06/04/2022
16:51

Phishing: the most common credential and data theft attempts in April 2022


Find out which phishing attempts you are most likely to encounter and how, with a little attention, you can avoid them.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in April 2022:

25/04/2022 => Account di posta elettronica (Email Account)
19/04/2022 => Aruba - Avviso di sospensione dell'account (Account suspension notice)
19/04/2022 => Account Posta (Email Account)
13/04/2022 => Aruba - Avviso di sospensione dell'account (Account suspension notice)
06/04/2022 => Account di posta elettronica (Email Account)

These emails are designed to trick the recipient into handing over sensitive data, such as bank account details, credit card numbers or personal login credentials, with all the consequences that easily follow.

April 25, 2022 ==> Phishing Account di Posta elettronica (Email Account)

«SUBJECT: < avvertimento: la tua password scade  101#-291 .>  (Warning: your password expires 101#-291)

This month we again find the following phishing attempt, aimed at stealing the victim's mailbox credentials.

(Image: the fake email from the "email account administrator", which tries to induce the recipient to click the links so that the account login credentials can be stolen.)
The message notifies the user that their mailbox password will expire soon, and prompts them to confirm the password in order to keep using it, via the following link:

CONTINUA A UTLIZZARE LA PASSWORD ATTUALE  (KEEP USING YOUR CURRENT PASSWORD )

Examining the email, we notice that it comes from an address, <info(at)boa(dot)org>, that cannot be traced to any email provider and clearly does not belong to the recipient's domain. A notice about your own mailbox that does not come from your own mail provider is anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link CONTINUA A UTLIZZARE LA PASSWORD ATTUALE (KEEP USING YOUR CURRENT PASSWORD) is redirected to an anomalous web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data and use it for illegal purposes.

April 19, 2022 ==> Phishing Aruba "Avviso di sospensione dell'account" (Account suspension notice)

«SUBJECT: < Avviso di sospensione dell'account > (Account suspension notice)

Here we find another phishing attempt, coming as a false communication from Aruba.

(Image: the fake Aruba email reporting an error in the web service that may lead to account suspension... which is in fact a SCAM!)
The message informs the recipient that an error has been detected in the Aruba web service and that some incoming emails have been put on hold by the Aruba server system.

The user is then urged to immediately reset the Aruba account, to avoid permanent restrictions and view incoming emails, via the following link:

Clicca qui per convalidare (Click here to validate)


Clearly, Aruba, the well-known web hosting, e-mail and domain registration company, has nothing to do with the mass sending of these e-mails, which are outright scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.

Examining the text of the message, we notice right away that the sender's address, <infos(at)maildc1519218346(dot)mihandns(dot)com>, is not on Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui per convalidare (Click here to validate) is redirected to an anomalous web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data and use it for criminal purposes.
 

19 April 2022 ==> Phishing Webmail

«SUBJECT: <File recommendation Statement>

This phishing attempt aims to steal the mailbox access password.

(Image: the fake email from the "email account administrator", which tries to induce the recipient to click the links so that the account login credentials can be stolen.)
The message informs the user that a file has been shared with them and gives the file name <**** recommendation Statement.pdf>. To retrieve the file, the user must click on the following link:

Open

Examining the email, we notice that the message, with its concise and bare textual layout, comes from a misleading sender address that mimics the address of Dropbox (the file hosting, cloud storage and file synchronization service): <noreply(at)dropbox(dot)com>. Note that the visible From address is the easiest part of a message to forge; whether dropbox.com actually sent it is shown by the SPF/DKIM/DMARC results that the receiving mail server records in the Authentication-Results header, not by the address itself.

Anyone who unluckily clicks on the link Open is redirected to a web page that has nothing to do with Dropbox's website and has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data and use it for criminal purposes.

13 April 2022 ==> Phishing Aruba "Avviso di sospensione dell'account" (Account suspension notice)

«SUBJECT: < Avviso di sospensione dell'account > (Account suspension notice)

Here we find another phishing attempt coming as a false communication from Aruba.

(Image: the fake Aruba email reporting an error in the web service that may lead to account suspension... which is in fact a SCAM!)
The message informs the recipient that an error has been detected in the Aruba web service and that some incoming emails have been put on hold by the Aruba server system.

The user is then urged to immediately reset the Aruba account to avoid permanent restrictions and view incoming emails, via the following link:

Clicca qui per convalidare (Click here to validate)

Clearly, Aruba, the well-known web hosting, e-mail and domain registration company, has nothing to do with the mass sending of these e-mails, which are outright scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.

Examining the text of the message, we notice right away that the sender's address, <info(at)maildc1519219286(dot)mihandns(dot)com>, is not on Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui per convalidare (Click here to validate) is redirected to a web page that has nothing to do with Aruba's mail service.
 
(Image: the fake Aruba website, which imitates the email account login page in order to steal the login credentials.)
The image shows a form prompting you to enter your username and password to access your e-mail account.
At a glance, however, we notice that the login page is hosted on an anomalous address/domain:

https[:]//webmail-aruba080authnhgtsfvabsnakisuhaystagfsrwtagfsvbnakjiuysg...
 
If you enter your data in this FORM to "verify" or "confirm" them, they are sent to a remote server and used by cyber-crooks, with all the associated, easily imaginable, risks.


06 April 2022 ==> Phishing Account di Posta elettronica (Email Account)

«SUBJECT:<AVVISO: lo spazio di archiviazione delle cassette postali ha raggiunto il limite critico...> (NOTICE: Mailbox storage space has reached critical limit.)

Here is another phishing attempt aimed at stealing the victim's mailbox credentials.

(Image: the fake email from the "email account administrator", which tries to induce the recipient to click the links so that the account login credentials can be stolen.)
The message notifies the user that the mail storage space is almost full and invites them to click on the following link to receive an additional 15GB:

ATTIVA  (ACTIVATE)

Examining the email, we notice that it comes from an address, <scanner(at)vodafonedsl(dot)it>, that cannot be traced to any email provider and clearly does not belong to the recipient's domain. A storage notice for your mailbox that does not come from your own mail provider is anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link ATTIVA (ACTIVATE) is redirected to an anomalous web page. As the image below shows, an authentication form appears asking you to enter the mailbox password.

(Image: the fake email account website, which tries to steal the account login credentials.)
The page is very bare, with no information at all, in particular about the e-mail provider.
At a glance we notice above all that the login page has an anomalous address/domain.
In the image we can see that the page hosting the authentication form is:

https[:]//rwlogisticalcorp[.]com/Web[-]do[-]Valibator...
 
If you enter your data in this FORM to "verify" or "confirm" them, they are sent to a remote server and used by cyber-crooks, with all the associated, easily imaginable, risks.
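The two checks this article keeps coming back to, for every case from the 6 April "email account" notice to the Aruba and Dropbox lures, are mechanical: the sender's domain does not belong to the brand named in the message (or, for a generic "your mailbox" notice, to the recipient's own mail provider), and the link in the message points to a host that does not belong to that domain either. The script below automates both. It is an added example written for this article, not code from TG Soft or from any provider named on the page, and it uses only the Python standard library. The sample messages are constructed to mirror the April cases: the sender addresses and the rwlogisticalcorp[.]com host are taken from the page, while the other link hosts, every URL path, the recipient domain example.it, the Authentication-Results header values and the BRAND_DOMAINS allowlist are assumptions made for the demonstration. For the Dropbox case, where the visible From address itself imitates dropbox.com, the script also reads the DMARC verdict that the receiving mail server records in the Authentication-Results header (RFC 8601), because the visible sender alone proves nothing.

```python
"""Heuristic triage of two phishing traits: off-domain sender, off-domain link.
Added example for this article, not TG Soft code. Standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION: illustrative allowlist of the domains a brand's genuine mail and
# login pages live on. Not an authoritative inventory of Aruba's or Dropbox's
# infrastructure; in production derive it from the provider's published
# SPF/DKIM records and known web properties.
BRAND_DOMAINS = {
    "aruba": {"aruba.it"},
    "dropbox": {"dropbox.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain(addr):
    """Lower-cased domain part of an RFC 5322 address ('' if unparsable)."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def _in_domain(host, allowed):
    """True if host equals one of the allowed domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def _dmarc_result(msg):
    """dmarc= verdict recorded by the receiving MX (RFC 8601), or None."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(value))
        if m:
            return m.group(1).lower()
    return None


def triage(raw):
    """Return sender domain, detected brand, DMARC verdict, link hosts, findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = _domain(msg.get("From", ""))
    recipient = _domain(msg.get("To", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    # A message written in a brand's name should come from that brand's domain;
    # a generic "your mailbox" notice should come from the recipient's own provider.
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    expected = BRAND_DOMAINS[brand] if brand else {recipient}

    findings = []
    if not _in_domain(sender, expected):
        findings.append(f"sender domain {sender!r} is not in expected {sorted(expected)}")
    dmarc = _dmarc_result(msg)
    if dmarc == "fail":  # visible From domain did not authenticate the message
        findings.append(f"DMARC failed for visible sender domain {sender!r}")
    links = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    for host in links:
        if not _in_domain(host, expected):
            findings.append(f"link host {host!r} is not in expected {sorted(expected)}")
    return {"sender": sender, "brand": brand, "dmarc": dmarc, "links": links, "findings": findings}


# Constructed samples mirroring the April 2022 cases. Sender addresses and the
# rwlogisticalcorp.com host come from the article; the other hosts, all paths,
# the recipient domain and the Authentication-Results values are assumptions.
ARUBA_SAMPLE = """\
From: infos@maildc1519218346.mihandns.com
To: utente@example.it
Subject: Avviso di sospensione dell'account
Authentication-Results: mx.example.it; spf=pass smtp.mailfrom=mihandns.com; dmarc=none
Content-Type: text/plain; charset=utf-8

Aruba ha rilevato un errore nel servizio web. Clicca qui per convalidare:
https://webmail-aruba-convalida.invalid/login
"""

DROPBOX_SAMPLE = """\
From: Dropbox <noreply@dropbox.com>
To: utente@example.it
Subject: File recommendation Statement
Authentication-Results: mx.example.it; spf=fail smtp.mailfrom=dropbox.com; dmarc=fail header.from=dropbox.com
Content-Type: text/plain; charset=utf-8

Dropbox: a file has been shared with you (recommendation Statement.pdf).
Open: https://files-share.example.net/open
"""

MAILBOX_SAMPLE = """\
From: scanner@vodafonedsl.it
To: utente@example.it
Subject: AVVISO: lo spazio di archiviazione delle cassette postali ha raggiunto il limite critico
Authentication-Results: mx.example.it; spf=softfail smtp.mailfrom=vodafonedsl.it; dmarc=none
Content-Type: text/plain; charset=utf-8

ATTIVA 15GB aggiuntivi: https://rwlogisticalcorp.com/attiva
"""

GENUINE_SAMPLE = """\
From: postmaster@example.it
To: utente@example.it
Subject: Quota casella di posta
Authentication-Results: mx.example.it; spf=pass smtp.mailfrom=example.it; dmarc=pass header.from=example.it
Content-Type: text/plain; charset=utf-8

La tua casella ha quasi raggiunto il limite: https://webmail.example.it/quota
"""

if __name__ == "__main__":
    for name, raw in [("aruba", ARUBA_SAMPLE), ("dropbox", DROPBOX_SAMPLE),
                      ("mailbox", MAILBOX_SAMPLE), ("genuine", GENUINE_SAMPLE)]:
        print(f"{name}: {triage(raw)['findings'] or ['no findings']}")
```

Run the file directly to print the findings for each sample; triage() returns a plain dict so the same logic can sit in a mail filter or a SOC playbook that takes a raw .eml. The allowlist approach deliberately treats any unexpected domain as suspect rather than trying to enumerate bad ones, since, as the campaigns above show, the phishing hosts change from week to week while the brands being imitated stay the same.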

A little attention and a quick look can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: although they use familiar and not particularly sophisticated approach techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunates will fall for them.
 
We invite you to check the following articles on phishing techniques for more details:

08/03/2022 17:08 - Phishing: the most common credential theft attempts in March 2022
03/02/2022 16:25 - Phishing: the most common credential theft attempts in February 2022
04/01/2022 09:13 - Phishing: the most common credential theft attempts in January 2022
03/12/2021 15:57 - Phishing: the most common credential theft attempts in December 2021
04/11/2021 09:33 - Phishing: the most common credential theft attempts in November 2021
07/10/2021 14:38 - Phishing: the most common credential theft attempts in October 2021
10/09/2021 15:58 - Phishing: the most common credential theft attempts in September 2021
05/08/2021 18:09 - Phishing: the most common credential theft attempts in August 2021
01/07/2021 15:58 - Phishing: the most common credential theft attempts in July 2021
07/06/2021 16:44 - Phishing: the most common credential theft attempts in June 2021
12/05/2021 12:38 - Phishing: the most common credential theft attempts in May 2021
06/04/2021 10:55 - Phishing: the most common credential theft attempts in April 2021

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, we recommend installing Vir.IT eXplorer Lite (FREE Edition) alongside the antivirus already in use, to increase the security of your computers, PCs and servers.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates and no time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security product already present on PCs and servers. We recommend using it as a supplement to the antivirus already in use: it does not conflict with it or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, also removes most of the viruses/malware actually in circulation or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis, so that Vir.IT eXplorer PRO can be updated;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software can report new-generation viruses/malware that have set themselves to run automatically, and send the reported files to TG Soft's C.R.A.M.;
  • Vir.IT eXplorer Lite can be downloaded from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from malware intrusions and other unwanted threats, and helps the user safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website: https://www.tgsoft.it/italy/ordine_step_1.asp

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians and everyone who has sent or reported material attributable to phishing activities to our Research Center, allowing us to make this information as complete as possible.

Special thanks to Mr. Marco Mira for his active cooperation in sending us material for analysis.


How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit material to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspicious email can be forwarded directly from the recipient's mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject.
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file outside the e-mail program in use. The resulting file must then be uploaded from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted material, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware; or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware/Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

 

Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always cited explicitly as "Source: CRAM by TG Soft www.tgsoft.it", with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement will be appreciated: "Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]"

Vir.IT eXplorer PRO is certified by the leading international organisations: