In the last few days, a very sophisticated scam targeting Greek users has been circulating on the internet. The email claims to come from eGov-KYC, the "Introduce Yourself – Know Your Customer" service.
All the email states
According to the official website (https://www.gov.gr/upourgeia/upourgeio-psephiakes-diakuberneses/psephiakes-diakuberneses/kyc), the government service "Introduce yourself" (KYC, Know Your Customer) offers a digital alternative to presenting your documents to your bank, to confirm your details under the Anti-Money Laundering (AML) regulation.
The service retrieves on your behalf:
a) Identity information
b) Contact details
c) Income details
d) Details of professional activity
The data is drawn from the Government's primary information systems and is not stored in eGov KYC. Providing it always requires your express consent.
Access to the service is possible from your bank's Web Banking.
But the phishing link (https://gov.kyc-update.xyz/gr/) displays the following web page:
If you now go ahead and click on "Contact Service Provider", a new page opens (https://gov.kyc-update.xyz/gr/bank.php) which contains the names and links of many Greek (and not only Greek) banks.
Each click on one of these links opens a specially crafted page that poses as the site of the bank named. Let's look at the one for the National Bank.
If you look at the links, they all sit under a single subdomain (gov) of kyc-update.xyz.
A whois of kyc-update.xyz shows us that the attackers are hidden behind Cloudflare proxy nameservers.
Name Server: RAINA.NS.CLOUDFLARE.COM
Name Server: HARLEY.NS.CLOUDFLARE.COM
In any case, the scam is currently up and running and collecting data from users who don't check the links in their emails.
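The link check described above (the lure's links sit under the gov subdomain of kyc-update.xyz, not under gov.gr) can be automated for mail triage. The following is an added example, not part of the original post; the trusted-domain list, the brand tokens, the sample message and the www.gov.gr.kyc-update.xyz test host are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the real service is only reachable under gov.gr,
# as in the official URL quoted in the article.
TRUSTED_DOMAINS = {"gov.gr"}
# Assumption: brand words a lure may borrow as hostname labels.
BRAND_TOKENS = {"gov", "egov", "kyc"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def hostname(url):
    """Lower-cased host without userinfo, port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_trusted(host):
    """True only for a trusted domain itself or a subdomain of it.
    Matching is anchored at the right-hand end of the name, so a
    trusted name used as a left-hand label does not pass."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify(url):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    host = hostname(url)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    # Brand words appearing as labels of an untrusted host are the
    # pattern seen in this campaign (gov.kyc-update.xyz).
    if set(re.split(r"[.\-]", host)) & BRAND_TOKENS:
        return "lookalike"
    return "unknown"

def scan(text):
    """Map every http(s) URL found in a message body to its verdict."""
    return {url: classify(url) for url in URL_RE.findall(text)}

# Constructed sample body; the first three URLs are those quoted in the article.
SAMPLE_EMAIL = """Update your eGov-KYC details:
https://gov.kyc-update.xyz/gr/
https://gov.kyc-update.xyz/gr/bank.php
https://www.gov.gr/upourgeia/upourgeio-psephiakes-diakuberneses/psephiakes-diakuberneses/kyc
https://www.gov.gr.kyc-update.xyz/
"""

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {url}")
```

The suffix match stands in for a proper registrable-domain lookup against the Public Suffix List, which a production filter would use instead of a fixed allowlist.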