The National Cybersecurity Institute (Incibe) has detected a fraudulent email campaign with the aim of distributing a malicious computer program, known as ‘GuLoader/Agent Tesla’, to obtain personal information. The emails impersonate the National Currency and Stamp Factory (FNMT) and the Tax Agency (AEAT).
The emails detected contain messages with writing errors, such as poorly formulated expressions or a strange order when displaying information. In addition, they offer a .zip file that contains a hidden stealer, so it is advisable not to download, Incibe reported this Thursday in a statement.
The issues identified to date are: “AEAT – Notification Notice” and “Expiration of your FNMT Certificate”. In the emails, it is observed that no specific user data is provided and they lack corporate logos of both entities, frequent in their email communications. Also notable is the way in which the information is organized, confusing and poorly written in some of its parts.
In the message that impersonates the AEAT, the user is asked to read the attached file within a certain period of time if they want to avoid negative actions on their account or information. In this way, the victim opens the device with which it was executed for infection.
The email that impersonates the FNMT asks the user to access a download supposedly to renew the certificate, but which will result in the device being infected. “If you have received an email with the characteristics mentioned above, but you have not downloaded any attachments, nor have you responded giving any type of personal information, mark it as spam and delete it from your inbox,” Incibe has recommended.
