Industrial-Scale Fake CoreTax Apps Drive Major Fraud in Indonesia: Technical Breakdown

A large-scale fraud campaign impersonating Indonesia’s official CoreTax tax platform has been uncovered, leading to an estimated $1.5 million to $2 million in financial losses across the country. Attackers employed a coordinated social engineering and malware operation leveraging fake mobile applications, phishing infrastructure and device compromise techniques to siphon funds from unsuspecting taxpayers.

1. Background: CoreTax and the Attack Surface

CoreTax is Indonesia’s government-sponsored online tax platform used by millions of taxpayers for filing returns, managing withholdings and accessing government tax services. Threat actors identified this high-value, high-trust service as an opportunity to craft phony mobile applications that mimic legitimate tax-related interactions, and thereby collect credentials and execute fraudulent activities.

This incident underscores a broader risk in digital government services: legitimate public-facing platforms with large user bases are prime targets for impersonation and fraud, especially in markets where mobile banking is widespread and app-based interactions are common.


2. Attack Vector: Fake Apps, Phishing and Social Engineering

The campaign used a multi-stage fraudulent ecosystem:

A. Malicious Mobile Application Ecosystem

  • Threat actors created cloned versions of the CoreTax platform as Android APKs (installation packages).
  • These APKs were distributed through phishing links that impersonated trusted sources or tax communications.
  • Once installed, the malicious apps could capture sensitive credentials and session data.

Although the full technical analysis of the APKs isn’t public, similar campaigns historically embed remote access trojans (RATs) or overlay phishing UI screens within fake apps to intercept user input.

B. Phishing and URL Infrastructure

  • Researchers found hundreds of phishing URLs designed to resemble CoreTax login pages.
  • These URLs were likely promoted through spam messages, SMS, email, and social media platforms.
  • Such infrastructure often operates through disposable domains tied to fast-flux hosting, making takedown difficult.

Reporters noted 996 phishing URLs associated with the campaign, indicating a centrally automated phishing-as-a-service model was likely used.
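As an added illustration (not analysis from the article or from the researchers it cites), the heuristics below triage candidate URLs the way a takedown team might when sifting hundreds of reported links: anything that carries the brand name, a homoglyph variant of it, a punycode label or login wording but is not hosted on the official registrable domain is flagged. The official domain, the homoglyph map and the sample URLs are constructed placeholders, not the real CoreTax address.

```python
import re
from urllib.parse import urlparse

# Placeholder for the genuine registrable domain (assumption, not the real one).
OFFICIAL_DOMAIN = "coretax-official.example"
BRAND = "coretax"

# Digit-for-letter swaps that make a lookalike host read like the brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable_domain(host: str) -> str:
    """Last two labels of the host; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str) -> dict:
    """Return a verdict and the reasons a URL looks like a CoreTax lookalike."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) == OFFICIAL_DOMAIN:
        return {"url": url, "suspicious": False, "reasons": []}
    reasons = []
    # Normalize homoglyphs and hyphens before looking for the brand token.
    normalized = host.translate(HOMOGLYPHS).replace("-", "")
    if BRAND in normalized:
        reasons.append("brand keyword in non-official host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label")
    if BRAND in parsed.path.lower():
        reasons.append("brand keyword in path")
    # "masuk" is Indonesian for "log in"; these words are typical of harvest pages.
    if re.search(r"(login|verify|update|masuk)", (parsed.path + parsed.query).lower()):
        reasons.append("credential-harvest wording")
    return {"url": url, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample URLs for demonstration only.
CONSTRUCTED_URLS = [
    "https://coretax-official.example/login",
    "http://c0retax-login.example/masuk",
    "https://update-pajak.example/coretax/verify?id=1",
    "https://news.example/article/42",
]

if __name__ == "__main__":
    for u in CONSTRUCTED_URLS:
        print(classify_url(u))
```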

C. WhatsApp and Voice Phishing (Vishing)

Beyond digital delivery of fake apps and links, threat actors reportedly leveraged messaging apps, in particular WhatsApp, to impersonate tax officials or automated notifications.

Vishing (voice phishing) calls may have been used to validate stolen credentials, pressure users into installing the apps, or even confirm banking authorizations, amplifying success rates beyond purely digital phishing.


3. Malware and RAT Involvement

Open-source analyses of the campaign point to several malware families being part of the broader toolkit used by threat actors:

Malware Family   Typical Behavior
Gigabud.RAT      Remote access capabilities, credential theft
MMRat            Modular banking-focused RAT, often used in Android fraud

Table derived from aggregated threat intelligence summaries related to this campaign.

These malware modules allow attackers to:

  • Intercept SMS and push notifications (bypassing many MFA protections)
  • Harvest stored credentials
  • Record device activity
  • Execute remote commands

Attackers may also use these RATs to perform credential stuffing and session hijacking, enabling them to initiate unauthorized transactions once a tax platform or bank login is compromised.


4. Technical Indicators of Compromise (IOCs) & Tactics

Although the original Infosecurity article does not publicly list IOCs, the following MITRE ATT&CK techniques are relevant based on expert summaries and the tactics observed:

ATT&CK Technique                              Description
T1566 – Phishing                              Initial access through deceptive URLs or messages
T1204 – User Execution                        Users manually install untrusted apps
T1430 – Browser Extensions                    Potential UI manipulation on compromised apps
T1071 – Command and Control (Web Protocols)   RATs calling back to C2 servers
T1556 – Credential Theft                      Harvesting stored credentials

Adapted from cross-analysis of threat behaviors linked to this fraud campaign.

Given the large number of malicious URLs and app artifacts observed, defenders should assume a malware-as-a-service (MaaS) ecosystem was employed.


5. Fraud Lifecycle and Money Movement

Once credentials were captured and devices compromised:

  1. Attackers used stolen credentials to log into victims’ banking apps or payment services.
  2. Transaction approvals were often obtained by intercepting or spoofing MFA mechanisms (SMS/WhatsApp codes).
  3. Funds were transferred to mule accounts controlled by the fraud group.
  4. The estimated economic impact hit up to $2 million, indicating substantial operational scale.

This type of fraud operation typically involves money mules and layering techniques to obfuscate the money flow, making tracing and law enforcement intervention more challenging.


6. Defensive Measures and Mitigations

To combat similar threats against digital services, security operations should adopt a defense-in-depth approach:

A. User-Level Protections

  • Only install mobile apps from official app stores (Google Play / Apple App Store)
  • Enable hardware-based MFA when available
  • Educate users on detecting phishing URLs and impersonation

B. Platform Hardening

  • Implement phishing detection on official tax portals
  • Use certificate pinning and strict transport security
  • Provide in-platform alerts on suspicious logins

C. Detection & Response

  • Monitor for abnormal login patterns and rapid transaction sequences
  • Use behavioral analytics to flag unusual device and user behavior
  • Integrate threat intelligence feeds to block known phishing URLs and malicious IPs
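The "abnormal login patterns and rapid transaction sequences" bullet above, and the takeover-then-drain lifecycle in section 5, can be turned into a concrete rule. The example below is added here and is not code from the article or from any platform it describes: it replays constructed login and transfer events and alerts when a login from a device never seen on the account is followed by a burst of transfers within a short window. The log format, field names, thresholds and amounts are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Fields: timestamp,account,event,device,amount
SAMPLE_LOG = """\
2025-03-01T09:00:00,acct-1,login,device-A,0
2025-03-01T09:01:00,acct-1,transfer,device-A,250000
2025-03-01T21:10:00,acct-1,login,device-Z,0
2025-03-01T21:11:30,acct-1,transfer,device-Z,4900000
2025-03-01T21:12:10,acct-1,transfer,device-Z,4900000
2025-03-01T21:13:05,acct-1,transfer,device-Z,4800000
2025-03-01T10:00:00,acct-2,login,device-B,0
2025-03-01T10:30:00,acct-2,transfer,device-B,150000
"""

WINDOW = timedelta(minutes=10)   # burst window measured from the new-device login
BURST = 3                        # transfers inside the window that raise an alert

def parse_log(text):
    """Parse the CSV-style lines into (time, account, event, device, amount), time-ordered."""
    events = []
    for line in text.splitlines():
        ts, acct, ev, dev, amt = line.split(",")
        events.append((datetime.fromisoformat(ts), acct, ev, dev, int(amt)))
    return sorted(events)

def detect_bursts(text):
    """Return (account, device, total) for each new-device login followed by a transfer burst."""
    known_devices = defaultdict(set)   # devices already enrolled on each account
    last_new_login = {}                # account -> time of latest unseen-device login
    transfers_since = defaultdict(list)
    alerts = []
    for ts, acct, ev, dev, amt in parse_log(text):
        if ev == "login":
            # The first device ever seen is treated as enrollment, not as anomalous.
            if known_devices[acct] and dev not in known_devices[acct]:
                last_new_login[acct] = ts
                transfers_since[acct] = []
            known_devices[acct].add(dev)
        elif ev == "transfer" and acct in last_new_login:
            if ts - last_new_login[acct] <= WINDOW:
                transfers_since[acct].append(amt)
                if len(transfers_since[acct]) == BURST:
                    alerts.append((acct, dev, sum(transfers_since[acct])))
    return alerts

if __name__ == "__main__":
    for acct, dev, total in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {acct}: {BURST} transfers totalling {total} shortly after login from {dev}")
```

In a real deployment the alert would feed a step-up authentication or transaction hold rather than only a log line.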

Security teams should also collaborate with national CERTs and financial authorities to coordinate takedowns of phishing infrastructure and share critical IOCs.


Conclusion

The Fake CoreTax scam in Indonesia demonstrates how industrial-scale fraud operations can combine social engineering, fake mobile software, and RAT toolkits to extract large sums from unsuspecting victims. It highlights the evolving sophistication of fraud rings and the necessity of robust technical defenses, user awareness, and cross-sector cooperation to mitigate such threats.

By studying the techniques and infrastructure used in this fraud, security professionals can better prepare defenses against similar campaigns targeting digital services worldwide.