05/04/2023
17:34

Phishing: the most common credential and/or data theft attempts in APRIL 2023...


Find out the most common phishing attempts you might encounter and also avoid...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in April 2023:

24/04/2023 => Account Posta Elettronica (Email account)
23/04/2023 => Exodus wallet
18/04/2023 => Smishing UniCredit
18/04/2023 => Istituto Bancario (Bank)
17/04/2023 => eMailBox
14/04/2023 => Aruba
11/04/2023 => SexTortion
11/04/2023 => Account Posta Elettronica (Email account)
11/04/2023 => MPS
10/04/2023 => DHL
09/04/2023 => BPER Banca (Bank)
07/04/2023 => Account Posta elettronica (Email account)
05/04/2023 => Aruba - Mancato Rinnovo (Non-Renewal)
05/04/2023 => MPS
03/04/2023 => Aruba - Dominio scaduto (Expired domain)
03/04/2023 => SexTortion
02/04/2023 => DHL


These emails are intended to trick the recipient into providing sensitive data, such as bank account information, credit card codes or personal login credentials, with all the easily imaginable consequences.

April 24, 2023 ==> Phishing Account Posta Elettronica (Email Account)

«SUBJECT: <Notifica: messaggi in sospeso per (*******) - 4/24/2023 3:53:26 a.m.> (Notification: pending messages for (*******) - 4/24/2023 3:53:26 a.m)

We examine below another phishing attempt aimed at stealing the credentials of the victim's e-mail account.

[Image: fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.]

The message, in English, informs the recipient that incoming messages have been blocked due to a validation error. It then invites him to move the messages to the inbox via the following link:

RILASCIA  EMAIL IN ATTESA (27) (RELEASE PENDING EMAIL (27))

Examining the email, we see that the sender's address <blenobia(at)ibw(dot)com(dot)ni> is not attributable to the server hosting the mailbox. This is definitely abnormal and should, at the very least, make us suspicious.

[Image: counterfeit site that clearly has nothing to do with the Webmail.]

Anyone who unluckily clicks on the link RILASCIA EMAIL IN ATTESA (27) (RELEASE PENDING EMAIL (27)) will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected to enter your mail account credentials is hosted on a strange address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/QmYcw5bR5n....


We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.



April 23, 2023 ==> Phishing Exodus wallet

«SUBJECT: <You have succesfully linked your wallet to binance>

We examine below a new phishing attempt that aims to steal the credentials of the victim's Exodus online wallet.

Exodus is an offline wallet, created in 2015 to store people's cryptocurrencies. It is one of the most popular wallets because being offline provides greater security; it is also easy to use and supports several of the most widely used cryptocurrencies (Bitcoin, Lightning Network, Ethereum, Tether and others).

[Image: fake Exodus wallet e-mail, which tries to induce the recipient to click on the links in order to steal his wallet login credentials.]

The message, in English, which we examine below, informs the recipient that there is an opportunity to link his Exodus wallet to the Binance platform (cryptocurrency exchange platform). He will supposedly be able to use the Binance interface to request approval for transactions and to view the balance and activity of his wallet. It then invites him to confirm the request to link his wallet to the Binance platform, or to cancel it if he didn't request the service, through the following link:

CANCEL REQUEST

Examining the e-mail, we notice that the message comes from a highly suspicious e-mail address, <develop(at)agasa(dot)tech>, which does not seem attributable to the official Exodus domain. This is definitely anomalous and should, at the very least, make us suspicious.

[Image: counterfeit site that does not come from the official Exodus domain.]

Anyone who unluckily clicks on the link CANCEL REQUEST will be redirected to an anomalous WEB page which, as you can see from the side image, is graphically well laid out and can mislead an inexperienced user.
The page to which you are redirected appears genuine, since there is an option to cancel the request or confirm it by logging in and entering your wallet credentials. We see, however, that it is hosted on a strange address/domain, which we report below:

https[:]//exds-stps[.]online/exodus[.]php


We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.


April 18, 2023 ==> Smishing UniCredit

We examine below a new smishing attempt behind a fake text message that tries to pass itself off as an official communication from UniCredit.

[Image: fake SMS that appears to come from UniCredit and tries to steal the account codes of the unsuspecting recipient.]

The message, which we quote on the side, alerts the unsuspecting recipient that a suspicious transaction has been detected on his UniCredit mobile banking. It then invites him to follow the verification procedure, to confirm the suspicious transaction, through the proposed link:

"https[:]//is[.]gd/AppInfo_UniCredit"

 
At first glance we note that the message is misleading: the user, driven by haste, may be induced for security reasons to click on the link to verify what is reported and block his UniCredit account.

[Image: fake UniCredit site, which tries to induce the victim to enter his account credentials, but is actually a SCAM!]

The purpose is clearly to lead the user to click on the link "https[:]//is[.]gd/AppInfo_UniCredit".

As we can see from the side image, the web page to which the link in the text message redirects simulates UniCredit's official website rather well, mainly through graphic devices that can mislead the user.
The login page for account management, however, is hosted on an anomalous address/domain that is not attributable to UniCredit's official domain, which we report below:

herbs[-]trading[.]com

If the login information for the UniCredit account is entered in this FORM to log in to the checking account, it will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.
 


April 18, 2023 ==> Phishing Istituto Bancario (Bank)

«SUBJECT: <Attiva il nuovo sistema di sicurezza - Sicurezza dei clienti> (Activate the new security system - Client Security)

We find again this month the phishing campaign that, through an e-mail exploiting graphics stolen from, or similar to, those of a well-known national banking institution, tries to pass itself off as an official communication in order to induce the unsuspecting recipient to do what is requested and fall into a trap based on social engineering techniques.

[Image: fake e-mail from a well-known banking institution, which tries to steal account data.]

The message alerts the unsuspecting recipient that, as of April 21, 2023, he will no longer be able to use his card unless he activates the new web security system, which provides greater security and reliability to transactions. It then invites him to activate the new security system (the operation is described as simple and taking only 3 minutes) through the following link:

Clicca qui (Click here)

We can see right away that the alert message comes from a very suspicious e-mail address, <support(at)customer-security-ipl1(dot)com>, and contains very generic text, although the cybercriminal had the graphic foresight to include the logo of the well-known banking institution, which could mislead the user.

The purpose is to get the recipient to click on the link Clicca qui (Click here) which, we would like to point out, leads to a page that has nothing to do with the official site and has already been flagged as a DECEPTIVE PAGE/SITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


April 17, 2023 ==> Phishing Account Posta Elettronica (Email Account)

«SUBJECT:<eMailBox Upgrade Notice>

We examine below another phishing attempt aimed at stealing the victim's e-mail account credentials.

[Image: fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.]

The message, in English, informs the recipient that the password of his mailbox, whose address is given, is expiring on 20/04/2023. It then invites him to confirm the password to continue using his account, through the following link:

Confirm Password Here

Examining the email, we see that the message comes from an email address, <prashobkumar(at)essencoindia(dot)net>, that is not attributable to the server hosting the mailbox. This is definitely strange and should, at the very least, make us suspicious.

[Image: counterfeit site that clearly has nothing to do with the Webmail.]

Anyone who unluckily clicks on the link Confirm Password Here will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected to enter your mail account credentials is hosted on an anomalous address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/bafybeifo3beptk76wi6x7vwav4....


We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.



April 11, 2023 ==> Phishing Account Posta Elettronica (Email Account)

«SUBJECT: < **** Server - Password scaduta > (**** Server - Password expired)

We examine below the phishing attempt that aims to steal the victim's e-mail account credentials.

[Image: fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.]

The message informs the recipient that the password of his mailbox, whose address is given, has expired, so if it is not confirmed within 24 hours he will be logged out and a new password will be generated.
It then invites the recipient to keep the same password by clicking on the following link:

Mantieni La Password Corrente  (Keep Current Password)

Examining the email, we see that the message comes from an email address, <hakki(at)hasmetal(dot)com(dot)tr>, that is not attributable to the server hosting the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.

[Image: counterfeit site that clearly has nothing to do with the Webmail.]

Anyone who unluckily clicks on the link Mantieni La Password Corrente (Keep Current Password) will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected to enter your mail account credentials is hosted on an anomalous address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/QmYcw5bR5nEUfQxFiGhj6hhG93BXx....


We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.




April 09, 2023 ==> Phishing BPER Banca (Bank)

«SUBJECT: <Pagamenti il codice O-Key saranno disattivate> (Payments the O-Key code will be disabled)

This new phishing attempt comes via an e-mail that - exploiting stolen, or similar graphics from BPER Banca - tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to do as requested and fall into this trap based on social engineering techniques.
Let's look at some clues that may give us insight into the scam attempt in progress.

[Image: fake BPER Banca e-mail, which tries to steal home banking login credentials.]

The message notifies the unsuspecting recipient that as of April 10, the O-Key code for payment confirmation will be deactivated, and all BPER Banca customers will have to switch to PUSH notifications on the app or via SMS. In order to confirm payments, it is necessary to verify and update your mobile number from the settings in your Restricted Area; once the information is updated, the service will start automatically. You are then prompted to proceed through the following link:

https[:]//homebanking[.]bpergroup[.]net/auth/#/auth?bank=o-key05387

We see that the alert message comes from an email address, <noreply(at)rusflagcity(dot)ru>, unrelated to BPER Banca's domain and contains very generic text with syntax errors, although the cybercriminal had the graphic foresight to include the BPER Banca logo, which might mislead an inexperienced user.

[Image: counterfeit site simulating BPER Banca, whose goal is to steal home banking login credentials.]

Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page you are redirected to, for entering your BPER Banca Reserved Area credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//homebanking[.]bpergroup[.]net//auth/#/auth?bank=o-key05387


We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.


April 07, 2023 ==> Phishing Account di posta (Email Account)

The following are 2 phishing attempts aimed at stealing the victim's mailbox credentials.

EXAMPLE 1
< IMPORTANT: Mailbox Termination Request on ****** >
EXAMPLE 2
«ACTION REQUIRED!!! : Message Failure Delivery Notice.»

In the 2 examples above, which are very similar, the message, in English, informs the recipient that his mail account password is expiring on 11/04/2023. To keep the password and have no interruption in services related to his mail account, it is necessary to confirm the password, through the link reported:

Keep Same Password Here

In the second case, on the other hand, it is reported that there are 14 undelivered messages because the mailbox is reaching the space limit "Storage Full:95%". It then invites the recipient to retrieve the suspended e-mails; if he does not take any action within 24 hours, his box will be suspended. The following link is then given:

Release Emails

Examining both emails, we notice that the message comes from an email address, <manjunath(at)tempco(dot)in>, that is not attributable to any email provider. This is definitely anomalous and should, at the very least, make us suspicious.


Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, as they leverage urgency to get the user to proceed to click.

It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or credit card number to make account renewals). If this data is entered, it will be used by cyber criminals for criminal purposes.



April 05 - 14, 2023 ==> Phishing Aruba - Mancato Rinnovo (Non Renewal)

Below we report 2 phishing attempts based on fake e-mails that, by using stolen images, try to pass themselves off as communications from Aruba.

EXAMPLE 1
«Fw:[A‎r‎u‎b‎a‎.i‎t] Rinnovo automatico dei tuoi servizi» (Automatic renewal of your services)
EXAMPLE 2
«Fw:Fattura non pagata #672622» (Unpaid invoice)

In the 2 examples above, which are very similar, the customer is notified that an error occurred during the automatic renewal of the services linked to his domain hosted on Aruba.
In the first example, the recipient is asked to verify the bank information entered and to complete the payment form manually. To verify the new payment information that will be entered, "12.59EUR will be charged (the transaction will be reversed later)." The message then invites the user to proceed with the renewal. In the second example, on the other hand, it is indicated that the renewal has been rejected because the bank refuses to pay the service charge, which amounts to 6.11EUR.

In both cases, the purpose is to induce the user to click on the link in the email:

ACCEDETE AL VOSTRO MODULO DI PAGAMENTO (ACCESS YOUR PAYMENT FORM)


Clearly, Aruba, the well-known web hosting, e-mail and domain registration services company, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

To detect these phishing attempts, it is first of all necessary to examine the sender's e-mail address which, as we can see in the 2 reported cases (<administration(at)trimpianti(dot)com> and <info(at)vsarte(dot)tj>), does not come from the official domain of Aruba.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, since they use urgency or data security to obtain the user's information.

It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or credit card number to make account renewals). If this data is entered, it will be used by cyber criminals for criminal purposes.
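The two checks described above (sender domain first, then the host behind the link), applied to indicators quoted in this report. This is an added example, not TG Soft's code: the official domains passed in (`unicredit.it`, `bper.it`, and the constructed `example.org` standing in for the recipient's redacted mail provider), the gateway and shortener lists, and all function names are assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: short illustrative lists, to be extended for real use.
IPFS_GATEWAYS = {"ipfs.io"}
URL_SHORTENERS = {"is.gd"}


def refang(text):
    """Undo the defanging used in this report: (at), (dot), [.], [:], [-]."""
    text = re.sub(r"\(at\)", "@", text, flags=re.IGNORECASE)
    text = re.sub(r"\(dot\)", ".", text, flags=re.IGNORECASE)
    return re.sub(r"\[([.:\-])\]", r"\1", text)


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(sender):
    """Domain part of a (possibly defanged) From value."""
    address = parseaddr(refang(sender))[1]
    return address.rpartition("@")[2].lower()


def link_host(link):
    """Host name of a (possibly defanged) link; bare host names are accepted."""
    url = refang(link).strip()
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").lower()


def triage(sender, link, official_domains):
    """Return the list of findings for one message (empty list = nothing odd)."""
    findings = []
    if sender:  # an SMS has no From address to check
        dom = sender_domain(sender)
        if not any(belongs_to(dom, d) for d in official_domains):
            findings.append("sender-domain-mismatch")
    if link:
        host = link_host(link)
        if not any(belongs_to(host, d) for d in official_domains):
            findings.append("link-host-mismatch")
            if any(belongs_to(host, g) for g in IPFS_GATEWAYS):
                findings.append("ipfs-gateway")
            if any(belongs_to(host, s) for s in URL_SHORTENERS):
                findings.append("url-shortener")
            # Brand name embedded in a host outside the official domain.
            brands = {d.split(".")[0].lower() for d in official_domains}
            if any(b in host for b in brands):
                findings.append("brand-lookalike-host")
    return findings


# Senders and links as quoted in this report; official domains are assumptions.
SAMPLES = [
    ("Email account", "<blenobia(at)ibw(dot)com(dot)ni>",
     "https[:]//ipfs[.]io/ipfs/QmYcw5bR5n....", {"example.org"}),
    ("UniCredit SMS", None,
     "https[:]//is[.]gd/AppInfo_UniCredit", {"unicredit.it"}),
    ("BPER Banca", "<noreply(at)rusflagcity(dot)ru>",
     "https[:]//homebanking[.]bpergroup[.]net/auth/#/auth?bank=o-key05387",
     {"bper.it"}),
]

if __name__ == "__main__":
    for name, sender, link, official in SAMPLES:
        print(f"{name}: {', '.join(triage(sender, link, official)) or 'clean'}")
```

A sender or link that passes these checks is not thereby proven legitimate; the checks only surface the mismatches this report points out by eye.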



April 05 and 11, 2023==> Phishing MPS

«SUBJECT: <Lapplicazione MPS, Nuovo aggiornamento > (MPS Application, New Update)

We examine below the phishing attempt that comes from a fake e-mail from MPS that aims to steal the victim's account credentials.

[Image: fake MPS e-mail, which tries to induce the recipient to click on the links in order to steal the account login credentials.]

The message informs the recipient that there are new updates to the Terms of Service and that therefore, for security reasons, it is necessary to update his information. It then invites him to confirm his information so that his e-mail address or phone number will not be used without his consent. To proceed with the update, he simply has to click on the following link:

Segui i passi (Follow the steps)

Examining the email, we see that the message comes from an email address, <ticketswix-team(at)notifications(dot)wix(dot)com>, that is not attributable to the MPS domain. This is definitely anomalous and should make us very suspicious.

[Image: counterfeit site that clearly has nothing to do with MPS.]

Anyone who unluckily clicks on the link Segui i passi (Follow the steps) will be redirected to an anomalous WEB page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page to which you are redirected to enter your MPS Reserved Area credentials is hosted on an anomalous address/domain, which we report below:

https[:]//serato-patato[.]applianceservicesecrets[.]com/y87lsXiDk7...

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.



April 03, 2023 ==> Phishing Aruba - Dominio scaduto (Domain expired)

«SUBJECT: <Ultimo avviso: Dominio Scaduto , Rinnova prima della disattivazione> (Last warning: Domain Expired , Renew before disabling)

Here we find again this month the phishing attempt that comes from a false communication from Aruba.

[Image: fake Aruba e-mail stating that the domain is expiring, but it is actually a SCAM!]

The message informs the recipient that his domain hosted on Aruba, linked to his e-mail account, expired on 03/04/2023. It then tells him that if the domain is not renewed, all services associated with it will be deactivated, including the mailboxes, so he will no longer be able to receive and send messages. It then invites the user to renew the domain, completing the order and choosing the most convenient payment method, through the following link:

Riattiva Dominio (Reactivate Domain)

Clearly, Aruba, the well-known web hosting, e-mail and domain registration services company, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <support(at)dadada(dot)it> is not from Aruba's official domain.

Anyone who unluckily clicks on the link Riattiva Dominio (Reactivate Domain) will be redirected to an anomalous WEB page, which has nothing to do with Aruba's official website and has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


April 03 - 11, 2023 ==> SexTortion

The SexTortion-themed SCAM campaign persists. Below is another example of a campaign where, unlike the other examples given, in this case the victim's password is also included in the email text, to make the scam more credible.

The following is an extract from the text of the email on the side:

[Image: e-mail BLACKMAIL attempt, which threatens to send a video of you watching ADULT SITES.]

"I am a professional hacker and have successfully managed to hack your operating system. Currently I have gained full access to your account. In addition, I was secretly monitoring all your activities and watching you for several months. The thing is your computer was infected with a harmful spyware due to the fact that you had visited a website with porn content previously. Let me explain to you what that entails. Thanks to Trojan viruses, I can gain complete access to your computer or any other device that you own. It means that I can see absolutely everything in your screen and switch on the camera as well as microphone at any point of time without your permission. In addition, I can also access and see your confidential information as well as your emails and chat messages. You may be wondering why your antivirus cannot detect my malicious software. Let me break it down for you: I am using harmful software that is driver-based, which refreshes its signatures on 4-hourly basis, hence your antivirus is unable to detect its presence. I have made a video compilation, which shows on the left side the scenes of you happily masturbating while on the right side it demonstrates the video you were watching at that moment. All I need is just to share this video to all email addresses and messenger contacts of people you are in communication with on your device or PC. Furthermore, I can also make public of all your emails and chat history. I believe you would definitely want to avoid this from happening"

The victim is then asked to deposit a sum of 890USD in Bitcoin to the wallet indicated for payment, within 50 hours of receiving the email.

The one shown above is one of the SexTortion campaigns that CRAM examined this month. Below are some of the wallets that have been referred to in the campaigns by cyber criminals, as of 04/18/2023:

  • "18JXXXXXXXXXXXXXXXXXXXXXXz9D": 1 transaction, in the amount of 1779,72 USD.
  • "12aXXXXXXXXXXXXXXXXXXXXXXVvS": no reported transactions.

In such cases we always urge you:
  1. Not to answer these kinds of e-mails, not to open attachments or click on unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
  2. If the criminal reports an actual password used by the user (the technique is to exploit passwords from public leaks, i.e. data stolen in past compromises of official sites such as LinkedIn, Yahoo, etc.), to change it and enable two-factor authentication on that service.

April 02 and 04, 2023 ==> Phishing DHL

«SUBJECT: < IT:EU-GB zone "Central", UnPAID DUTY>

Below is a new phishing attempt, which we find again this month, regarding the delivery of an alleged package; it hides behind a false communication apparently from DHL's service.

[Image: fake DHL e-mail stating that the shipment is awaiting delivery, but it is actually a SCAM!]

The message warns the unsuspecting receiver that "the item owned by you arrived at our premises. However, we found that the shipper did not pay the taxes for customs clearance. Therefore, the goods were retained by DHL's customs handling team". We see that the email is graphically well laid out; in fact, to make the message seem more trustworthy, the DHL logo was included. These messages are increasingly being used to perpetrate scams against consumers, who increasingly use e-commerce for their purchases.
The message then invites the user to pay customs clearance fees, otherwise the item will be returned to the sender. To schedule the delivery, it is necessary to click on the following link:

Rilascio della spedizione (Shipment release)

The alert email comes from an email address, <lequochuy(at)haiphong(dot)gov(dot)vn>, that has nothing to do with DHL's domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.



A little bit of attention and a careful glance can save a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approaches, if there is a resurgence it is reasonably likely that more than a few unfortunate people will be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in March 2023...
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in February 2023...
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023...
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022...
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022...
05/10/2022 11:55 - Phishing: the most common credential and/or data theft attempts in October 2022...
06/09/2022 15:58 - Phishing: the most common credential and/or data theft attempts in September 2022...
04/08/2022 16:39 - Phishing: the most common credential and/or data theft attempts in August 2022...
06/07/2022 12:39 - Phishing: the most common credential and/or data theft attempts in July 2022...
06/06/2022 14:30 - Phishing: the most common credential and/or data theft attempts in June 2022...
02/05/2022 11:06 - Phishing: the most common credential and/or data theft attempts in May 2022...
06/04/2022 16:51 - Phishing: the most common credential and/or data theft attempts in April 2022...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • It is freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • It is interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but significantly increases security in terms of identification and remediation of infected files;
  • It identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • Through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set themselves to run automatically and send the reported files to TG Soft's C.R.A.M.

Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers users to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).

[Image: VirIT Mobile Security, TG Soft's Antimalware for Android™.]

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.



How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail program to lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.



TG Soft's C.R.A.M. (Anti-Malware Research Center)

 

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: