Cybercriminals now mimicking income tax portal to install malware through smishing
Smishing, or phishing over SMS, is the newest method by which cybercriminals are targeting individuals, and their latest approach is to mimic India's income tax portal and promise unsuspecting victims a quick refund.
According to McAfee, these messages, first noticed in May 2021, are on the rise during the income tax season and are being sent directly to users, with some messages even including the official government logo to appear legitimate.
The SMS or WhatsApp messages talk about an urgent update to the owner’s tax refund, requesting sensitive information to release the tax refund.
On clicking the link in the SMS or message, the user is redirected to an e-commerce portal that looks exactly like the official e-commerce portal. It also features the user’s name and the exact tax-department logos.
There are many variants of these webpages, McAfee says, and they use different wording at each step. The malicious website then asks users to download a mobile application, which needs all requested permissions to function. The user is then forced to log in using their tax credentials, with the promise that the refund will be transferred safely into their accounts.
The malware then steals users’ information, including email addresses, phone numbers, address book contents and stored text messages, and also skims SMSes for financial details. McAfee says that criminals are now using personal data to customise messages and hyper-target recipients.
The application has been identified as a threat and codenamed Android/Elibomi. Similar smishing attempts appear to be common globally; one such method, in Japan, takes the route of updating the Google Play Store to install the malware.
Another similar scam targets the popular mobile gaming platform PUBG. Here, in a slightly more sophisticated attack methodology, hackers installed their own malicious code in a gaming cheat code, utilising an open-source development platform called GitHub. Once the user tries to enter the cheat code, the data on their phone is compromised.