03/10/2023
16:35

Phishing: the most common credential and/or data theft attempts in OCTOBER 2023...


Find out which phishing attempts are the most common, so that you can recognise and avoid them.



PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in OCTOBER 2023:

26/10/2023 => Account di Posta elettronica (Email account)
25/10/2023 => SexTortion
25/10/2023 => Mooney
25/10/2023 => Europages
25/10/2023 => Smishing - Sparkasse
23/10/2023 => Smishing - Il vostro ordine è bloccato (Your order is blocked)
19/10/2023 => Aruba - Rinnova il dominio (Renew the domain)
14/10/2023 => Istituto Bancario (Bank)
07/10/2023 => Aruba - Rinnova il dominio (Renew the domain)
07/10/2023 => Istituto Bancario (Bank)
06/10/2023 => Istituto Bancario (Bank)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.


October 26, 2023 ==> Phishing Account Posta Elettronica (Email Account)

SUBJECT: <NOTICE!!! Email Storage Full>

Below we analyze a phishing attempt that aims to steal the victim's e-mail account credentials.

Image: the fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.
The message, in English, informs the recipient that the storage space is almost full, and soon it will not be possible to receive new messages. It then invites him to increase the storage space to continue using his mail account, by clicking on the following link:

Reset storage


If we analyze the email, we notice that the message comes from an email address <no-reply(at)gsmedi(dot)com>, not traceable to the mailbox server. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Reset storage, will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.



October 25, 2023 ==> SexTortion

This month we find the SexTortion-themed SCAM campaign again. The e-mail seems to suggest that the scammer has accessed the victim's device and, as alleged proof of the breach, the cyber criminal shows an e-mail apparently from the victim's e-mail address. In these cases, the address is simulated with labels to resemble a breach in the victim's account. The purpose, of course, is to require the payment of a sum of money, in Bitcoin, in order not to divulge among his/her email and social contacts a private video of him looking at adult sites.

The following is an extract from the text of the email on the side:


Image: the BLACKMAIL attempt by e-mail, which threatens the user with sending a video of him/her watching ADULT sites.

"Have you seen lately my e-mail to you from an account of yours?
Yeah, that merely confirms that I have gained a complete access to device of yours. Within the past several months, I was observing you. Are you still surprised how could that happen? Frankly speaking, malware has infected your devices and it's coming from an adult website, which you used to visit. Athough all this stuff may seem unfamiliar to you, but let me try to explain that to you. With aid of trojan Viruses, I managed to gain full access to any PC or other types of devices. That merely means that I can watch you whenever I want via your screen just by activating your camera as well as microphone, while you don't even know about that. Moreover, I have also received access to entire contacts list as well as full correspondence of yours. You may be wonderig "However, my PC is protected by a legitimate antivirus, so how that happen? Why couldn't I get any alerts?". To be honest, the reply is very straightforward: malware of mine utilizes drivers, which update the signatures on 4 hurly basis, which turns them to become untraceable, an hereby making you antivirus remain idle. I have collected a video on the left screen where you enjoy wanking, while the video on the right screen shows the video you were watching at that point of time. Still puzzled how much damage could that cause? One mouse click is enough for me to share this video to your social networks, as well as e-mail contacts of yours. In addition, I am also able to gain access to all e-mail correspondence as well as messengers used by you."

The e-mail then asks the victim to send 1550 USD in Bitcoin to the wallet "1P28XXXXXXXXXXXXXXXXXXXXXXXLvn". Once the transaction is received, all data will supposedly be deleted; otherwise the video depicting the user will be sent to all of his/her colleagues, friends and relatives. The unfortunate person has 48 hours to make the payment.

On the mentioned wallet, as of 30/10/2023, there are 3 transactions amounting to 2950.55 USD.

In such cases we always urge you:
  1. not to respond to these kinds of emails, not to open attachments or click on links they contain, and certainly NOT to send any money. You can safely ignore or delete them;
  2. if the criminal quotes a real password used by the user - usually a password obtained from public leaks (compromised data theft) of official sites that occurred in the past (e.g. LinkedIn, Yahoo, etc.) - to change it and enable two-factor authentication on that service.


October 25, 2023 ==> Phishing Mooney

SUBJECT: < MESSAGGIO IMPORTANTE > (IMPORTANT MESSAGE)

Below we analyze the following phishing attempt, coming as a false communication from Mooney, the Italian Proximity Banking & Payments company.

Image: the fake Mooney e-mail, impersonating the online payment system and trying to steal the recipient's sensitive data.
The message informs the recipient that his or her account is temporarily locked, due to an update error.
It then invites him or her to update the profile, through the following link:

Clicca qui (Click here)


This time, the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails, that are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the alert message comes from an e-mail address not traceable to Mooney's domain <support(at)delsanva(dot)com>, although the cybercriminal had the foresight to include the company's well-known logo. Let's always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the link Clicca qui (Click here) will be redirected to an anomalous WEB page, which has nothing to do with Mooney's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.




October 25, 2023 ==> Phishing EuroPages

SUBJECT: <Klaus Heinrich ti ha inviato un messaggio di richiesta sul tuo prodotto>
(Klaus Heinrich has sent you a message requesting your product.)

This month we again find the following phishing attempt, which comes as a fake EuroPages communication and aims to steal the victim's account credentials.

The message, seemingly from EuroPages, the largest international B2B sourcing platform, alerts the user of a message received from a certain "Klaus Heinrich", regarding his or her product listed on the platform. It, then, invites the user to log into his or her account to view the request message, using the following link:

ACCEDI AL MIO ACCOUNT (LOGIN TO MY ACCOUNT)

Analyzing the email, we notice that the message comes from an email address not traceable to the official domain of EuroPages: <info(at)gladiuspescara(dot)it>. This is definitely anomalous and should, at the very least, make us suspicious.


Anyone who unluckily clicks on the link ACCEDI AL MIO ACCOUNT (LOGIN TO MY ACCOUNT), will be redirected to an anomalous WEB page.

Image: the fake Aruba site to which the fake Europages link redirects, where you are asked to authenticate in order to continue to the Europages site... in reality it is a SCAM!

From the side image, we see that the web page seems more traceable to Aruba's page, whose well-known logo is also shown. In fact, we are asked to log into our Aruba e-mail account to confirm our identity, and to be redirected to the site of EuroPages,  to view the request message about the product.

At a glance, however, we observe that the login page is hosted on an anomalous address/domain...

https[:]//cerensa[.]com/wp-admin/user/dxb02l0g1n/8d8dea056d.....

If you enter your data in this FORM, to carry out their verification/confirmation, the data will be sent to a remote server and used by cyber crooks, with all the consequent, easily imaginable, risks.



October 25, 2023 ==> Smishing SPARKASSE

Below we analyze a new smishing attempt, which claims to be a text message from SPARKASSE.

Specifically, this is an alert text message, notifying the recipient that the App - supposedly related to home banking - has been accessed by a device in Poland. A link is then given, to block the suspicious user.
Image: the fake SMS purporting to come from Sparkasse, which tries to induce the recipient to click on the link in order to steal the login credentials of his/her current account.

If the recipient of the text message is not a SPARKASSE customer, he or she will certainly more easily understand the anomaly in the message. But even if he or she were a customer of the well-known banking institution, the recipient should at least remember that, under no circumstances, banking institutions require customers to provide personal data - and especially home banking credentials - via SMS or e-mail.
In fact, it is immediately clear from the suspicious text message that the cyber criminals want to push the user, alarmed by the report of anomalous access, to promptly click on the link: https://urlz[.]**/o***

However, already at a glance, it does not correspond to the official website of the well-known banking institution; in fact, it redirects to a page, that has nothing to do with the official website of SPARKASSE.
Let’s analyze it in detail below.

As we can see from the image shown, the web page where we are redirected by the link in the text message, simulates quite well the official site of SPARKASSE, and is set up in a reasonably deceptive way for an inexperienced user, both graphically and textually.

Image: the FAKE SPARKASSE website, which first tries to induce the recipient to enter personal data, with the aim of then stealing the credentials of the online current account.
To reassure the user about the authenticity of the page, the cyber-criminals in fact had the foresight to insert the authentic logo of SPARKASSE and to set up the page with the same graphics as the official website.

First you are asked to enter your First Name, Last Name, and Mobile Phone Number, so that you can complete the initial identification step ''Verify your identity''. If we enter fake data and click CONFIRM, after an initial data-processing screen, follows another, even more suspicious login request, that hides the scammers' real goal: to steal home banking access codes.
In fact, as we can see, the entry of User Code or Alias and Password is required.


Image: the FAKE SPARKASSE website, which tries to induce the recipient to enter the credentials of his/her online current account.
Although the authentication FORM appears to be well done, we urge you to pay particular attention to the url address of the account management login page.
This is in fact hosted on an address/domain that has nothing to do with SPARKASSE.

If you enter your personal information on this FORM, to log in to your SPARKASSE checking account, it will be sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.

To conclude, we always urge you to be wary of any form that asks you to enter confidential information, and to avoid clicking on suspicious links that may lead you to a fake site, difficult to distinguish from the original one. Therefore you should not enter your bank account access information, credit card information, or any other sensitive data for any reason, if you are not certain of the site... otherwise you will put your most valuable data in the hands of cyber criminals.


October 23, 2023 ==> Smishing ''Il vostro ordine è bloccato'' (Your order is blocked)

Below we analyze a new attempt to steal sensitive data, that comes through a misleading text message.

Image: the fake SMS informing the recipient of a pending shipment; in reality it is a SCAM!
The message, which we show on the side, refers to a pending shipment. In fact, it informs the unsuspecting recipient that the order is stuck due to non-payment of customs fees.
It is necessary to click on the proposed link, to get more information and proceed to unblock the shipment.

The first red flag about the authenticity of the alert, is the origin of the message. Indeed, it is not clear from whom the text message comes, since the courier company, to which the shipment was entrusted, is not reported. In addition, no identifying information about the shipment is mentioned, such as the order number or tracking reference.
The purpose is clearly to get the user to click on the link:

upxxxd.info/kxxxxr3

which redirects to a web page that has, as always, the goal of inducing the user to enter sensitive data.
Let us analyze it in detail below.

The link on the text message redirects us to a web page that should simulate the official website of an express courier, however we can’t identify it.
Although the site is graphically well done, there are in fact no logos or official data of the courier company entrusted with the shipment. We also observe that the url address in the browser bar is anomalous, and not traceable to any transportation company.
Image: the fake courier site where a pending shipment should be tracked, but which is in reality a SCAM!
A first screen shows a precise reference tracking code (910029334). Then, by clicking on ''Traccia il tuo articolo'' (Track your item), another screen follows, where we are notified that the delivery is pending at the distribution center, due to non-payment of customs fees corresponding to Euro 2.00.
The url address, still anomalous, remains unchanged: find[.]locateandsend[.]com

Image: the fake courier site where a pending shipment should be tracked, but which is in reality a SCAM!
Continuing on, after clicking on ''Programma la consegna adesso'' (Schedule delivery now), we are presented with a new screen, inviting us to choose the new delivery mode, followed by a further one, where we are asked to indicate when we prefer the delivery.
Image: the fake courier site where a pending shipment should be tracked, but which is in reality a SCAM!
We are finally at the end of the shipment rescheduling procedure, which should conclude with the confirmation of the data. We notice, however, that in order for delivery to take place, the payment of shipping charges is required...
Image: the fake courier site where a pending shipment should be tracked, but which is in reality a SCAM!

Image: the fake FORM to which you are redirected to unblock a pending shipment, which asks you to enter your credit card data! It is a SCAM!
Here's the surprise.
After clicking on ''Inserisci le informazioni per la consegna'' (Enter delivery information), we are in fact redirected to a data entry FORM that requires - in addition to ''First Name'', ''Last Name'', ''Address'', ''Phone Number'' and ''E-Mail'' - the credit card data, to proceed with the payment of the small amount of € 3.00 (which initially seemed to be Euro 2.00...), related to the shipping costs of the package.

We see that the form page is hosted on a url address different from the one seen previously, but which is in any case completely untrustworthy, with no reference to any transportation company site.

The purpose of the entire thing, is to prompt the user to enter his or her personal data.
On the side, we show in detail the screenshot of the completion form.

To conclude, we always urge you to be wary of any email that asks for confidential data, and avoid clicking on suspicious links, which may lead to a counterfeit site, difficult to distinguish from the original one, thus putting your most valuable data in the hands of cyber crooks.

October 14, 2023 ==> Phishing Istituto Bancario (Bank)

SUBJECT: <Aggiorna subito le tue informazioni ⚠ > (Update your information now)


The following is another phishing campaign, spread through an e-mail that uses graphics stolen from, or similar to, those of a well-known national banking institution, and tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to enter his data and fall into a social engineering trap.

Image: the fake e-mail from a well-known banking institution, which tries to steal the Home Banking data...

The message, this time, uses the false communication of a new partnership with the Postal Police, to protect its account holders from online scams:

"We are pleased to inform you that we have finally set up a partnership with the Postal Police in response to the attacks on the bank systems in recent years."

The intention is to lead the victim to update his or her bank account, to make the new security measures taken operational.

To proceed with the update, it is necessary to click on the following link ACCEDI ALLA TUA BANCA ONLINE. (ACCESS YOUR ONLINE BANK)

We can see from the outset that the alert message comes from an e-mail address <tigoo(at)mail(dot)seagm(dot)com> that is very suspicious and contains very general text, although the cybercriminal had the graphic foresight to include the well-known banking institution logo. All this could mislead an inexperienced user.

The purpose is to get the recipient to click on the link, which redirects to a web page already reported as a DECEPTIVE page. Indeed it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.


07 - 19 October 2023 ==> Phishing Aruba - Rinnova il dominio (Renew the domain)

Below we report the following phishing attempts found this month, coming as false communications from Aruba.

EXAMPLE 1
SUBJECT: <PROMEMORIA: Dominio con account di posta in scadenza>
(REMINDER: Domain with expiring mail account)
EXAMPLE 2
SUBJECT: <Rinnova il tuo dominio **** in scadenza>
(Renew your expiring **** domain)

In the examples above, which are very similar, the customer is notified that his/her domain, hosted on Aruba, is about to expire and he/she is therefore invited to renew it before expiration. He/she is also warned that if the domain is not renewed, all services associated with it will be deactivated, including the mailboxes, and he/she will consequently no longer be able to receive and send messages. The user is then invited to renew the domain through the links provided in the email.

The purpose is clearly to get the user to click on the link in the email:

RINNOVA IL DOMINIO (RENEW THE DOMAIN) or RINNOVA ORA CON UN CLICK (RENEW NOW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

In order to detect these phishing attempts, it is first of all necessary to analyze the sender's e-mail address. In the two cases examined the email addresses are: <infos(at)homespl(dot)com>; Communications_Aruba (here the actual address is hidden behind the display name). In both cases (even though the second is not shown) they certainly do not come from Aruba's official domain.

These messages are very often poorly written emails containing spelling errors, or renewal requests for services that are not actually expiring; they leverage urgency, or concern for the security of the user's data, to get him or her to enter his or her information.

We should also analyze the links or attachments that these messages contain, which usually redirect to a counterfeit website where we are asked to enter our personal information, such as our account username and password, or personal information such as credit card, to make account renewals. If we enter this information, it would be used by cyber criminals for malicious purposes.
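The sender and link checks described above, written out as an added example (not TG Soft's code): the script parses a constructed message modelled on the Aruba reminder, using the sender address quoted above, and flags a sender whose display name claims the brand while the address domain does not belong to it, as well as every link whose host is not the brand's domain. The allowlist and the `.invalid` link hosts are assumptions made for the example; the lookalike host `aruba.it.renewal-notice.invalid` shows why a suffix check, not a substring check, is needed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative allowlist (an assumption for this example): the domains a genuine
# message from each brand would use for its sender address and its links.
OFFICIAL_DOMAINS = {
    "aruba": {"aruba.it"},
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)

# Constructed sample message: sender address as quoted in the text above,
# link hosts invented (.invalid TLD) for the example.
SAMPLE_EMAIL = """\
From: Communications_Aruba <infos@homespl.com>
To: customer@example.invalid
Subject: PROMEMORIA: Dominio con account di posta in scadenza
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your domain is about to expire. Renew it before the deadline or all
associated services, including mailboxes, will be deactivated.</p>
<p><a href="https://aruba.it.renewal-notice.invalid/login">RINNOVA IL DOMINIO</a></p>
<p><a href="https://www.aruba.it/">Assistenza</a></p>
</body></html>
"""


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it.
    A lookalike such as 'aruba.it.renewal-notice.invalid' must NOT match 'aruba.it'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def belongs_to_brand(host: str, brand: str) -> bool:
    return any(host_belongs_to(host, d) for d in OFFICIAL_DOMAINS[brand])


def extract_urls(msg) -> list:
    """Collect every URL from the text/plain and text/html parts, without duplicates."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in HREF_RE.findall(text) + BARE_URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


def analyze(raw_message: str, brand: str) -> dict:
    """Compare the sender and the links of a message against the brand it claims to be."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    # The display name (or the address itself) mentions the brand...
    claims_brand = brand in (display_name + " " + address).lower()
    # ...but does the actual address domain belong to it?
    sender_ok = bool(sender_domain) and belongs_to_brand(sender_domain, brand)

    off_domain_links = [
        url for url in extract_urls(msg)
        if not belongs_to_brand(urlparse(url).hostname or "", brand)
    ]
    suspicious = (claims_brand and not sender_ok) or bool(off_domain_links)
    return {
        "sender": address,
        "claims_brand": claims_brand,
        "sender_domain_ok": sender_ok,
        "off_domain_links": off_domain_links,
        "verdict": "suspicious" if suspicious else "no finding",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, "aruba").items():
        print(f"{key}: {value}")
```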



06 - 07 October 2023 ==> Phishing Istituto Bancario (Bank)

This month we again find many phishing campaigns, spread through e-mails that use graphics stolen from, or similar to, those of a well-known national banking institution, and that try to pass themselves off as official communications, in order to induce the unsuspecting recipient to enter his data and fall into a social engineering trap.

EXAMPLE 1
SUBJECT: <Importante: Attiva il nuovo sistema di sicurezza web>
(Important: Activate the new web security system)
EXAMPLE 2
SUBJECT: <La tua carta sarà limitata dal 09/10/2023>
(Your card will be limited from 09/10/2023)

In example 1, the message informs the unsuspecting recipient that, from October 9, he or she will no longer be able to use his or her card unless he or she activates the new web security system, which supposedly provides greater security and reliability in online transactions. To induce the receiver to click, the message emphasizes the speed of the procedure, which takes only 3 minutes; to proceed, the following link is provided: Clicca qui (Click here).

In example 2, instead, the recipient is notified that the use of his or her credit card will be restricted from October 9. Reactivation will take place through registration (free of charge) with a security service, accessible from the link ACCEDI ALLA TUA BANCA VIA INTERNET (ACCESS YOUR BANK VIA INTERNET).

We can see right away that both alert messages come from e-mail addresses that are very suspicious and not traceable to the well-known Banking Institution. Both texts are very general but both feature the well-known banking institution logo. In example 1, the cybercriminal had the additional foresight to also include the authentic VAT number of the Bank. All of this could mislead an inexperienced user, who, driven by haste and by the desire for more security, could click on a counterfeit link.

The purpose remains to lead the recipient to click on the link, which will redirect him to a web page already reported as fraudulent, because it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.


A little attention and a careful look can save a lot of hassles and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, whenever a campaign resurges it is reasonably likely that more than a few unfortunates will be fooled.

We invite you to check the following information on Phishing techniques for more details:

05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023...
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023...
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023...
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023...
03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in March 2023...
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in February 2023...
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023...
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022...
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022...
05/10/2022 11:55 - Phishing: the most common credential and/or data theft attempts in October 2022...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite
has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.


VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website => click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities, to our Research Center that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the leading international organisations: