PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in  May 2022:

24/05/2022 => Aruba
18/05/2022 => DHL
17/05/2022 => cPanel
12/05/2022 => Aruba - Un nuovo file condiviso (New shared file)
10/05/2022 => Aruba - Caratteristiche di sicurezza dell'accounts (Account security features)
01/05/2022 => Smishing GreenPass

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassle and headache...

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

May 24, 2022 ==> Phishing Aruba

«SUBJECT: <Ci sono (2) messaggi non consegnati, per favore risolvi!> (There are (2) undelivered messages, please fix!)

Here is a phishing attempt, coming as a false communication from Aruba, that aimes to steal the victim's inbox

The message warns the user about 2 pending messages that cannot be delivered to the mailbox.
A .pdf document is sent as an attachment that seems to contain the undelivered messages. It then prompts the user to open the attached file:

Guarda i messaggi.pdf (Watch the messages.pdf)

Examining the email, we notice right away that the sender's e-mail address <Michael(dot)thiemann(at)mytng(dot)de>, is not from Aruba's official domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who clicks on the Guarda i messaggi.pdf attachment (Watch the messages.pdf),  will be given instructions to retrive the outstanding messages.
 
From the side image you are requested to retrieve the pending message in a timely manner, or to allow 72 hours to restore the messages, through the following link:

Clicca qui per recuperare il messaggio  (Click here to retrieve the message)

If you enter your data on the deceptive PAGE / WEBSITE that has already been reported, to log in, this data will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.

May 18, 2022 ==> Phishing DHL

«SUBJECT: <Your package CH497586134 is waiting for delivery.>

We examine below a phishing attack that uses a fake communication from the DHL company .

In this case the email is in English and invites the recipient to confirm the payment (CHF 1.99,) to complete the delivery of his package CH497586134. The online confirmation must be done within the next 14 days, before the deadline.
He is then requested to click on the following link to pay for the delivery:

CH497586134

May 17, 2022 ==> Phishing cPanel

«SUBJECT: <You have (1) new document file shared with you via cPanel iCloud.>

Below we examine a new phishing attempt that comes as a false communication from cPanel (graphical control panel to manage and administer websites and web hosting).

The message, in English, notifies the user that a document has been shared via cPanel iCloud sharepoint. It, then, requests the user to click on the attached document to view the file:

View Shared File

Clearly the website management, administration and web hosting company cPanel,  is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <heinz(dot)schulze(at)mytng(dot)de>, is not from cPanel's official domain.

Anyone who clicks on the View Shared File attachment will be requested to log into his cPanel account to view the attached file.

May 12, 2022 ==> Phishing Account di Posta elettronica (Email Account)

«SUBJECT: <Un nuovo file di documento condiviso con te tramite Aruba iCloud> (A new document file shared with you via Aruba iCloud)

Here another phishing attempt, which comes as a false communication from Aruba, aimed to steal the victim's inbox.

The message notifies the user that a document has been shared via Aruba iCloud SharePoint.
It then invites the victim to click on the attached document to view the file, asking to open the attached file:

Visualizza file condiviso.pdf (View shared file.pdf)

Examining the email, we observe that the message comes from an email address not traceable to any email provider <heinz(dot)schulze(at)mytng(dot)de> and clearly it is not from the recipient's email server. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Visualizza file condiviso.pdf (View shared file.pdf) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.

May 10, 2022 ==> Phishing Account di Posta elettronica (Email Account)

«OSUBJECT:<Caratteristiche di sicurezza dell'accounts> (Account security features)

This month again we find the following phishing attempt, aimed to steal the mailbox of the victim.

The message notifies the user an error in the web service and that, therefore, some incoming emails have been put on hold by the Aruba server system. It then invites the user to reset the account to avoid permanent restrictions, through the following link:

Clicca per convalidare   (Click to validate)

Examining the emai, we see that the message comes from an email address not traceable to any email provider <heinz(dot)schulze(at)mytng(dot)de> and clearly it is not from the recipient's email server. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Clicca per convalidare (Click to validate). will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.

01 May ==> Smishing GreenPass

May opens with a new Green Pass themed smishing attempt.

The scam comes via a text message, seemingly from the Ministry of Health, and informs the user that his Covid-19 certification has been revoked.
Textually, the message states the following:
''La sua Certificazione Covid-19 è stata revocata.
Visiti www[.]certrevocata19[.]byethost5[.]com per riattivarla subito.''
(Your Covid-19 Certification has been revoked.
Visit www[.]certrevocata19[.]byethost5[.]com to reactivate it immediately)

The counterfeit sms uses as a bait the topical Green Pass, to seize the recipient's personal data. In fact  the victim, worried about the sms received, could click on the reported link to reactivate, as soon as possible, his Covid-19 Certification.
Obviouslt's intuitive that the Green Pass revocation can't be done by simple ''manual'' procedure (entering our personal data on an authentication form), since it is issued following a positive molecular swab, and is cancelled following the first rapid antigenic or negative molecular swab, within 24 hours of the outcome.
Moreover, the reported link

www[.]certrevocata19[.]byethost5[.]com

is definitely suspect and not traceable to the Ministry of Health at all.
 
In any case, clicking on the proposed link, we are redirected to an application form, as shown in the side images.
At first, the form requires the user to enter first and last name as identifying data. Despite the presence of the Ministry of Health logo, the web page is hosted on an entirely different domain.
To complete the reactivation request, however, it is requested to attach, in addition to the victim's ID, even photo of his face ... a definitely  dubious request.
To conclude, we would like to underline that no public and institutional authority requests personal data through texting or emailing.
We also point out that these phishing/smishing campaigns, since they are real scams aimed at stealing your sensitive data, have already been promptly reported by the relevant authorities on their sites and  official social channels, which we invite you to consult.