05/10/2022
11:55

Phishing: the most common credential and/or data theft attempts in OCTOBER 2022...


Find out which phishing attempts you are most likely to encounter and, with a little attention, avoid...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in October 2022:

27/10/2022 => Aruba
20/10/2022 => Account di posta elettronica (Email Account)
19/10/2022 => Aruba - Dominio sospeso (Suspended domain)
11/10/2022 => Aruba - Rinnova il dominio (Renew the domain)
08/10/2022 => BRT Spedizione in consegna (Shipping on delivery)
06/10/2022 => Nexi
05/10/2022 => Aruba - pagamento fallito (failed payment)
04/10/2022 => Smishing CLS consegna del pacco (package delivery)
01/10/2022 => BRT Spedizione in consegna (Shipping on delivery)

These emails are intended to trick the recipient into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.

October 27, 2022 ==> Phishing Aruba

«SUBJECT: < Aruba.it : Notifica nuovo messaggio ! > (Aruba.it : New message notification!)

Below we examine a phishing attempt that comes as a fake communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will expire on 10/28/2022. It then invites the user to renew the domain through the following link:

Clicca qui (Click here)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

If we examine the text of the message, we notice right away that the sender's e-mail address <devdev(at)deals(dot)priceline(dot)com> is not from Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui (Click here) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


October 20, 2022 ==> Phishing Account di posta (Email Account)

«SUBJECT:< RE: Audit Report >

We examine below the phishing attempt aimed at stealing the mailbox of the victim.

The message informs the recipient that 3 files are available in the folder named "CamScanner InterDoc2022.08.xlsx". It then invites him to download the files via the following link:

Get your file

Examining the email, we observe that the message comes from an email address not traceable to any email provider, <secured_file21597(at)****(dot)it>, but which seems to come from the recipient's domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Get your file will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.

October 19, 2022 ==> Phishing Aruba - Rinnova il dominio (Renew the domain)

«SUBJECT: < Il dominio è scaduto ed è stato sospeso! > (The domain has expired and has been suspended!)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will be suspended on 19/10/2022 due to unpaid invoices. If the payment is not completed by that date, the domain and all associated services - including mailboxes - will be deactivated and subsequently deleted. The message then urges the user to renew the domain to keep it exclusive and prevent it from being used by others. The renewal procedure is available through the following link:

RINNOVA CON UN CLIC (RENEW WITH A CLICK)


Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <support(at)arilicbakerypeschieradelgarda(dot)it> is not from Aruba's official domain.
 
Anyone who unluckily clicks on the link RINNOVA CON UN CLIC (RENEW WITH A CLICK) will be redirected to an anomalous WEB page which has nothing to do with the official site of Aruba, and which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


October 11, 2022 ==> Phishing Aruba - Rinnova il dominio (Renew the domain)

«SUBJECT: < Disattivazione casella e-mail per scadenza dominio. > (Mailbox deactivation due to domain expiration)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that their domain hosted on Aruba will expire on 11/10/2022. If the domain is not renewed by that date, it will be deactivated together with all associated services, including mailboxes. It then invites the user to renew the domain through the following link:

RINNOVA IL DOMINIO (Renew the domain)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <contact(at)bestmailoffers(dot)us> is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA CON UN CLIC (RENEW WITH A CLICK) will be redirected to an anomalous WEB page, which has nothing to do with the official site of Aruba, and which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.

https[:]//tinyurl[.]com/app/nospam/tinyurl[.]com/2022pag/terminated

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.

October 08, 2022 ==> Phishing BRT: Spedizione in consegna (Shipping on delivery)

«SUBJECT: < BRT - Avviso spedizione in consegna 97800340> (BRT - Shipment Notice on Delivery 97800340)

Here's another phishing attempt this month, hiding behind a fake communication from BRT's service, concerning the delivery of an alleged package.

The message notifies the unsuspecting recipient that his package could not be delivered, due to additional unpaid customs clearance fees. An alleged delivery code <97800340> is also reported. We see that the email is graphically well laid out. In fact, to make the message seem more trustworthy, the BRT logo has been introduced. These messages are increasingly being used to scam consumers, who more and more use e-commerce for their purchases.
The message then invites the user to pay the customs clearance fee of Euro 1.99, to reschedule the delivery, by clicking on the following link:

Invia il mio pacco (Send my package)

The alert email comes from an email address <support(at)app(dot)fleetweb(dot)com> that is clearly not from BRT's domain.

Anyone who clicks on the link will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with BRT's site.
The page to which you are redirected is hosted on an anomalous address/domain, which we report below:

https[:]//2m[.]ma/ar

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.

October 06, 2022 ==> Phishing Nexi

SUBJECT: <Accesso non autorizzato Ref#007-773761639> (Unauthorized access Ref#007-773761639)

This new phishing attempt claims to be a communication from Nexi.

The message notifies the recipient that a transaction - suspected to be unauthorized - has been suspended for security reasons. He is then informed that, if he did not authorize the transaction, he can delete it by logging into his Nexi account via the following link:

Clicca qui per proseguire > (Click here to continue)

First, we notice that the text of the email is very generic and there is no identifying information about the client or the linked account. The alert email comes from an email address <noreply(at)albertogomezxsd(dot)com> that is clearly not from Nexi's official domain.

Anyone who unluckily clicks on the link Clicca qui per proseguire > (Click here to continue) will be redirected to an anomalous WEB page, which has nothing to do with Nexi's official site, and which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


October 05, 2022 ==> Phishing Aruba - Pagamento fallito (failed payment)

«SUBJECT: < Stаtо: pagаmentо fаllito❗ > (Status: failed payment!)

Below we analyze a phishing attempt that comes as a fake communication from Aruba.

The message informs the recipient that their domain hosted on Aruba will expire on 7/10/2022. If the domain is not renewed by that date, it will be deactivated together with all associated services, including mailboxes. It then invites the user to renew the domain through the following link:

Clicca qui (Click here)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <dev(at)deals(dot)priceline(dot)com> is not from Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui (Click here) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.



October 04, 2022 ==> Smishing CLS: La tua consegna è stata rifiutata (Your delivery has been refused)

Here again is the text message scam attempt, hidden behind a false communication from the CLS service concerning the delivery of an alleged package.

The message informs the unsuspecting recipient that they were unable to deliver his package, with an alleged delivery code <CLS910029334>. It then explains that a phone contact was made - showing the recipient's phone number - but to no avail.
The message then invites the user to reconfirm the delivery by clicking on the following link:

http://ijozeh[.]com/xH9FnOS



Anyone who clicks on the link will be redirected to a web page which graphically mimics the CLS page and reports:
"You have (1) package waiting for delivery. Use your code to track and receive it"

The tracking code to use is then shown. However, we observe in the side image that the URL in the browser's address bar isn't the authentic CLS domain:

trackit[.]trackmyparcel[.]top

Moving on, after clicking on "Track your item", we are presented with a new screen.

From the image below, we are notified that the delivery of the package is pending due to non-payment of shipping costs of Euro 2.00.
The next screen asks us how we prefer the package to be delivered: "I want it delivered to me" or "I will pick it up myself."
This is followed by 2 more questions like the previous one, asking where we prefer the package to be delivered: "At home" or "At work" and when we prefer it to be delivered: "Weekdays" or "Weekends."
Once we have selected our preferences, we finally arrive at a new screen confirming that the package has been sent, with estimated delivery in 2 days. Then, when you click on "Inserisci le informazioni per la consegna" (Enter your delivery information), you are redirected to an additional page to enter your contact information and pay the shipping charge of €2.00.

From the side image, we observe that our personal information is actually being requested, to send the package and then for the payment. As you can see, the login page is hosted on an anomalous address/domain, different from the previous one and that clearly has nothing to do with CLS...

campaigns[.]eoffers[.]club

The purpose of this elaborate fake email is to induce the user to enter his personal information.

To conclude, we always urge you to be wary of any email asking for confidential data, and avoid clicking on suspicious links which could lead to a counterfeit site, difficult to distinguish from the original, thus putting your most valuable data in the hands of cyber crooks for their use and profit.


October 01, 2022 ==> Phishing BRT: Spedizione in consegna (Shipping on delivery)

«SUBJECT: < BRT - Avviso spedizione in consegna 486241130> (BRT - Delivery Shipment Notice 486241130)

Here again this month is the phishing attempt hiding behind a false communication from the BRT service, concerning the delivery of an alleged package.

The message notifies the unsuspecting recipient that his package could not be delivered, due to additional unpaid customs clearance fees. An alleged delivery code <486241130> is also reported. We see that the email is graphically well laid out. In fact, to make the message seem more trustworthy, the BRT logo has been introduced. These messages are increasingly being used to scam consumers who, more and more, use e-commerce for their purchases.
The message then invites the user to pay the customs clearance fee of Euro 1.99, to reschedule the delivery, by clicking on the following link:

Invia il mio pacco (Send my package)

The alert email comes from an email address <support(at)ntgsa(dot)co(dot)za> that is clearly not from BRT's domain. Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.



A little attention and a careful look can save a lot of hassle and headaches....

We urge you NOT to be fooled by these types of e-mails: although they use familiar and not particularly sophisticated techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
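
The check applied by hand in each case above (does the sender's address belong to the impersonated brand's own domain?) can be automated. The following is an added example, not code from TG Soft: it reads the sender addresses exactly as quoted in this report, in their (at)/(dot) notation, and compares them on a label boundary. The official domains in OFFICIAL_DOMAINS and the addresses in CONSTRUCTED are assumptions that do not come from the report.

```python
import re

# Assumption: official sending domains of the impersonated brands.
# They are not stated in the report; replace with the brands you protect.
OFFICIAL_DOMAINS = {
    "Aruba": {"aruba.it"},
    "BRT": {"brt.it"},
    "Nexi": {"nexi.it"},
}

# Defanged tokens as written in this report, plus common bracket variants.
_DEFANG = [("(at)", "@"), ("[at]", "@"), ("(dot)", "."), ("[dot]", "."), ("[.]", ".")]
_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of a plain or defanged address."""
    addr = address.strip().strip("<>").strip().lower()
    for token, char in _DEFANG:
        addr = addr.replace(token, char)
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".")
    if not (sep and local and _DOMAIN_RE.fullmatch(domain)):
        raise ValueError(f"cannot parse sender address: {address!r}")
    return domain


def is_aligned(domain: str, official: set) -> bool:
    """True if domain is an official domain or a subdomain of one.

    Matching on a label boundary rejects look-alikes that a plain
    substring or suffix test would accept.
    """
    return any(domain == d or domain.endswith("." + d) for d in official)


def check_sender(brand: str, address: str) -> str:
    """Classify the From address of a message claiming to come from brand.

    Redacted addresses such as ****(dot)it are reported as 'unparseable'.
    """
    try:
        domain = sender_domain(address)
    except ValueError:
        return "unparseable"
    return "aligned" if is_aligned(domain, OFFICIAL_DOMAINS[brand]) else "mismatch"


# Sender addresses quoted in the report, kept in their defanged form.
REPORTED = [
    ("Aruba", "<devdev(at)deals(dot)priceline(dot)com>"),
    ("Aruba", "<support(at)arilicbakerypeschieradelgarda(dot)it>"),
    ("Aruba", "<contact(at)bestmailoffers(dot)us>"),
    ("BRT", "<support(at)app(dot)fleetweb(dot)com>"),
    ("Nexi", "<noreply(at)albertogomezxsd(dot)com>"),
    ("Aruba", "<dev(at)deals(dot)priceline(dot)com>"),
    ("BRT", "<support(at)ntgsa(dot)co(dot)za>"),
]

# Constructed addresses (not from the report) covering the edge cases.
CONSTRUCTED = [
    ("Aruba", "billing(at)aruba(dot)it(dot)example(dot)net"),  # brand as prefix
    ("Aruba", "info(at)not-aruba(dot)it"),                     # brand as suffix
    ("Aruba", "noreply(at)staff(dot)aruba(dot)it"),            # hypothetical subdomain
]

if __name__ == "__main__":
    for brand, address in REPORTED + CONSTRUCTED:
        print(f"{brand:6} {check_sender(brand, address):12} {address}")
```

A mismatch is the signal to act on; an aligned domain proves nothing by itself, because the From header of an e-mail can be forged.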
 
We invite you to check the following information on Phishing techniques for more details:

06/09/2022 15:58 - Phishing: the most common credential theft attempts in September 2022
04/08/2022 16:39 - Phishing: the most common credential theft attempts in August 2022
06/07/2022 12:39 - Phishing: the most common credential theft attempts in July 2022
06/06/2022 14:30 - Phishing: the most common credential theft attempts in June 2022
02/05/2022 11:06 - Phishing: the most common credential theft attempts in May 2022
06/04/2022 16:51 - Phishing: the most common credential theft attempts in April 2022
08/03/2022 17:08 - Phishing: the most common credential theft attempts in March 2022
03/02/2022 16:25 - Phishing: the most common credential theft attempts in February 2022
04/01/2022 09:13 - Phishing: the most common credential theft attempts in January 2022
03/12/2021 15:57 - Phishing: the most common credential theft attempts in December 2021
04/11/2021 09:33 - Phishing: the most common credential theft attempts in November 2021
07/10/2021 14:38 - Phishing: the most common credential theft attempts in October 2021

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set themselves to run automatically and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security, the Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

VirIT Mobile Security, TG Soft's Antimalware for Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) where you can download the Lite version, which can be freely used in both private and business settings

You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp

 

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.



How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail account to the following address, lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.



TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: