05/09/2023
10:35

Phishing: the most common credential and/or data theft attempts in September 2023...


Find out which phishing attempts you are most likely to encounter, and how to avoid them.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in September 2023:

30/09/2023 => Istituto Bancario (Bank)
27/09/2023 => EuroPages
25/09/2023 => Shipment Advice
25/09/2023 => Aruba
14/09/2023 => Banca Popolare di Sondrio
12/09/2023 => NETFLIX
04/09/2023 => Banca Popolare di Sondrio
01/09/2023 => Istituto Bancario (Bank)

These e-mails are intended to trick an unfortunate recipient into providing sensitive data, such as bank account details, credit card codes or personal login credentials, with all the easily imaginable consequences.


September 30, 2023 ==> Phishing Istituto Bancario (BANK)

SUBJECT: <[***] Verifica ! > (Check)

The following is another phishing campaign that spreads through an e-mail using graphics stolen from, or imitating those of, a well-known national banking institution. It tries to pass itself off as an official communication in order to induce the unsuspecting recipient to enter his data and fall into a social engineering trap.

Image: the fake e-mail of a well-known banking institution, which tries to steal home banking data.
The message informs the victim that the banking app will expire on 09.09.2023 and notifies him that, in order to keep using the online services, he must first verify his identity. We notice right away a mismatch between the stated expiration date of the banking app and the date of the e-mail, which is highly anomalous.
To proceed with the verification, the recipient is told to click on the following link: APPLICA ORA (APPLY NOW)

We can observe, right from the start, that the alert message comes from a highly suspicious e-mail address <administration(at)franceiservices(dot)fr> and contains a very generic text, although the cybercriminal had the graphic foresight to include, at the bottom, the well-known logo of the banking institution as well as the real toll-free number. All these details could mislead an inexperienced user.

The purpose is to get the recipient to click on the link, which redirects to a web page already reported as a DECEPTIVE page. Indeed it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for criminal purposes.



September 27, 2023 ==> Phishing EuroPages

SUBJECT: <Hai (1) nuova richiesta sul tuo prodotto elencato su EuroPages> (You have (1) new request on your product listed on EuroPages)

This month we again find the following phishing attempt, which arrives as a false communication from EuroPages and aims to steal the login credentials of the victim's account.

Image: the fake EuroPages e-mail, which tries to steal the account login credentials.
The message, seemingly from EuroPages - the largest international B2B sourcing platform - notifies the user of a received message from a certain "Gunther Hans" concerning his product listed on EuroPages. It then invites the user to log into his account to view the request, via the following link:

ACCEDI AL MIO ACCOUNT  (LOGIN TO MY ACCOUNT)

Analyzing the e-mail, we notice that the message comes from an address <ino(at)eventsisoverato(dot)com> that is not traceable to EuroPages' official domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link ACCEDI AL MIO ACCOUNT (LOGIN TO MY ACCOUNT) will be redirected to an anomalous WEB page, which has nothing to do with the official EuroPages website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for criminal purposes.



September 25, 2023 ==> Phishing Shipment Advice

SUBJECT: <**** Shipment Advice :: HBL77999-22 // LCL Container OF 281 Ctns>

This new phishing attempt claims to be a confirmation of a shipment order, with number "AWB COS2226284355A ORDER NO. 11201".

Image: the fake e-mail, which tries to induce the recipient to click on the link in order to steal the e-mail account login credentials.
The message, in English, invites the recipient to download the shared document "CamScanner InterDoc2023.09.xlsx" to view the order. The link to download the file is:
Get your file

Analyzing the e-mail, we notice that the message has a concise, bare-bones textual layout and seems to come from a highly suspicious e-mail address <noreply_77999(at)**** >.

In such cases, the first question to ask is whether the message could plausibly be addressed to us, i.e. whether we were expecting an order confirmation, or whether we normally use this type of channel to receive orders from our customers. We point out that it is always important to be careful before downloading attachments or clicking on suspicious links. In case of doubt, it is preferable to verify the e-mail by calling the sender directly, if he is one of our partners or a service provider.

Anyone who unluckily clicks on the link Get your file will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. Indeed it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for illegal purposes.

September 25, 2023 ==> Phishing Aruba - Rinnova il dominio (Renew the domain)

SUBJECT: <COMUNICAZIONE DI SERVIZIO> (SERVICE COMMUNICATION)

Here we find another phishing attempt, which arrives as a false communication from Aruba.

Image: the fake Aruba e-mail announcing that the domain is about to expire; in reality it is a SCAM!
The message informs the recipient that his domain, hosted on Aruba and linked to his e-mail account, will expire on 25/09/2023. It then asks him to manually renew his services in order to avoid the deletion of the account and thus the deactivation of all the services associated with it, including the mailboxes and with them the use of e-mail. He is also told that, for any further information about the renewal or to get assistance, the Aruba team is available online to help him with the renewal process. Everything is designed to make the message look more credible.
It then invites the user to log in to renew the services, via the following link:

RINNOVA IL DOMINIO  (RENEW THE DOMAIN)

Clearly, Aruba, the well-known web hosting, e-mail and domain registration services company, has nothing to do with the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <callpharmachemtechco(at)pharmachemtech(dot)com(dot)au> is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA IL DOMINIO (RENEW THE DOMAIN) will be redirected to an anomalous WEB page, which has nothing to do with the official Aruba website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for criminal purposes.




September 12, 2023 ==> Phishing NETFLIX

SUBJECT: <NetflixOne>

This month we analyze the following phishing attempt, which arrives as a fake communication from NETFLIX - the well-known streaming platform for movies, TV series and other paid content - and aims to steal the victim's credit card information.

Image: the fake NETFLIX e-mail, which tries to steal credit card data.
The message, graphically well laid out, appears to come from NETFLIX and seems to propose an amazing offer of 2.00 Euro per year for the annual subscription, to watch your favorite movies and TV series.
It then invites the user to click on the following link, so as not to miss out on the fantastic offer:

Offerta limitata 2,00 € / Anno  (Limited offer €2.00 / Year)

Analyzing the e-mail, we notice that the message comes from an address <noel(at)daffertshofer(dot)de> that is not traceable to the official NETFLIX domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Offerta limitata 2,00 € / Anno (Limited offer €2.00 / Year) will be redirected to an anomalous WEB page.

Image: the fake NETFLIX site to which the user is redirected, where he is asked to authenticate in order to buy the discounted annual subscription; in reality it is a SCAM!
From the image on the side, we observe that the web page where the user is asked to sign in to the platform has nothing to do with NETFLIX, but seems to refer to a certain Delta Holder, and invites the user to create a new account.

In fact, at a glance, we notice that the login page is hosted on an anomalous address/domain...

https[:]//register[.]delta-holder[.]net/qchld/it/?aid.....

If you go on to create the account, which is required to activate the fantastic offer, you will probably be asked to enter your personal information and payment method, which will then be used by cyber crooks, with all the associated, easily imaginable risks.


September 04 - 14, 2023 ==> Phishing Banca Popolare di Sondrio

SUBJECT: <Imр о rtа ntе : aggiornamento della nostra applicazione di sicurezza SCRIGNOIdentiTel. > (Important: update of our security application SCRIGNOIdentiTel.)

Below we analyze a new phishing attempt, which arrives as a fake e-mail from Banca Popolare di Sondrio and tries to steal the victim's home banking login credentials.

Image: the fake BPS e-mail, which tries to steal the victim's home banking login credentials.
The message, seemingly from Banca Popolare di Sondrio, announces the release of a mandatory update to the SCRIGNOIdentiTel app, which allows the user to continue using online banking services securely and without interruption. To ensure that the update is completed correctly, the user should click on the proposed link as soon as possible.
Clearly, people who are not Banca Popolare di Sondrio customers will recognise more easily that this is a scam. However, even the bank's customers can identify it as a cyberscam attempt.
Let's see which alarm bells we should pay attention to.
First, we notice that the message comes from an e-mail address not traceable to the Banca Popolare di Sondrio domain. This is definitely anomalous and should immediately make us suspicious.
Although the e-mail looks graphically well done and carries identifying references to Banca Popolare di Sondrio in the signature - such as address, phone number and website - that would seem trustworthy, it is decidedly peculiar that a link requesting home banking credentials is sent by e-mail.
Image: the fake, counterfeit site, which clearly has nothing to do with BPS.

Anyone who unluckily clicks on the link Aggiornare ora (Update now), will be redirected to an anomalous WEB page, which has nothing to do with the official Banca Popolare di Sondrio's website.

From the image on the side we can see that the web page is graphically well done and is a fairly good simulation of Banca Popolare di Sondrio's new official Scrigno portal.
To make it more trustworthy and induce the victim to access the portal, the cyber-criminals also had the foresight to include in the footer some authentic Banca Popolare di Sondrio data, such as address and C.F./VAT number.
As we scroll down the page, we also notice that reassuring guidance is provided on how to request assistance and block the user if needed, all with the goal of further convincing the user of the veracity of the portal, although many of the links present do not lead to any of the expected pages.

Given these considerations, we urge you to pay close attention to any misleading details, and to remember that before entering sensitive data (in this case home banking credentials, i.e. User Code and PIN) it is crucial to examine the URL address where the authentication form is hosted.


The landing page, in this case, is hosted on the url address:

https[:]//formxxxc[-]arles[.]xx/wp1/online/login[.]php

which has nothing to do with Banca Popolare di Sondrio's official website.

This DECEPTIVE PAGE /SITE is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.
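The two checks this write-up keeps coming back to, sender domain versus impersonated brand and the host of the landing page, can be automated over the defanged indicators as quoted above. The following is an added example, not TG Soft's own code: the brand allowlist and the short public-suffix table are assumptions for illustration, and the "Example Bank" sample is constructed.

```python
from urllib.parse import urlparse

# Defanging conventions used in this write-up: "(at)", "(dot)", "[.]", "[:]", "[-]".
DEFANG_RULES = (("(at)", "@"), ("(dot)", "."), ("[.]", "."), ("[:]", ":"), ("[-]", "-"))
# Two-label public suffixes seen in this month's indicators (ASSUMED short table;
# a real deployment would consult the Public Suffix List instead).
TWO_LABEL_SUFFIXES = {"com.au", "co.uk", "com.br"}
# Legitimate sending domains per impersonated brand. ASSUMED example allowlist;
# a defender fills it from each organisation's own published domains.
ALLOWLIST = {
    "EuroPages": {"europages.com"},
    "Aruba": {"aruba.it"},
    "NETFLIX": {"netflix.com"},
    "Example Bank": {"example-bank.it"},  # constructed brand for the clean case
}

def refang(indicator: str) -> str:
    """Turn a defanged address or URL back into its live form (for comparison only)."""
    out = indicator.strip().strip("<>").strip()
    for defanged, live in DEFANG_RULES:
        out = out.replace(defanged, live)
    return out.lower()

def host_of(indicator: str) -> str:
    """Host part of a (possibly defanged) e-mail address or URL."""
    live = refang(indicator)
    if "@" in live and "://" not in live:
        return live.rsplit("@", 1)[1]
    return urlparse(live if "://" in live else "http://" + live).hostname or ""

def registered_domain(host: str) -> str:
    """Registrable domain: last two labels, or three when the suffix itself has two."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def triage(brand: str, indicators, allowlist=ALLOWLIST) -> list:
    """One finding per sender or link whose registrable domain the brand does not own."""
    findings = []
    for ind in indicators:
        dom = registered_domain(host_of(ind))
        if dom not in allowlist.get(brand, set()):
            findings.append(f"{brand}: {ind!r} lands on {dom}, not a known {brand} domain")
    return findings

# Indicators quoted in the September 2023 write-up above, plus one constructed clean sample.
SAMPLES = {
    "EuroPages": ["<ino(at)eventsisoverato(dot)com>"],
    "Aruba": ["<callpharmachemtechco(at)pharmachemtech(dot)com(dot)au>"],
    "NETFLIX": ["<noel(at)daffertshofer(dot)de>", "register[.]delta-holder[.]net"],
    "Example Bank": ["noreply@example-bank.it"],  # constructed, expected clean
}

if __name__ == "__main__":
    for brand, inds in SAMPLES.items():
        for line in triage(brand, inds) or [f"{brand}: nothing flagged"]:
            print(line)
```

A brand absent from the allowlist gets every indicator flagged, which is the safe default for a triage queue but should be tuned before it feeds automated blocking.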



September 01, 2023 ==> Phishing Istituto Bancario

SUBJECT: <Servizi istituto bancario: Avviso ! > (Banking institution services: Notice!)

The following is another phishing campaign that spreads through an e-mail using graphics stolen from, or imitating those of, a well-known national banking institution. It tries to pass itself off as an official communication in order to induce the unsuspecting recipient to enter his data and fall into a social engineering trap.


Image: the fake e-mail of a well-known banking institution, which tries to steal the account data.
The message notifies the unsuspecting recipient that, for security reasons, access to his online account has been suspended and that, in order to restore the associated functionality, it is necessary to carry out the verification process, by clicking on the link Verifica ora. (Check now)

We can see right away that the alert message comes from a highly suspicious e-mail address <zapost(at)simbolodigital(dot)es> and contains a very generic text, although the cybercriminal had the graphic foresight to include the well-known logo of the banking institution, which could mislead the user.

The purpose is to get the recipient to open the attachment, which has already been reported as a DECEPTIVE file/page, as it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for illegal purposes.
 

A little attention and a quick look can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, more than a few unfortunate users will, in all likelihood, be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023
03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in March 2023
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in February 2023
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022
05/10/2022 11:55 - Phishing: the most common credential and/or data theft attempts in October 2022
06/09/2022 15:58 - Phishing: the most common credential and/or data theft attempts in September 2022

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus in use, in order to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It does not require any uninstallation and does not cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This still allows cross-checking through the scan;
  • it identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security is an Italian anti-malware app that protects Android™ smartphones and tablets from malware intrusions and other unwanted threats, and enables the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

 

You can upgrade to the PRO version by purchasing it directly from our website => click here to order

 



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians and everyone who has transmitted or reported material attributable to phishing activities to our Research Center, allowing us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect e-mail can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and writing in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both paper and electronic, as long as the source is always explicitly cited as “Source: CRAM by TG Soft www.tgsoft.it”, with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment would be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: