PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in September 2022:

29/09/2022 => Chick-fil-A Gift Card
27/09/2022 => Teams
27/09/2022 => BRT Spedizione in attesa (Pending shipment)
26/09/2022 => Intesa Sanpaolo
25/09/2022 => BRT
20/09/2022 => Aruba - Dominio scaduto (Expired domain)
14/09/2022 => SexTortion
13/09/2022 => Smishing DM
13/09/2022 => Account di posta (Email Account)
05/09/2022 => Aruba - Dominio scaduto
05/09/2022 => Aruba iCloud

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences .

• A little bit of attention and glance, can save a lot of hassle and headache..

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

September 29, 2022 ==> Phishing Chick-fil-A Gift Card

SUBJECT: <You're Invited: To Redeem Your $100 Chick-Fil-A reward>

This new phishing attempt pretends to be a communication from Chick-fil-A, an American fast food chain.

The message, in English, informs the recipient that he has been selected, for a chance to win a Gift Card worth $100.
It then invites the user to participate, via the following link:

CLICK HERE!

At first we notice that the text of the email is very generic and thin. In addition, the alert email comes from an email address <ExclusiveReward(at)chickfilasurvey(dot)us>, that is not from the official Chick-fil-A's domain.

Anyone who unluckily clicks on the link CLICK HERE!, will be redirected to an anomalous WEB page, which has nothing to do with the official Chick-fil-A's site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

September 27, 2022 ==> Phishing Teams

«SUBJECT: <**** conferenza> (conference)

This new phishing attempt is a fake e-mail from Teams, the teleconferencing platform.

September 27, 2022 ==> Phishing BRT: Spedizione in attesa (Pending shipment)

«SUBJECT:< Abbiamo bisogno della tua conferma per spedire il tuo ordine *****> (We need your confirmation to ship your order *****)

Here we find another phishing attempt, hiding behind a false communication  from the BRT service, concerning the delivery of an alleged package.

The message notifies the unsuspecting recipient that his package could not be delivered, because there was no one to sign for the delivery. An alleged delivery code <34632900-371> is also reported. We notice that the email is graphically well laid out to make the message - apparently from BRT - seem more trustworthy. These messages are increasingly being used to scam consumers who, more and more, use e-commerce for their purchases.
The message then invites the user to confirm the delivery address, to reschedule the shipment, by clicking on the following link:

CONTROLLA QUI (CHECK HERE).
The alert email comes from an email address <admin.=?*/{B?jGeIZbuIAelPu?(at)doorp(dot)org(dot)uk>, that is clearly not from the BRT's domain. Anyone who unluckily clicks on the link, you will be redirected to a web page, which graphically mimics the BRT page and warning of 1 message to open.
We see, however, in the side image, that the url address on the broswer bar <https[:]//reelingmoon[.]com/01ffe6cdd.>, has nothing at all to do with BRT's authentic domain:..

The following screen gives us information on the status of the package "Stopped at the distribution hub" and prompts us to choose the mode to arrange the new delivery, at a cost of €1.95.

The following screen asks us how we prefer the package to be delivered: "I want them to deliver it to me" "I’ll pick it up myself".

This is followed by 2 more questions like the previous one, asking where we prefer the package to be delivered: "At home" or "At work" and when we prefer it to be delivered: "Weekdays" or "Weekends."

After selecting our preferences, we finally arrive at a new screen that confirms the sending of the package, with estimated delivery in 3 days....Then you should be redirected to a further page to enter your contact details and pay the shipping cost of €1.95.  

From the side image, we notice that our personal information is actually requested to send the package and then for the payment. As you can see, the login page is hosted on an abnormal address/domain, that clearly has nothing to do with BRT.

https[:]//greatstuffforyout[.]com/c/1422t41g?s1=102da120dd55...

The purpose of this elaborate fake email, is to induce the user to enter his personal information.

To conclude, we always urge you to be wary of any email asking for confidential data, and avoid clicking on suspicious links which could lead to a counterfeit site, difficult to distinguish from the original, thus putting your most valuable data in the hands of cyber crooks for their use and profit

September 26, 2022 ==> Phishing Intesa Sanpaolo

«SUBJECT: <Re:Annullate immediatamente questa transazione!> (Re:Cancel this transaction immediately!)

This new phishing attempt comes as a fake e-mail from Intesa Sanpaolo.


which, we would like to point out, redirects to a page that has nothing to do with the Intesa Sanpaolo's website, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

September 25, 2022 ==> Phishing BRT

«SUBJECT: <BRT - Avviso spedizione in consegna 986241136> (BRT - Delivery Shipment Notice 986241136)

We report this month several phishing scam, coming as emails from BRT.

The message informs the customer that his package has not been delivered, due to "additional unpaid customs clearance fees" . It then notifies the victim that the package will be delivered as soon as the charges are paid, which amount to: 1.99 Euro.
To proceed with payment, you are asked to click on the following link:
 
Invia il mio pacco (Send my package)

Examining the email, we observe that the message, extremely generic, comes from an email address outside the BRT's domain <support(at)geors(dot)ir> . In addition, unlike what happens in official BRT's messages, it has no reference about the tracking of the package managed by the shipping company. There are, however, at the bottom, some data allegedly referring to BRT.

The purpose is to get the user to click on the link Invia il mio pacco (Send my package). Thus he will then be directed to a malicious WEB page, which has nothing to do with the BRT's site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

September 20, 2022==> Phishing Aruba - Dominio scaduto (Expired domain)

«SUBJECT:< Il dominio è scaduto ed è stato sospeso a causa di fatture non pagate ! > (The domain has expired and has been suspended due to unpaid invoices !)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will expire on 21/09/2022.  If the domain is not renewed by that date, it will be deactivated togheter with all associated services, including mailboxes. It then invites the user to renew the domain through the following link:

RINNOVA IL DOMINIO    (Renew the domain)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <postmaster(at)consorziovallealesa(dot)it>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA CON UN CLIC  (RENEW WITH A CLICK), will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

September 14, 2022 ==> SexTortion: "You have outstanding debt."

We find again this month the SexTortion-themed SCAM campaign. The e-mail seems to suggest that the scammer gained access to the victim's device, which he used to collect data and personal videos. He then blackmailed the user, by demanding the payment of a sum of money in the form of Bitcoin, not to divulge among his email and social contacts, a private video of him watching adult sites.

The following is an extract from the text, in English, of the email on the side:


" Around several months ago I have obtained access to your devices that you were using to browse internet. Subsequently, I have proceeded with tracking down internet activities of yours. Below is the sequence of past events: in the past, I have bought access from hackers to numerous email accounts (today that is a very straightforward task that can be done online). Clearly I have effortlessly logged in to email account of yours (^xxxxx). A week after that I have managed to install Trojan virus to Operating Systems of  all your devices that are used for email access. Actually  that was quite simple (because you were clicking the links in inbox emails)...The software of mine allows me to access to all controllers in your devices, such as videocamera, microphone and keyboard. I have managed to download all your personal data, as well as web browsing history and photos to my servers. I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history...While collecting your information, I have found out that you are a great fan of websites for adults....I have recorded several kinky scenes of yours and montaged some videos... If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos
with your friends, relatives and even collegues". 

You are then asked to send $1450 USD in Bitcoin to the wallet listed below: "1C2XXXXXXXXXXXXXXXXXXXXXX8EhA'. After receiving the transaction all data will be deleted, otherwise a video depicting the user, will be sent to all colleagues, friends and relatives, the victim has 48 hours to make the payment!

Examining the payments made on the wallet indicated by the cyber criminal as of 9/19/2022, we see that there are  3 transactions totaling $4012.81.

In such cases we always urge you:

1. not to answer these kinds of e-mails and not to open attachments or click lines containing unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
2. If the criminal reports an actual password used by the user - the technique is to exploit passwords from public Leaks (compromised data theft) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service

September 13, 2022==> Smishing DM

We examine below a new smishing attempt hidden behind a fake text message from dm, the German chain store of cosmetics, health care items, and household products.

The message, in Croatian language, which we reproduce on the side, informs the victim of a promotion, namely gifts reserved for customers of the dm store chain. It then invites him to click on the proposed link:

http://amendmenthop[.]cn/dmdm[-]qfla/tb[.]php?ix=dz1663049105022

At first we notice that the alert, marked by the concise and essential layout, contains only a link and an image of dm's logo, that might mislead.

As we can see from the side image, the web page to which we are directed by the link in dm's text message, is graphically well laid out, since the dm logo has been included. We observe, however, that the web page is hosted on an anomalous domain:

ytzhtazhong[.]cn

DM consumers are asked to participate in a short survey in order to win a prize of 1000 Euros.

"Through the questionnaire, you will have a chance to win 1000 Euro."

The subsequent questions are very general.

Question 2

Question 3

Question 4

At the end of the questionnaire you will then be directed to another web page, where you are asked to choose a gift pack....After 3 attempts we finally manage to complete the questionnaire and get closer to the 1000 Euro prize!

The side image shows THE RULES to obtain the award, among which we are required to:

1. Inform 5 groups or 20 friends about the promotion
2. Enter e-mail address and complete registration
3. The gifts will be delivered within 5-7 days

In order to get your prize, you first need to share the message with 5 groups or 20 friends on the apps shown in the image, namely Whatsapp and Messenger. In this way the cybercriminal wants to spread the scam to other acquaintances and get as many data as possible.

To conclude, we always urge you to be wary of any email asking for confidential data, and avoid clicking on suspicious links which could lead to a counterfeit site, difficult to distinguish from the original, putting your most valuable data in the hands of cyber crooks for their use and profit.

September 13, 2022 ==> Phishing Account di posta (Email Account)

«SUBJECT: < Password Reset Confirmation >

We examine below the phishing attempt aimed at stealing the mailbox of the victim.

The message, in English, informs the recipient that his mail account password is expiring. In order to keep the password and have no interruption in the services related to his mail account, it is necessary to confirm the password, through the following link:

Click To update

When we examine the email, we notice that the message comes from an email address not traceable to any email provider <pass-sec(at)tech-center(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.


Anyone who unluckily clicks on the link Click To update  will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

September 05, 2022 ==> Phishing Aruba - Dominio scaduto  (Expired domain)

«SUBJECT: < Avviso Di Rinnovo > (Renewal Notice)

Here is another phishing attempt that is a fake communication from Aruba..

The message informs the recipient that his domain, hosted on Aruba, will expire on 11/10/2022. If the domain is not renewed by that date, it will be deactivated togheter with all associated services, including mailboxes. It then invites the user to renew the domain through the following link

RINNOVA IL DOMINIO  (Renew the domain)


Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <staff-aruba-rinnovo(at)info(dot)it>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA IL DOMINIO (Renew the domain)  will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes

September 05, 2022==> Phishing Aruba

«SUBJECT: <Re: Hai ricevuto un documento condiviso per ordine commerciale tramite Aruba.it > (Re: You received a shared document for commercial order through Aruba.it)

  Here we find again this month the following phishing attempt that comes as a false communication from Aruba.

The message informs the receiver that a new document shared via Aruba iCloud is available from a certain: <<finevra(at)gstradesrl(dot)it>> It then invites the user to view the PDF file through the following link:

Visualizza PDF in linea (View PDF online)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <gerd(dot)nielsen(at)mytng(dot)de>, is not from Aruba's official domain..

Anyone who unluckily clicks on the link Visualizza PDF in linea (View PDF online) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

A little bit of attention and glance, can save a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

04/08/2022 16:39 - Phishing: the most common credential theft attempts in August 2022..
06/07/2022 12:39 - Phishing: the most common credential theft attempts in July 2022...
06/06/2022 14:30 - Phishing: the most common credential theft attempts in June 2022..
02/05/2022 11:06 - Phishing: the most common credential theft attempts in May 2022...
06/04/2022 16:51 - Phishing: the most common credential theft attempts in April 2022....
08/03/2022 17:08 - Phishing: the most common credential theft attempts in March 2022
03/02/2022 16:25 - Phishing: the most common credential theft attempts in February 2022.....
04/01/2022 09:13 - Phishing: the most common credential theft attempts in January 2022...
03/12/2021 15:57 - Phishing: the most common credential theft attempts in December 2021
04/11/2021 09:33 - Phishing: the most common credential theft attempts in November 2021.....
07/10/2021 14:38 - Phishing: the most common credential theft attempts in October 2021...
10/09/2021 15:58 - Phishing: the most common credential theft attempts in September 2021..

Try Vir.IT eXplorer Lite

f you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:

• freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
• interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend to use it as a supplement to the AntiVirus already in use as it does not conflict or slow down the system but allows to significantly increase security in terms of identification and remediation of infected files
• it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
• through the  Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
• proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android^TM Devices

VirIT Mobile Security, the Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer)
 

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) where you can download the Lite version, which can be freely used in both private and business settings

You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp

 

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.

How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:

1. Any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: : How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)