In recent weeks, thousands of people have been targeted by never-before-seen malicious emails. letters imitating reports from the State Tax Inspectorate (VMI). They differ from regular phishing attacks by more convincing content and more private personal data. Experts warn not to click on the links in the letter and not to allow e-mails. to display letter images to the mailbox, and to take preventive security measures if this is done accidentally.
"Data luring or "phishing" attacks are not a new phenomenon - probably all of us have received a letter about a supposedly won prize or the need to change a cracked password more than once. So it is quite natural that as our resistance increases, fraudsters are looking for new ways to deceive us. The new generation of attacks is much more personalized, using not only the name and surname, but also the personal code. Although if we fall into this trap, we may not suffer immediate damage, the worst thing is that it can become a gateway to much more dangerous attacks", says Darius Povilaitis, cyber security expert of Telia's Center for Digital Progress.
Pretending to be VMI
According to D. Povilaitis, in the new type of "phishing" letters, cyber fraudsters disguise themselves as VMI, which usually sends relevant information to every Lithuanian resident, and inform about an opportunity to recover part of the paid taxes. However, since imitation of this institution is a fairly common tactic among the organizers of this type of attack, an attempt is made to additionally strengthen the impression of the letter's authenticity with personal data not published in the public space.
"After seeing his surname and the correct personal identification number in the letter, a person may not even suspect fraud. After all, such information cannot be found either in Google search or in social networks. Unfortunately, the truth is that fraudsters get such private information by hacking into various websites or by purchasing the data of "hacked" accounts on the "darknet". It seems that the private information of unsuspecting Lithuanians ended up in the hands of the authors of the new attack precisely in the latter way - after gaining access to the leaked user database", says the expert.
Such data resources free the hands of fraudsters to create many attack scenarios. After initially simulating VMI, after a while they may come up with a pretense police and asking for fines or impersonating prosecutors by demanding to review information about a fictitious case.
The goal is to collect even more data about you
In an innocent-looking email, the scammers include a link to the VMI logo image, which most email inboxes display by default. In itself, such an action is not illegal, since various companies also display their graphic symbols in the signatures of employees' e-mails in this way, and merchants display various advertisements in this way. But that's enough for scammers.
"Since the VMI image is not attached to a bookmark, but placed on an external server, the user's inbox sent to the address of the link "distorted" transmits various useful information to the scammers. In this way, the organizers of the attack find out the victim's country of residence, his communication provider, that the letter was opened in general and that a specific person is more vulnerable to this type of fraud schemes. In addition to the name, surname and personal code of a potential victim, adding this data to the "case" allows for even more sophisticated attacks with even more potential to lull vigilance," the representative of Telia's Center for Digital Progress details the scheme.
There are cases when they try to profit from the victim in a more usual way. Along with the above image, the letter often includes links or QR codes that lead to pages simulating VMI systems. The user is prompted to open them and identify themselves with their electronic banking logins, which immediately fall into the hands of criminals.
How not to get stuck?
According to the expert, the first step after receiving such a suspicious letter should be to check the sender's e-mail address. If VMI is presented, and the sender's e-mail email extension is @cousleyandcompany, @mosapah.sbs or anything other than @vmi.lt, a very bright red light should go off in our minds that very second. It should stop us from opening any e-mail attachments and web addresses instantly.
The content of the letter itself can betray the fraud of fraudsters. Phishing attacks are often carried out by citizens of foreign countries, so the text may have incorrect inflections, sentences may sound unnatural and appear as if they were translated from another language. It is also important to note that public authorities never send letters with our personal identification number or exact amounts of tax overpayments/debts. In order to check the relevant information, it is best to do this by connecting through the official websites of the institutions, and not by using the links attached to the letters.
"In order to prevent attacks, in the settings of the e-mail box, you should disable the automatic display of images and activate the option asking for our permission - "Ask before displaying external images" every time. Enabling the two-step authentication function will provide additional security for the mailbox. At that time, in order to be able to trace the source of the leak of our data in the event of receiving a "phishing" email, we created an account on various websites with our e-mail address. the email address should be preceded by a "+" sign before the "@" sign and the name of that website, for example [email protected]", advises D. Povilaitis.
