PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in April 2022:

25/04/2022 => Account di posta elettronica (Email Account)
19/04/2022 => Aruba - Avviso di sospensione dell'account (Account suspension notice)
19/04/2022 => Account Posta (Email Account)
13/04/2022 => Aruba - Avviso di sospensione dell'account (Account suspension notice)
06/04/2022 => Account di posta elettronica (Email Account)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible, easily imaginable, consequences.

• A little bit of attention and glance, can save a lot of hassle and headache...

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

April 25, 2022 ==> Phishing Account di Posta elettronica (Email Account)

«SUBJECT: < avvertimento: la tua password scade  101#-291 .>  (warning: your password expires 101#-291)

This month again we find the following phishing attempt, aimed to steal the email inbox of the victim.

The message notifies the user that his mailbox password will expire soon. It then prompts the user to confirm his password to continue using it, via the following link:

CONTINUA A UTLIZZARE LA PASSWORD ATTUALE  (KEEP USING YOUR CURRENT PASSWORD )

Examining the email, we notice that the message comes from an email address not  traceable to any email provider <info(at)boa(dot)org>, and it clearly does not come from the recipient's domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link  CONTINUA A UTLIZZARE LA PASSWORD ATTUALE  (KEEP USING YOUR CURRENT PASSWORD ), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes...

April 19, 2022 ==> Phishing Aruba "Avviso di sospensione dell'account" (Account suspension notice)

«SUBJECT: < Avviso di sospensione dell'account > (Account suspension notice)

Here we find another phishing attempt, coming as a false communication from Aruba.

The message informs the recipient that an error has been detected in the Aruba web service. Some of the incoming emails were put on hold by the Aruba server system.

The user is then urged to immediately reset the Aruba account, to avoid permanent restrictions and view incoming emails, via the following link:

Clicca qui per convalidare (Click here to validate)


Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <infos(at)maildc1519218346(dot)mihandns(dot)com>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui per convalidare (Click to validate). will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

19 April 2022 ==> Phishing Webmail

«SUBJECT: <File recommendation Statement>

This phishing attempt aims to steal the access password to the mailbox.

The message informs the user that a file is available for sharing, and the file name <**** recommendation Statement.pdf> is also given. To retrieve the file, it is necessary to click on the following link:

Open

Examining the email we notice that the message, marked by the concise and essential textual layout, comes from a misleading email address that mimics the Dropbox  (file hosting service, cloud storage, automatic file synchronization, personal cloud and client software) address<noreply(at)dropbox(dot)com>.

Anyone who unluckily clicks on the link Open Will be redirected to a WEB page that has nothing to do with the Dropbox's website but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

13 April 2022 ==> Phishing Aruba "Avviso di sospensione dell'account"

(Account suspension notice)

«SUBJECT: < Avviso di sospensione dell'account > (Account suspension notice)

Here we find another phishing attempt coming as a false communication from Aruba.

The message informs the recipient that an error has been detected in the Aruba web service. Some of the incoming emails were put on hold by the Aruba server system..

The user is then urged to immediately reset the Aruba account to avoid permanent restrictions and view incoming emails, via the following link:

Clicca qui per convalidare (Click here to validate)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient..

Examining the text of the message, we notice right away that the sender's e-mail address <info(at)maildc1519219286(dot)mihandns(dot)com>, is not from Aruba's official domain. 

Anyone who unluckily clicks on the link Clicca qui per convalidare (Click here to validate)
will be redirected to a WEB page that has nothing to do with the mailbox server.
If you enter your data on this FORM to perform verification/confirmation of your data, the data will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks

06 April 2022 ==> Phishing Account di Posta elettronica (Email Account)

«SUBJECT:<AVVISO: lo spazio di archiviazione delle cassette postali ha raggiunto il limite critico...> (NOTICE: Mailbox storage space has reached critical limit.)

Here is another phishing attempt aimed to steal the mailbox of the victim.

The message notifies the user that the mail storage space is almost full, then invites him to increase the storage space by 15GB.
It then invites him to click on the following link to receive an additional 15GB:

ATTIVA  (ACTIVATE)

Examining the email, we notice that the message comes from an email address not appear traceable to any email provider <scanner(at)vodafonedsl(dot)it>, and it clearly does not come from the recipient's domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link ATTIVA (ACTIVATE), will be redirected to an anomalous WEB page. From the image below we notice that an authentication mask appears asking you to enter the password of the mailbox.

The next screen is very bare and with no information, especially about the e-mail provider.
At a glance we notice especially that the login page has an anomalous address/domain....
In the image we can see that the page hosting the authentication form is:

https[:]//rwlogisticalcorp[.]com/Web[-]do[-]Valibator...