ + 5 or 6 random numbers + _ + 3 random letters”.
One of the most common viruses
This type of malware is known as a Trojan Downloader or Dropper, which in turn leads to another type of malware categorized as a banking Trojan, which has a single objective: to steal confidential banking information.
Once the virus is introduced and gains control of the attacked device, the hacker can perform actions that are malicious or harmful to the victim, such as stealing personal data or infecting other types of software.
Hackers achieve this through the technique known as “email spoofing”, with which they try to make the victim believe that the sender of the email is the Tax Agency. The message that impersonates the state entity is the following:
A careful look at the body of the message reveals multiple grammatical and spelling errors along with other inconsistencies, mistakes that a legitimate entity would never make.
Once you have clicked on the attached link, the browser opens to download the malicious file, in this specific case “PROOF_541616_YRD.zip”.
The downloaded file contains the malware, which can be detected by some browsers as a malicious file, notifying the user.
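The two traits described above, a link labelled as a PDF that points elsewhere and a ZIP name following the campaign's pattern, can be checked at a mail gateway or in triage. The following is an added example, not code from INCIBE: the function names, the sample message body and the example.test URLs are constructed, and the name prefix is assumed to be any alphabetic word.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pattern from the advisory: prefix + "_" + 5 or 6 digits + "_" + 3 letters + ".zip".
# Assumption: the prefix is any alphabetic word (the page shows "PROOF" and "File").
CAMPAIGN_ZIP = re.compile(r"^[A-Za-z]+_\d{5,6}_[A-Za-z]{3}\.zip$")

def matches_campaign_name(filename):
    return bool(CAMPAIGN_ZIP.match(filename))

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def fake_pdf_links(html_body):
    """Return links whose label claims a PDF but whose URL path is not a .pdf."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    flagged = []
    for href, text in parser.links:
        path = urlparse(href).path.lower()
        if text.lower().endswith(".pdf") and not path.endswith(".pdf"):
            flagged.append((text, href))
    return flagged

# Constructed sample body (not the real lure); example.test is a reserved domain.
SAMPLE_BODY = """<p>Download your tax receipt:
<a href="http://example.test/get?id=0000">Receipt.pdf</a></p>
<p><a href="https://example.test/docs/guide.pdf">guide.pdf</a></p>"""

if __name__ == "__main__":
    print(fake_pdf_links(SAMPLE_BODY))
    for name in ("PROOF_541616_YRD.zip", "invoice_2023.zip"):
        print(name, matches_campaign_name(name))
```

Because the name changes on every download, matching the pattern is more useful than blocking a single file name; treat a hit as a triage signal rather than a verdict, since unrelated files can follow the same shape.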
Avoid being attacked with these tips
To avoid falling for this type of deception, INCIBE recommends following these tips:
- Do not open emails from unknown users or that you have not requested: delete them directly.
- Do not reply in any case to these emails.
- Check the links before clicking, even if they are from known contacts.
- Be wary of shortened links.
- Be wary of attachments, even if they are from known contacts.
- Always keep your operating system and antivirus updated. In the case of antivirus, check that it is active.
- Make sure your employees’ user accounts use strong passwords and do not have administrator permissions.