SAT Vulnerability Exposed: Cybercriminals Take Advantage

A report reveals a vulnerability in Mexico's tax administration, SAT, allowing cybercriminals to use an authorized domain to distribute malware and steal information. Experts urge caution when opening emails from the service.


A journalistic investigation revealed that the Tax Administration Service (SAT) has a vulnerability that allows cybercriminals to use an email address authorized by the tax authority to distribute a computer virus and steal information from taxpayers. The newspaper El Financiero verified that the address obligaciones.fiscales@sat.gob.mx, which the SAT uses to send notifications, is being exploited by cybercriminals to distribute malware.

Three cybersecurity specialists consulted on the issue confirmed that the links sent to taxpayers through that verified email address contained malware designed to compromise the information on the devices of those who activate them. This security problem in the SAT servers has been active for at least four years, allowing cybercriminals to send emails from a spoofed SAT domain.

Verónica Becerra, co-founder of Offhack, explained that the failure to configure certain security protocols such as DMARC is what enables these types of attacks. Criminals have used the vulnerability to send institutional emails approved by the SAT, which increases the effectiveness of their strategy.
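Whether a domain has DMARC configured, and whether the policy is actually enforced, can be read from the TXT record published at `_dmarc.<domain>`. The following is an added example, not part of the original report: it classifies the posture a set of TXT answers gives a domain, using constructed sample records that do not reflect SAT's actual DNS, and it simplifies RFC 7489 by treating a missing `p` tag as monitor-only.

```python
# Added example: classify a domain's DMARC posture from the TXT strings
# published at _dmarc.<domain>. All records below are constructed samples.

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag/value dict for a DMARC record, or None if not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # RFC 7489: v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Map the TXT answers for _dmarc.<domain> to (verdict, reason)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return ("unprotected", "no DMARC record: receivers have no policy to enforce")
    if len(records) > 1:
        return ("unprotected", "multiple DMARC records: receivers ignore all of them")
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:  # simplification: missing p is treated like p=none
        return ("monitor-only", "p=%s: failing mail is still delivered" % (policy or "missing"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # unparseable pct falls back to the default
    if pct < 100:
        return ("partial", "policy applied to only %d%% of failing mail" % pct)
    sub = tags.get("sp", policy).lower()
    if sub not in ENFORCING:
        return ("partial", "sp=%s leaves subdomains unenforced" % sub)
    return ("enforced", "p=%s for the domain and its subdomains" % policy)

SAMPLES = {  # constructed TXT answers, not taken from any real domain
    "no record": ["v=spf1 -all"],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:reports@example.org"],
    "partial rollout": ["v=DMARC1; p=quarantine; pct=25"],
    "weak subdomains": ["v=DMARC1; p=reject; sp=none"],
    "enforced": ["v=DMARC1; p=reject; rua=mailto:reports@example.org"],
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(label, "->", assess(txt))
```

Only the last sample tells receiving mail servers to reject or quarantine every message that fails authentication while claiming the domain in its From address; the other four leave spoofed mail deliverable to some degree.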

Experts advise taxpayers to refrain from opening links in emails, as sending links is not a common practice of the SAT. They also recommend strengthening personal security measures, such as verifying the authenticity of messages and not following unknown links.

Although the tax institution has not commented on the matter, it is noted that the same email address used to distribute malware is also used to send legitimate notifications without links, asking taxpayers to verify any requirements on the official portal with their corresponding credentials.