
Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers

A highly coordinated cyber fraud campaign targeting Indonesia’s official Coretax tax system has resulted in estimated nationwide losses ranging between $1.5 million and $2 million.

Security firm Group-IB revealed that the scheme first surfaced in July 2025 and escalated sharply in January 2026, coinciding with the country’s peak tax filing season. Cybercriminals posed as the Coretax web portal to deceive users into installing malicious mobile applications.

Although Coretax is accessible only through its official website and has no mobile application, the attackers turned that gap to their advantage by offering a fake one. The fraud operation combined cloned phishing websites, WhatsApp accounts impersonating tax officials, and voice phishing (vishing) calls to build a convincing attack chain.

Victims were instructed to download fraudulent APK files, unknowingly granting attackers remote control of their smartphones. This access enabled unauthorized banking transactions and financial theft.

Investigators traced the campaign to the GoldFactory threat cluster, which utilized several malware variants, including Gigabud.RAT and MMRat. During the probe, Group-IB uncovered 228 previously unidentified malware samples.

The infrastructure supporting the operation was also found to be repurposed to mimic more than 16 reputable brands across sectors such as government services, aviation, pension funds, and energy.

According to the report, approximately 67 million Indonesian taxpayers were considered potential targets. However, among financial institutions secured by Group-IB, the fraud success rate was restricted to 0.027% of infected devices due to advanced predictive detection tools.

Researchers estimated a broader device compromise rate of 0.025% — roughly 2.5 out of every 1,000 banking users. When extrapolated to Indonesia’s population of 287 million individuals exposed to the impersonated brands, the cumulative financial losses and associated operational expenses were calculated between $1.5 million and $2 million.

The investigation further identified 996 phishing URLs generated through a centralized system, pointing to a malware-as-a-service (MaaS) framework with the capacity to scale internationally. Potential expansion targets include Thailand, Vietnam, the Philippines, and South Africa.

The fraud followed a structured, multi-phase approach:
  1. Distribution of phishing links via fake WhatsApp tax representatives
  2. Installation of malicious applications that locked devices and extracted sensitive data
  3. Vishing calls pressuring victims to settle alleged tax dues
  4. Screen recording to capture banking credentials and one-time passwords (OTPs)
  5. Remote account takeover (ATO) and fund transfers through mule accounts

Group-IB noted that a layered security strategy combining signature-based detection, behavioral analytics, and contextual threat intelligence significantly mitigated losses among its clients. By analyzing infrastructure patterns and anticipating brand impersonation trends, the company reported stopping most fraudulent transactions before funds could be withdrawn.

The case underscores the growing sophistication of coordinated malware campaigns and the risks they pose to public confidence in digital government services, particularly when critical platforms like national tax systems are targeted.

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”
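As an added illustration, not code from the Group-IB report or this blog, the following Python triage script flags the stages of the chain described above in proxy logs: Google AMP viewer links, Base64-encoded query parameters such as a pre-filled address, logo lookups against logo.clearbit.com, and posts to Telegram bot API endpoints. The log lines, host names and bot token are constructed placeholders.

```python
import base64, binascii
from urllib.parse import parse_qs, unquote, urlparse

SAMPLE_LOGS = [  # constructed proxy lines (ts user method url), not from the report
    "2024-07-12T09:14:03Z alice GET https://www.google.com/amp/s/docs-view.example/sign?u=YWxpY2VAdmljdGltLmV4YW1wbGU%3D",
    "2024-07-12T09:14:05Z alice GET https://logo.clearbit.com/victim.example",
    "2024-07-12T09:14:40Z alice POST https://api.telegram.org/bot123456:PLACEHOLDERTOKEN/sendMessage",
    "2024-07-12T09:15:01Z bob GET https://intranet.victim.example/home?u=bob",
]

def unwrap_amp(url):
    """Destination behind a Google AMP viewer link (google.com/amp/s/<host>/<path>), else None."""
    p = urlparse(url)
    if p.netloc in ("google.com", "www.google.com") and p.path.startswith("/amp/s/"):
        return "https://" + p.path[len("/amp/s/"):] + ("?" + p.query if p.query else "")
    return None

def decode_b64_params(url):
    """Query values that decode from Base64 to printable text, e.g. a pre-filled email."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            try:
                text = base64.b64decode(unquote(v), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable() and len(text) >= 8:
                found[key] = text
    return found

def classify(url):
    """Tag one URL with the stages of the described chain that it matches."""
    tags, p = set(), urlparse(url)
    if target := unwrap_amp(url):
        tags.add("amp_redirect")
    if decode_b64_params(target or url):
        tags.add("encoded_param")
    if p.netloc == "logo.clearbit.com" and p.path.strip("/"):
        tags.add("logo_api_lookup")  # logo pulled for the victim's email domain
    if p.netloc == "api.telegram.org" and p.path.startswith("/bot") and p.path.endswith("/sendMessage"):
        tags.add("telegram_bot_api")  # credential drop via bot API
    return tags

def suspicious_users(log_lines, min_stages=2):
    """Users whose traffic touches at least min_stages distinct chain stages."""
    per_user = {}
    for line in log_lines:
        _ts, user, _method, url = line.split(maxsplit=3)
        per_user.setdefault(user, set()).update(classify(url))
    return {u: sorted(t) for u, t in per_user.items() if len(t) >= min_stages}
```

Run against the sample lines, only alice is reported, with all four stages; a single stage alone (a legitimate AMP link, say) stays below the threshold.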

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.