
Scammers Target Dutch Taxpayers in Seasonal Phishing Surge  

Introduction


Phishing campaigns targeting Dutch taxpayers are becoming increasingly sophisticated, with attackers leveraging both traditional techniques and modern third-party services to steal sensitive information.


In this research, we analyse multiple phishing pages impersonating the Belastingdienst to identify common patterns, infrastructure choices, and emerging attacker techniques. Our findings reveal not only familiar form-based data collection methods, but also a shift toward interactive, service-based phishing models. Notably, the majority of phishing activity we observed was targeting cryptocurrency, reflecting attackers' growing focus on high-value digital assets.


Understanding these approaches is critical for improving detection and raising awareness of evolving threats.


Methodology


The research was conducted using Modat Magnify Passive DNS to identify phishing websites targeting Dutch tax-related themes.


The approach included:

· Discovery of domains impersonating the Belastingdienst
· Analysis of phishing page content and structure
· Inspection of user interaction flows
· Identification of backend communication and exfiltration mechanisms


This approach allows researchers to safely study attacker infrastructure without accessing victims’ devices or data.


Overview of Discovered Phishing Patterns


Across the identified samples, a consistent pattern emerges:


1. Hundreds of phishing pages are hosted on newly registered or compromised domains.
2. Interfaces convincingly mimic Belastingdienst branding to deceive users.
3. Simple forms are used to collect sensitive user input.
4. Submitted data is immediately sent to external services controlled by attackers.

 

Notably, several samples rely on Telegram as a primary data collection mechanism, without needing dedicated backend systems.


These patterns indicate a relatively low barrier to entry for attackers, who rely on readily available infrastructure and simple techniques to scale their campaigns. At the same time, the consistent use of external services for data exfiltration highlights a focus on evasion and operational simplicity.


Phishing Interface Impersonation


Example 1:

This example represents a classic phishing implementation, where a spoofed Belastingdienst interface is used to collect sensitive user information through a structured web form.


Figure 1 – Fake Belastingdienst “Mijn Berichtenbox” Interface (Source: Modat Magnify)

The page closely mimics official branding and layout, aiming to establish trust and legitimacy. Users are prompted to enter personal and financial details under the pretence of resolving a tax-related issue.


Figure 2: Fake Belastingdienst Message Interface - Call to action - (Source: Modat Magnify)

From a technical perspective, this approach relies on simple and widely available web technologies, requiring minimal infrastructure. Despite its simplicity, it remains effective due to its convincing visual design and straightforward interaction model.


This example highlights the continued effectiveness of traditional phishing techniques, particularly when combined with strong visual impersonation.


Example 2:

On the other hand, we see other campaigns using MijnOverheid to target users. This is a platform of the Dutch authorities through which citizens usually receive Belastingdienst communications.


In this example, the phishing page again imitates the Belastingdienst interface but differs in how collected data is handled. Instead of sending information to a dedicated backend server, the page leverages Telegram as a data exfiltration channel.


Figure 3: MijnOverheid Page (Source: Modat Magnify)

These forms redirect to other pages where users can enter their information.






Figure 4: Form for Tax Information (Source: Modat Magnify)

We see that when the user submits the form, the script intercepts the action, gathers the input data, and sends it asynchronously to a server endpoint using fetch.


Interestingly, the fallback endpoint is lightly obfuscated as pst1.php. The code also updates the UI by showing a loading state and, once the request completes (or even if it fails).


Figure 5: Javascript Code of the Phishing Panel

The JSON response below indicates how the request was handled and whether the data was transmitted externally, notably via email and Telegram.


Figure 6: Data Submission Confirmation

Example 3:


This example illustrates a phishing page and its corresponding data exfiltration workflow using Telegram. In this example, the attackers have implemented a simple but highly effective infrastructure where user input from the phishing form is sent directly to a Telegram bot, bypassing the need for traditional backend servers.


The phishing interface in Figure 7 replicates the Belastingdienst environment, presenting a convincing form for users to submit sensitive data. The page is implemented as static HTML with minimal JavaScript. This design choice allows attackers to quickly deploy multiple instances across different domains while maintaining the same look and feel. Users are guided by clear instructions and a call-to-action to submit their details, with few dynamic validation checks, maximising authenticity, simplicity and scalability.


Figure 7: Phishing Panel – Example (Source: Modat Magnify)

Instead of transmitting user input to a dedicated backend server, the phishing page leverages Telegram as a data exfiltration channel. Submitted information is sent directly to a Telegram bot or channel controlled by the attacker, enabling real-time access to stolen data.


Figure 8: Exfiltration via Telegram

The use of Telegram eliminates the need for attackers to maintain their own infrastructure while benefiting from the platform’s trusted reputation and ease of deployment.

Additionally, it allows attackers to manage multiple campaigns efficiently from a single interface.

Figure 9: Example of Data sent to the Telegram bot

This approach highlights a broader trend in phishing operations, where attackers increasingly rely on legitimate third-party services to simplify deployment and evade detection.


Example 4:

Unlike the other samples, this phishing page does not rely on traditional form-based data collection. Instead, it integrates a third-party live chat service (Tawk.to) to interact with victims in real time.


Users are instructed to initiate a conversation by sending a message such as “betalen” via the chat interface. This shifts the attack from a static phishing page to an interactive social engineering flow, where attackers can request sensitive information dynamically.

By leveraging a legitimate service like Tawk.to, the attackers avoid maintaining their own backend infrastructure and benefit from trusted domain reputation. This also makes detection more difficult, as network traffic appears to be directed toward a legitimate platform rather than a known malicious endpoint.


This example highlights a shift toward lightweight, service-based phishing techniques that prioritize flexibility and evasion over visual accuracy.


Figure 10: Unordinary Example (Source: Modat Magnify)

Conclusion

The analysed phishing campaigns demonstrate a clear evolution in attacker techniques. While traditional form-based data collection and Telegram exfiltration remain prevalent, newer approaches leverage legitimate third-party services such as live chat platforms to increase flexibility and evade detection. Notably, the majority of phishing activity we observed was targeting cryptocurrency.


This shift suggests that attackers are prioritising scalability and operational simplicity over perfect visual imitation. As a result, defenders must look beyond surface-level indicators and focus on behavioral patterns and infrastructure usage.
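
A static triage pass over captured page source, keyed on the exfiltration behaviours described in Examples 2 to 4 (a `fetch` to a PHP endpoint such as pst1.php, the Telegram Bot API, an embedded Tawk.to widget) rather than on visual similarity. This is an added example, not Modat's tooling; the official-host suffixes, brand terms, sample URLs and page fragments are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions: hosts the brand is legitimately served from, and brand keywords.
OFFICIAL_SUFFIXES = ("belastingdienst.nl", "overheid.nl")
BRAND_TERMS = ("belastingdienst", "mijnoverheid", "berichtenbox")
# One pattern per exfiltration behaviour described in Examples 2-4.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot[^/\s\"']+/send\w+", re.I),
    "tawk_chat_widget": re.compile(r"embed\.tawk\.to/", re.I),
    "fetch_to_php": re.compile(r"fetch\(\s*[\"'`][^\"'`]*\.php", re.I),
}
# Constructed samples: (URL, page-source fragment). Hosts and values are made up.
SAMPLES = [
    ("https://belasting-terugbetaling.example/login",
     "<title>Mijn Berichtenbox - Belastingdienst</title>"
     "<script>var u='https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage'</script>"),
    ("https://mijnoverheid-bericht.example/",
     "<h1>MijnOverheid</h1><script>fetch('pst1.php', {method: 'POST'})</script>"),
    ("https://betaal-portaal.example/",
     "<h1>Belastingdienst</h1>"
     "<script src='https://embed.tawk.to/PROPERTY_PLACEHOLDER/default'></script>"),
    ("https://www.belastingdienst.nl/", "<title>Belastingdienst</title>"),
]

def is_official(host):
    """Exact or dot-boundary suffix match, so look-alike hosts do not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def triage(url, source):
    """Classify one captured page by brand use, host and exfiltration indicators."""
    host = urlparse(url).hostname or ""
    brand = sorted(t for t in BRAND_TERMS if t in source.lower())
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(source))
    impersonation = bool(brand) and not is_official(host)
    if impersonation and hits:
        verdict = "likely-phishing"
    elif impersonation:
        verdict = "review"
    else:
        verdict = "no-finding"
    return {"host": host, "brand_terms": brand, "indicators": hits, "verdict": verdict}

if __name__ == "__main__":
    for url, src in SAMPLES:
        print(triage(url, src))
```

The indicators only raise the verdict when brand terms appear on an unofficial host, because Telegram and Tawk.to references are common on legitimate sites; the result is meant to prioritise analyst review, not to block on its own.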




About Modat 

Founded in 2024, Modat is a European research-driven cybersecurity company focused on strengthening cyber resilience for individuals, companies, and governments. Our flagship platform, Modat Magnify, fingerprints and catalogues every internet connected device, to turn large amounts of raw data into actionable security insights.


Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Our products enable the security community by giving access to unparalleled speed, contextualised data, and predictive insights. We are actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast.


>> Learn more by visiting modat.io and to access the platform visit magnify.modat.io 



