05/05/2025
15:03

Phishing: the most common credential and/or data theft attempts in MAY 2025


Find out about the most common phishing attempts you might encounter, and how to avoid them.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in May 2025:

26/05/2025 => Mailbox
25/05/2025 => SumUp
23/05/2025 => Sondrio Popular Bank
20/05/2025 => BRT
20/05/2025 => State Police
16/05/2025 => Carta BCC
12/05/2025 => Aruba
11/05/2025 => Survey - Telepass / Decathlon
05/05/2025 => Netflix
04/05/2025 => SumUp
03/05/2025 => Survey - CONAD / UNIPOL
01/05/2025 => FedEx
01/05/2025 => TELEPASS

These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.



26 May 2025 ==> Mailbox

SUBJECT: <E-mail Verification For Mailbox>

The short message, in English, informs the receiver that his/her size limit for Mailbox setup requires immediate response because incoming mails are being rejected. Since this is a minor technical issue the user just needs to revalidate before the countdown process is complete, through the following link.

VALIDATE NOW


Clearly, the well-known company is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

When we carefully analyze the message, we find some suspicious clues. First of all, the email address <info[at]cibl-digital[dot].com> is not traceable to the official domain of Mailbox. This fact is definitely anomalous and should, at the very least, make us suspicious. It is also abnormal that the user is asked to enter his or her account credentials via a link provided via email.

Anyone who unluckily clicks on the VALIDATE NOW link will be redirected to an anomalous web page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

We always urge you to pay attention to even the smallest details and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks.


25 May 2025 ==> SumUp

SUBJECT: <[*Suspicious Email*] Check your email address>

Phishing attempts pretending to be communications from SumUp, the London-based digital payments company, continue.

The message requests the recipient to confirm his/her e-mail address to ensure the security and proper functioning of the SumUp account. To confirm, the user just needs to click on the following Link:

Confirm your email address now

The well-known company is clearly unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

If we analyze the message carefully, we see some suspicious clues. First of all, the email address <pjeanne[at]myt[dot].mu> cannot be traced back to the official domain of SumUp. This fact is definitely anomalous and should, at the very least, make us suspicious. It also seems strange that the user is asked to enter his/her credentials to update his/her account via a link provided via email.

Anyone who unluckily clicks on the Confirm your email address now link will be redirected to an anomalous web page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

We always urge you to pay attention to even the smallest details and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks.


23 May 2025 ==> Sondrio Popular Bank

SUBJECT: <Information Update!>

This month we again find the phishing email that uses graphics stolen from, or similar to those of, a well-known banking institution to trick the victim into following instructions and falling into a social engineering trap.

The message says: “to ensure an optimal level of security, we invite you to update your master data registered with our systems” and urges the unsuspecting recipient to update his/her data using the following link:

Update now

We can see right away that the alert message comes from an e-mail address <contact(at)advbooth(dot)com> that is highly suspicious and contains very general text, although the cybercriminal had the graphic foresight to include the well-known banking institution logo, that could mislead the user.
The purpose is to get the victim to log in to his or her banking app under the guise of updating master data.
Anyone who unluckily clicks on the Update now link will be redirected to an anomalous WEB page, which is unrelated to the official website of the well-known Banking Institution.
From the image on the side we can see that the web page is graphically well done and simulates fairly well the official banking portal site.
Given these remarks, we urge you to pay close attention to every detail, and remember to check the URL of the form before entering sensitive data, such as, in this case, home banking credentials, i.e. User Code and PIN.

The landing page in this case is hosted on the url address:

https[:]//************[.]zd[.]fr/online/login[.]php

which is unrelated to the official website of the well-known banking institution.

This deceptive PAGE/SITE is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.



20 May 2025 ==> BRT

SUBJECT: < Please confirm the delivery address BRT_120533>

We analyze below a new phishing attempt hiding behind a false communication from the well-known express courier BRT.
The message, which we quote on the side, refers to a pending shipment. It notifies the unsuspecting recipient that the delivery of the package could not be completed, due to incomplete recipient address.
It seems necessary to reconfirm the address and reschedule the shipment by clicking on the following link:

Reschedule the shipment

The first red flag about the authenticity of the alert is the origin of the message. In fact it comes from a very suspicious email address <info[at]mstyle-next[dot]com>, not traceable to the BRT courier. To mislead the user, a supposed order tracking number ''981689999268'' is reported, so that tracking can supposedly be verified.
The purpose is clearly to lead the user to click on the provided link, which redirects to a web page whose goal, as always, is to induce the user to enter sensitive data.
Let’s analyze it below in detail.

From the link in the email we are redirected to a page that is supposed to simulate the official website of the BRT courier company. The page, graphically well designed, shows the tracking of the shipment and invites the recipient to update the shipment data within 2 working days, otherwise the package will return to the sender. To continue we need to click on Schedule a new delivery.
 

Then we are redirected to the following screen where we are asked to reschedule the shipment, choosing one of the two available dates. And here is another anomalous detail: in order for the delivery to take place, additional shipping charges of 2 Euros for faster shipping or 1 Euro must be paid...
 
After clicking on Continue we are redirected to a data entry FORM that requests: "First Name", "Last Name", "Address", "City", "Phone Number". We assume that as we continue with data entry, we will also be asked for credit card information to pay for the shipping costs of the package.

We observe that the form page is hosted on a url address that is completely untrusted and unrelated to BRT.
The purpose is to prompt the user to enter his or her personal data.
On the side we show in detail the screenshot of the completion form.

To conclude, we always urge you to be wary of any email that asks for confidential data, and avoid clicking on suspicious links that could lead to a counterfeit site difficult to distinguish from the original, putting your most valuable data in the hands of cyber crooks, who can use it at will.

20 May 2025 ==> State Police SCAM

SUBJECT: <Subpoena, State Police Cybercrime Department🚨>

The following is a SCAM attempt that notifies the victim of a summons.

The message, which comes from a suspicious e-mail address <s1593221[at]edu[dot]moe[dot]om>, contains a .jpg attachment called <Ref-It>. The text is very concise and explains that the citation is due to the detection, by the Police monitoring system, of the <presence of pornographic sites with minors> in the recipient's internet traffic.
The graphically deceptive attachment we see below concerns a false child pornography citation allegedly from "Mr Vittorio Pisani Secretary of State for Security." The victim is supposedly under investigation for child pornography, paedophilia, exhibitionism and cybernetic pornography for visiting a child pornography site.

This is an attempted scam by cyber criminals, whose aim is to extort a sum of money, in this case in the form of a fine. In fact, the message reads as follows:

"Please make yourselves heard by sending us your justifications by e-mail so that they can be examined and verified for sanctions; this within a strict deadline of 72 hours."

If the victim does not respond within 72 hours, an immediate arrest warrant will be issued.
It is quite easy to realise that it is a false complaint, because first of all it is not personal, and secondly, the document contains a very suspicious stamp.

This is clearly an attempt at fraud with the aim to steal sensitive user data and extort money.


16 May 2025 ==> BCC Card

SUBJECT:  <Confirm your identity !>

We analyze below a new phishing attempt aimed at stealing the account login credentials of BCCCard, the well-known Cooperative Credit Bank.

The message informs the recipient that, for security reasons, the access to his/her account has been temporarily restricted.
Once his/her personal information is updated, it will be possible to gain full access to the account. Until then, the account will remain restricted. To proceed with the update the user just needs to click on the following link:

https[:]//www[.]cartabcc[.]it/Pagine/default[.]aspx

When we analyze the message we notice that it has an email address <support[at]dali[dot].ro> clearly not traceable to the official domain of BCCCard. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the provided link will be redirected to an anomalous web page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.

Based on these considerations, we recommend that you NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
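
The two clues used in this case (a sender domain that does not belong to the brand, and a link whose visible text names the official site while the real destination is elsewhere) can be checked mechanically. The following Python is an added example, not TG Soft's tooling: the sample message is constructed, the hosts `mailer.example` and `login.example` are placeholders, and `cartabcc.it` is assumed to be the legitimate domain because it is the one shown in the link text above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. Only the subject and the visible link text follow the
# case described above; the sender and href hosts are placeholders.
SAMPLE_EML = """\
From: "BCC Card" <support@mailer.example>
To: recipient@mail.example
Subject: Confirm your identity !
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Access to your account has been temporarily restricted.</p>
<a href="https://login.example/Pagine/default.aspx">https://www.cartabcc.it/Pagine/default.aspx</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def visible_host(text):
    """Host named in the link text, if the text itself looks like a URL."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)",
                 text.strip().lower())
    return m.group(1) if m else ""


def html_body(msg):
    """Return the first text/html part of the message as a string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def analyze(raw_eml, expected_domain):
    """Return a list of (finding, detail) tuples for one raw e-mail."""
    msg = message_from_string(raw_eml)
    findings = []

    # Clue 1: the From address is not on the brand's domain.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender_domain, expected_domain):
        findings.append(("sender_domain_mismatch", sender_domain))

    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        # Clue 2: the link leaves the brand's domain.
        if not in_domain(target, expected_domain):
            findings.append(("link_off_domain", target))
        # Clue 3: the text shows one host, the href points to another.
        shown = visible_host(text)
        if shown and shown != target:
            findings.append(("link_text_mismatch", f"{shown} -> {target}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML, "cartabcc.it"):
        print(finding)
```

A clean result does not prove a message is genuine: the From header can be forged, so the check complements the SPF/DKIM/DMARC verdict of the receiving mail server.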

12 May 2025 ==> Aruba - ICANN fee

SUBJECT: <[ARUBA Italy] ICANN Fee Invoice 2025 Attached>

Phishing attempts pretending to be communications from the Aruba brand continue.

The message informs the recipient that the invoice for payment of the annual ICANN (Internet Corporation for Assigned Names and Numbers) fee, for the registration of his/her domain hosted on Aruba, is due. It then shows that the invoice expires on 10 May 2025, and requests the payment of Euro 2.00. The following link is provided for the payment:

Pay Now

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is uninvolved in the mass sending of these e-mails, which are real scams whose objective remains, as always, to steal sensitive data of the unsuspecting recipient.

Anyone who unluckily clicks on the Pay Now link will be redirected to an anomalous web page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.



11 May 2025 ==> Phishing customer survey: Telepass / Decathlon

Customer survey-themed phishing campaigns, exploiting well-known brands, continue. The two cases below involve large-scale retail and mobility services companies.
In the first reported example, the cybercriminal used the well-known brand name of Decathlon to launch a promotional message that would allow the recipient to win an exclusive prize <Quechua Hiking Equipment Package>. To claim the prize, recipients just have to answer a few short questions.
In the second reported example, a <Car Emergency Kit> is supposedly offered as a prize by Telepass, and it can again be claimed by participating in a short survey.
The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious e-mails, which are outright scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
In the two examples above we see that the emails clearly come from addresses <producequality[at]vip[dot]163[dot]com> and <it651023sd[at]fedracasa[dot]com>, unrelated to the official domain of Decathlon or Telepass. This is definitely anomalous and should certainly make us suspicious.

If we click on the links in the email, we are redirected to a landing page that, although graphically deceptive (with misleading images and the brand's authentic logo), is hosted on an anomalous address/domain, which does not seem at all trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely if so many users were lucky why not try our luck?

When the survey is completed, the user is usually redirected to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.



05 May 2025 ==>  NETFLIX

SUBJECT: <Action Required: Verify Your Subscription Payment Information>

Let's examine the following phishing attempt, which comes as a fake communication from NETFLIX, the well-known streaming distribution platform of movies, TV series and other paid content, and which aims to steal the credit card details of the victim.

The message informs the user that his/her membership has expired, but as part of the loyalty programme he/she can extend the membership for 90 days FREE OF CHARGE! However, he/she needs to hurry as the offer expires soon. The following link is provided for membership extension:

Update data


When we examine the e-mail, we notice that the message comes from an e-mail address <evaa(at)fisioterapiaspedale(dot)it> that cannot be traced back to the official domain of NETFLIX. This is definitely anomalous and should, at the very least, raise our suspicions.

Anyone who unluckily clicks on the Update data link will be redirected to an anomalous web page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.



04 May 2025 ==> SumUp

SUBJECT: <Check your email address>

We analyse below a new phishing attempt aimed at stealing the account login credentials of SumUp, the London-based digital payments company.

The message asks the recipient to confirm his or her e-mail address linked to his or her SumUp account, via the link provided, to ensure the functionality and security of his or her account.

Confirm your email address

When we examine the message, we see that it comes from an email address <mediaworld7711[at]assistenzaanzianitoscana[dot].it> that is clearly not traceable to the official domain of SumUp. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the Confirm your email address link will be redirected to an anomalous WEB page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.


03 May 2025 ==> Phishing customer survey: UNIPOL / CONAD

Customer survey-themed phishing campaigns, exploiting well-known brands, continue. The two cases below involve large-scale retail companies and insurance companies.
In the first reported example, the cybercriminal used the well-known brand name of CONAD to launch a promotional message that would allow the recipient to win an exclusive prize <A 36-piece Tupperware Modular Mates Set>. To claim the prize, recipients just have to answer a few short questions.
In the second reported example, a <Car Emergency Kit> is supposedly offered as a prize by UNIPOL, and it can again be claimed by participating in a short survey.
The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious e-mails, which are outright scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
In the two examples above we see that the emails clearly come from addresses <kolajaha[at]associazionegmail[dot]net> and <unipo7826[at]ediliziacincidda[dot]it>, unrelated to the official domain of CONAD or UNIPOL. This is definitely anomalous and should certainly make us suspicious.

If we click on the links in the email, we are redirected to a landing page that, although graphically deceptive (with misleading images and the brand's authentic logo), is hosted on an anomalous address/domain, which does not seem at all trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely if so many users were lucky why not try our luck?

When the survey is completed, the user is usually redirected to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.



01 May 2025 ==>  FedEx

SUBJECT: <FedEx: action required to complete package delivery 789###123>

Let's analyze a new phishing attempt that aims to steal the login credentials of a FedEx account, the international shipping company.

The message informs the recipient that the FedEx-paid shipment is awaiting instructions. It then invites him/her to complete the order to receive the shipment by clicking on the following link:

Display your order

When we analyze the message, we see that it comes from an email address <commerciale[at]nuovafloricoltura[dot].it> that is clearly not traceable to the official domain of FedEx. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the Display your order link will be redirected to an anomalous WEB page which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.


01 May 2025 ==> TELEPASS

SUBJECT: <[ G-5097 ] - Your Telepass Emergency Kit is waiting for you!>

Below we analyze the attempted scam, hidden behind false communications by the well-known Italian company TELEPASS  working in the urban and suburban mobility services industry.
It is a graphically and textually well-crafted message that aims to make the user believe that he or she is facing a real unmissable opportunity. The lucky user has been selected as the winner of a fantastic prize, or at least that's what it looks like: a new "emergency car kit premium", which can be claimed by participating in a short survey...
Certainly this phishing is a real decoy for many inexperienced users.
Clearly the well-known company TELEPASS is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.

We immediately see that the message comes from an email address <sentisi[at]dtihost[dot]com> clearly not traceable to the official domain of TELEPASS. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link in the email, we are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of TELEPASS), does not seem trustworthy at all.
In fact, the survey is hosted on the following anomalous address/domain:

https[:]//[FakeDomainName*]....

which has no connection with TELEPASS.
The cyber criminals masterminding the scam try to induce the user to finish the survey quickly, by making him/her believe that only a few people can win and that the offer expires within the day. There is also a countdown timer at the bottom of the screen which, if stopped (as we simulated), starts over immediately. This is a rather strange thing.

When we click on the START THE SURVEY link, we are taken to the next screens, where we are asked to answer 8 questions.

Here is specifically question 1/8. These are very general questions focused on the degree of satisfaction with the services offered by TELEPASS and about the company's marketing/promotional choices. Here, too, there is a countdown to prompt the user to quickly finish the process for the award.
When the survey is over we can finally claim our prize: an emergency car kit premium  that would be worth 99,95 Euros but costs us 0 Euros. We only have to pay e Euros of shipping costs.
But let's hurry. It seems there are only 5 left in stock.

Here we go: in fact, all you need to do is to enter your shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....

To give more credibility, many comments from customers who supposedly participated in the survey, have been reported. These are all confirming testimonials/feedback about the actual delivery of the winnings, ensuring that it is not really a scam.....
Surely if so many users were lucky why not try your luck?
Then, when we click on the Continue link, we are directed to a further page to enter our shipping address and pay shipping costs.
As we can see from the image on the side, the cybercriminals try to trick the victim into entering his/her sensitive data to ship the prize. Most likely, credit card information will also be requested later for the payment of shipping costs of Euro 1,98. The page where we are redirected, to enter our personal data, is hosted on a new abnormal address/domain, which we report below:

https[:]//[FakeDomainName*][.]com

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.

A little attention and a quick glance can save a lot of hassles and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated techniques, if there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
 
We invite you to check the following information on phishing techniques for more details:


03/02/2025 14:54 - Phishing: the most common credential and/or data theft attempts in February 2025...
03/01/2025 14:40 - Phishing: the most common credential and/or data theft attempts in January 2025...
03/12/2024 14:47 - Phishing: the most common credential and/or data theft attempts in December 2024...
06/11/2024 14:33 - Phishing: the most common credential and/or data theft attempts in November 2024...
07/10/2024 14:33 - Phishing: the most common credential and/or data theft attempts in October 2024...
04/09/2024 09:28 - Phishing: the most common credential and/or data theft attempts in September 2024
06/08/2024 14:50 - Phishing: most popular credential and/or data theft attempts in August 2024...
04/07/2024 17:22 - Phishing: the most common credential and/or data theft attempts in July 2024.
03/06/2024 17:22 - Phishing: the most common credential and/or data theft attempts in June 2024..
03/05/2024 11:56 - Phishing: the most common credential and/or data theft attempts in May 2024..
03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024...
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024..

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite  has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers users to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 


TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

You can upgrade to the PRO version by purchasing it directly from our website.


Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.


How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail to the following address, lite@virit.com, choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)


Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: