Symantec has identified a phishing campaign targeting South Korean users. This campaign seeks to deceive recipients by impersonating reputable accounting firms, claiming to send tax receipts or invoices. The emails contain attachments named “NTS_eTaxInvoice.html,” which resemble the official tax documents from South Korea’s National Tax Service. By mimicking legitimate correspondence, the attackers aim to convince recipients to open the attachment, which could lead to further malicious actions, such as credential theft or malware installation.
The phishing emails use various subject lines to increase the chances of user engagement. Examples of these include “전자세금계산서(Y&S)->회계법인)” and “【전자 영수증】받은 새 전자 영수증[영수증 번호: ],” which are intended to look like typical notifications that a user would expect to receive from their tax service. These tactics are aimed at exploiting trust in official-sounding documents, with the goal of tricking the recipient into interacting with the email.
Symantec’s security measures, including Email Threat Isolation (ETI), provide additional layers of defense against such attacks. ETI is designed to detect and isolate potentially harmful content, preventing users from falling victim to the phishing scam. Additionally, Symantec’s machine learning-based and file-based detection methods, such as Phish.Html!gen7 and Phish.ScptML.B, have proven effective in identifying and neutralizing the malicious elements of the campaign.
Despite these protective measures, the threat persists as attackers continue to refine their tactics. Symantec’s ongoing monitoring of this campaign highlights the constant evolution of phishing strategies, particularly as they increasingly target specific regions and industries. Users must remain vigilant and cautious when receiving unsolicited emails, especially those that include unexpected attachments or unfamiliar senders.
Reference: