PHISHING INDEX
Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in
November 2022:
30/11/2022 =>
Webmail
26/11/2022 =>
Aruba - Dominio scaduto (Expired domain)
24/11/2022 =>
Aruba - Rinnova il dominio (Renew the domain)
24/11/2022 =>
Netflix
23/11/2022 =>
Intesa Sanpaolo
16/11/2022 =>
Aruba - Rinnova il dominio (Renew the domain)
15/11/2022 =>
BPER - Smishing
13/11/2022 =>
Aruba - Rinnovo automatico (Automatic renewal)
09/11/2022 =>
Aruba - Rinnovo automatico (Automatic renewal)
09/11/2022 =>
Account di Posta elettronica (Email Account)
08/11/2022 =>
SCAM Polizia di Stato (Polizia di Stato)
03/11/2022 =>
Aruba
These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences .
November 30, 2022 ==> Phishing Webmail
«SUBJECT:
<
***** Server - Inbox Failed Messages >
We examine below the phishing attempt aimed to steal the mailbox of the victim.
The message, in English, informs the recipient that incoming messages have been blocked by the mailbox administrator. The 35 new messages found to be blocked, are reported below, showing the recipient's e-mail address, the subject of the message, and the date and time it was sent. It then invites the victim to unblock the pending messages, through the following link:
RESOLVE MESSAGES (35)
When we examine the email, we notice that the message comes from an email address not traceable to any email provider <
sales(at)schmidt-handelsvertretung(dot)sbs>. This is definitely anomalous and should, at the very least, make us suspicious
.
Anyone who unluckily clicks on the link
RESOLVE MESSAGES (35), will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected, is hosted on an abnormal address/domain, which we show below:
https[:]//bafybeicgrjttide44mwhy4ychhspu....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks .
November 26, 2022 ==> Phishing Aruba - Dominio scaduto (Expired domain)
«SUBJECT <
Il tuo nome a dominio è scaduto, rinnovalo prima di disattivare tutti i servizi ad esso associati>
(Your domain name has expired, renew it before all services associated with it are deactivated)
Here is another phishing attempt that looks like a fake communication from
Aruba.
In the example shown on the side, the message informs the recipient that his domain hosted on
Aruba, will expire on
26/11/2022. If the renewal is not done by that date, the domain and all associated services - including mailboxes - will be deactivated and subsequently deleted. It then urges the user to renew the domain to keep it exclusive and prevent it from being used by others. The renewal procedure is available through the following link, by entering LOGIN and PASSWORD.
RINNOVA CON UN CLIC (RENEW WITH A CLICK)
Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient!!!
Examining the text of the message, we notice right away that the sender's e-mail address <
support(at)crewconsulting(dot)it> is not from
Aruba's official domain.
Anyone who unluckily clicks on the link
RINNOVA CON UN CLIC (RENEW WITH A CLICK), will be redirected to an anomalous WEB page which has nothing to do with the official site of
Aruba, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
November 24, 2022 ==> Phishing Netflix
«SUBJECT: <
Please update your account information>
This new phishing attempt is a fake e-mail from
Netflix.
The message, in English, alerts the unsuspecting recipient, that problems have been encountered with his billing information. It then invites him to check his payment information and update it if necessary. To update his data, he can proceed through the following link:
Update
The alert message comes from an email address <cent32(at)bargolpaoa(dot)restaurant> unrelated to the Netflix domain and contains very generic text, although the cybercriminal had the graphic foresight to include the well-known logo of the streaming distribution company for movies and TV series.
The purpose is to get the recipient to click on the link Update which, we would like to point out, redirect to a page that has nothing to do with the Netflix's website, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
November 23, 2022 ==> Phishing Intesa Sanpaolo
«SUBJECT: <
Verifica le tue informazioni!>
(Verify your information!)
this new phishing attempt is a fake e-mail from
Intesa Sanpaolo.
The message notifies the unsuspecting recipient that online access to his bank account has been suspended for security reasons. It then invites him to verify his personal information "to restore the functionality of his account and thus confirm that he has not been a victim of computer theft." To carry out the verification process, it is necessary to access your bank account through the following link:
Verifica ora (Check now)
The alert message comes from an email address <c(at)normo(dot)pt> unrelated to the Intesa Sanpaolo's domain and contains a very generic text, although the cybercriminal had the graphic foresight to include the well-known Intesa Sanpaolo logo that could mislead the user.
The purpose is to get the recipient to click on the link Verifica ora (Check now) which, we would like to point out, redirect to a page that has nothing to do with the Intesa Sanpaolo site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
..
November 24 and 16, 2022 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)
«SUBJECT: <
Avviso Di Rinnovo>
(Renewal Notice)
«SUBJECT: <
Rinnovate la vostra registrazione di hosting.>
(Renew your hosting registration)
Here is another phishing attempt consisting of a false communication from
Aruba.
In the example shown on the side, the message informs the recipient that his domain hosted on
Aruba, will expire on
17/11/2022. If the renewal is not done by that date, the domain and all associated services, including mailboxes, will be deactivated and subsequently deleted. He then urges the user to renew the domain, to keep it exclusive and prevent it from being used by others. The renewal procedure is available through the following link:
RINNOVA IL DOMINIO (RENEW THE DOMAIN)
Clearly, the well-known web hosting, e-mail and domain registration services company,
Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
Examining the text of the message we notice right away that the sender's e-mail address <
no-reply(at)protezionecivilelumezzane(dot)it> is not from the official domain of
Aruba.
Anyone who unluckily clicks on the link
RINNOVA IL DOMINIO (RENEW THE DOMAIN), will be redirected to an anomalous WEB page which has nothing to do with the official site of
Aruba, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
November 15, 2022 ==> Smishing BPER
We examine below a new smishing attempt behind a fake text message from
BPER.
The message, which we quote on the side, alerts the unsuspecting recipient, that abnormal use of his card linked to his BPER account has been detected. It then invites him to verify his identity, through the proposed link:
"http://bit[.]do/certificasicurezza"
At first we see that the message is misleading. The link given in fact could mislead the user who, driven by haste is induced, for security reasons, to click on the link to block his credit card linked to the account BPER.
The purpose is to get the recipient to click on the link "http://bit[.]do/certificasicurezza", to redirect him to an anomalous WEB page which has nothing to do with the official site of BPER, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
November 13 and 09, 2022 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)
«SUBJECT: <
[Aruba.it] Rinnovo automatico dei tuoi servizi >
(Automatic renewal of your services)
Here is another phishing attempt coming as a false communication from
Aruba.
The message informs the recipient that the automatic renewal of his services hosted on
Aruba (hosting and domains, Email address...) was not successful. It therefore invites the victim to check his banking information. It then urges the user to renew the domain manually, in order not to lose all the services linked to his Aruba account, through the form available at the following link:
ACCEDETE AL VOSTRO MODULO DI PAGAMENTO (LOGIN TO YOUR PAYMENT FORM)
Clearly, the well-known web hosting, e-mail and domain registration services company
Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
Examining the text of the message, we notice right away that the sender's e-mail address <
support(at)crepesgranosaraceno(dot)com> is not from the official domain of
Aruba.
Anyone who unluckily clicks on the link
ACCEDETE AL VOSTRO MODULO DI PAGAMENTO (LOGIN TO YOUR PAYMENT FORM), will be redirected to an anomalous WEB page which has nothing to do with the official site of
Aruba, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
November 09, 2022 ==> Phishing Account di posta (Email Account)
«SUBJECT: <
RE: Audit Report >
We examine below the phishing attempt aimed to steal the mailbox of the victim.
The message informs the recipient that 1 file is available in the folder named "
CamScanner ****112022.xlsx" . It then invites him to download the file, via the following link:
Get your file
Examining the email, we observe that the message comes from an email address not traceable to any email provider <secured_file98685(at)****(dot)it>, but appears to come from the recipient's domain. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link
Get your file will be redirected to an anomalous WEB page which, as you can see from the image on the side, has nothing to do with the e-mail account manager.
The page to which you are redirected is hosted on an abnormal address/domain, which we show below:
https[:]//s3[.]amazonaws[.]com/appforest_uf/f166....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks .
November 08, 2022 ==> SCAM POLIZIA (POLICE)
«SUBJECT: <
Risposta Urgent Convocazíone>
(Urgent Response Convocation)
The following is a SCAM attempt. It is a false citation for child pornography, coming via email, apparently from "
Mr.Lamberto Giannini, Chief of Police and Director General of Publica Security" .
The message, that comes through a highly suspicious email <
ballestrazzi8(at)gmail(dot)com>, contains only a .jpg file named <
MANDED-PJ01574>. When we open the attachment, which we see below, we see that it is set up in a graphically deceptive way, and seems to be signed by
Mr. Lamberto Giannini himself. The message contains a complaint - referred to child pornography, pedophilia, exhibitionism and cyberpornography - made after the victim's supposed visit to a child pornography site.
This is a scam attempt by cyber criminals, whose goal is to extort a sum of money, in this case in the form of a fine. In fact, the message states the following:
"You are requested to email us your reasons so that they are examined and verified in order to assess the sanctions, within a strict period of 72 hours."
If the victim does not reply within 72 hours, a complaint and arrest warrant will be filed, as well as the threat to release the video to the media. It is quite simple to realize that this is a false complaint. In fact we observe that, first the complaint is not personal, besides the document contains a very suspicious stamp, and there is also incongruity in the reported contact emails.
Clearly, this is a scam attempt, aiming at stealing sensitive user data and extorting sums of money...
November 03, 2022 ==> Phishing Aruba - Rinnova il dominio (Renew the domain)
«SUBJECT: <
Avviso Di Rinnovo >
(Renewal Notice)
Here is another phishing attempt consisting of a false communication from
Aruba.
The message informs the recipient that his domain hosted on
Aruba will be suspended on
05/11/2022, due to unpaid invoices. If payment is not completed by that date, the domain and all associated services - including mailboxes - will be deactivated and subsequently deleted. He then invites the user to renew the domain to keep it exclusive and prevent it from being used by others. The renewal procedure is available through the following link:
RINNOVA IL DOMINIO (RENEW THE DOMAIN)
Clearly, the well-known web hosting, e-mail and domain registration services company
Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient
Examining the text of the message, we notice right away that the sender's e-mail address <
staff-aruba-renew(at)info(dot)it> is not from
Aruba's official domain.
Anyone who unluckily clicks on the link
RINNOVA IL DOMINIO (RENEW THE DOMAIN), will be redirected to an anomalous WEB page, which has nothing to do with the official site of
Aruba, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.
.
A little bit of attention and glance, can save a lot of hassle and headaches....
We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
We invite you to check the following information on Phishing techniques for more details:
05/10/2022 11:55 - Phishing: the most common credential theft attempts in October 2022...
06/09/2022 15:58 - Phishing: the most common credential theft attempts in September 2022..
04/08/2022 16:39 - Phishing: the most common credential theft attempts in August 2022..
06/07/2022 12:39 - Phishing: the most common credential theft attempts in July 2022...
06/06/2022 14:30 - Phishing: the most common credential theft attempts in June 2022...
02/05/2022 11:06 - Phishing: the most common credential theft attempts in May 2022...
06/04/2022 16:51 - Phishing: the most common credential theft attempts in April 2022...
08/03/2022 17:08 - Phishing: the most common credential theft attempts in March 2022.
03/02/2022 16:25 - Phishing: the most common credential theft attempts in February 2022..
04/01/2022 09:13 - Phishing: the most common credential theft attempts in January 2022...
03/12/2021 15:57 - Phishing: the most common credential theft attempts in December 2021....
04/11/2021 09:33 - Phishing: the most common credential theft attempts in November 2021....
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend to use it as a supplement to the AntiVirus already in use as it does not conflict or slow down the system but allows to significantly increase security in terms of identification and remediation of infected files;
- it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
- through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.
- proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website
VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices
VirIT Mobile Security, the Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) where you can download the Lite version, which can be freely used in both private and business settings
You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.
How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- Any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft's C.R.A.M. (Anti-Malware Research Center)
