Cybersecurity experts have identified a new information-stealing malware called TimbreStealer, which is spread through phishing emails using pretexts such as invoices and digital tax receipts. At Unotv.com we explain how this malware targets Mexican taxpayers.
Alert for fake tax receipts to steal information
The TimbreStealer campaign uses phishing emails with themes related to Mexican taxes.
With this “bait,” they direct users to a compromised website where the malware is hosted and trick them into running the malicious application, according to cybersecurity firm
“It has been observed that the current spam mainly uses Mexico's digital tax receipt standard called CFDI (comprobante fiscal digital por internet). Emails with generic invoice themes used for the same campaign have also been detected.”
How does the TimbreStealer malware work?
Digital tax receipts are the lure for this phishing email campaign. Phishing is a technique that consists of sending emails (or SMS messages) that impersonate companies or public bodies and request personal and banking information from the user. “In this one, a spam email was used as a lure to redirect users to a malicious web page hosted on compromised sites,” according to cybersecurity workers.
The emails in the TimbreStealer campaign consistently use the same subject line:
The website detects user characteristics such as the type of browser used, and then initiates the download of a Zip file containing a .url file, which in turn will download the initial TimbreStealer malware.
User interaction is required to open the downloaded Zip file and double-click on the .url file for the malware to execute, at which point the main TimbreStealer infection will start.
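As an added example, not code from the article or from the security firm it cites, the following Python check shows how a mail gateway or analyst could inspect an attached Zip for the .url stage described above and extract the download target it points to; the member names and URL are constructed placeholders.

```python
import io
import zipfile
from configparser import ConfigParser
from typing import Dict, List, Optional


def build_sample_zip(include_url: bool = True) -> bytes:
    """Constructed sample: a Zip carrying a Windows .url (InternetShortcut)
    whose URL= field points at a hypothetical download location."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_url:
            zf.writestr("Factura_CFDI.url",
                        "[InternetShortcut]\r\nURL=http://example.invalid/stage1\r\n")
        zf.writestr("leeme.txt", "constructed benign file")
    return buf.getvalue()


def parse_url_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= target of a .url file, or None if it is not one."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except Exception:  # not INI-shaped at all, e.g. missing section header
        return None
    if cp.has_section("InternetShortcut"):
        return cp.get("InternetShortcut", "URL", fallback=None)
    return None


def inspect_zip(zip_bytes: bytes) -> List[Dict[str, Optional[str]]]:
    """Flag every .url member inside a Zip and record where it points."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            # .url files are tiny; cap the read so a bloated member cannot
            # exhaust memory when the archive is inspected automatically
            target = parse_url_shortcut(zf.open(info).read(64 * 1024))
            findings.append({"member": info.filename, "target": target,
                             "verdict": "suspicious" if target else "unparsed"})
    return findings
```

A shortcut-bearing Zip from an unknown sender is a strong signal for quarantine on its own; the extracted target is what you would hand to the team that blocks the download infrastructure.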
It is a cyber-attack targeting Mexico.
The phishing campaign uses geofencing techniques and has targeted only users in Mexico since at least November 2023, according to IT experts.
Any attempt to contact the payload sites from locations other than Mexico will return a blank PDF file instead of the malicious file, they say.
What information can be stolen from you?
The TimbreStealer malware can collect a wide variety of information from the victim's machine and send that data to an external website. This is the information that the attacking group can steal:
- Credentials stored on the victim's machine, such as those for browsers like Google Chrome or hosting services like OneDrive
- Files related to AdwCleaner, Avast Scanner and 360 Antivirus quarantine folders and macOS-related folders
- Operating system information through the use of the Windows Management Instrumentation (WMI) interface
- URLs accessed, such as:
  - www.google.com
  - amazon.com
  - dropbox.com
  - linkedin.com
  - twitter.com
  - wikipedia.org
  - facebook.com
  - login.live.com
  - apple.com
  - www.paypal.com
- Remote desktop software