On 22 November 2019, the Italian State Police arrested the cyber-criminal responsible for the “Orziveccho” attack, which CNAIPIC renamed “PEOPLE1”.
TG Soft identified the “Orziveccho” operation between Saturday 4th and Tuesday 7th March 2017, when multiple spear-phishing attacks were registered against the registry services of many Italian municipalities.
TG Soft chose “ORZIVECCHO” as the name of this operation because it was part of the domain name from which the malware was downloaded: www.scuolaelementarediorziveccho.191.it, which had already been used for criminal activities since 2013.
This domain should have been assigned to Orzivecchi's municipal elementary school, but because of a typing error it was registered as “orziveccho” instead of “orzivecchi”. For this reason it was abandoned, and the cyber-criminal then used it for his own purposes.
Orziveccho used a remote assistance program, through which it installed a keylogger to steal the municipal employees' access credentials for public administration portals. Most of the victims were small municipalities, but in addition to these we can also include the CAF patronages, databases of the Revenue Agency, INPS, INAIL, ACI and InfoCamere.
The cyber-criminal used various spear-phishing campaigns to target and spy on Italian municipalities since 2013. TG Soft's Anti-Malware Research Centre has estimated that no less than 10% of Italian municipalities have been targeted by this malware-spy.
From 2013, the cyber-criminal behind "Orziveccho" used commercial keyloggers for his espionage operations, until he reached out to real cyber security experts for the implementation of RATs and keyloggers.
The purpose of “Orziveccho” was to steal the personal data and the tax and social security positions of unsuspecting Italian private customers and companies, in order to resell them to investigation agencies through the portal "People1.info" located in Russia.
TG Soft has declassified the confidential information on the Orziveccho operation (aka PEOPLE1).
Download the full report on operation PEOPLE1-Orziveccho in PDF format:
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated. It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”