02/05/2022
11:06

Phishing: the most common credential and/or data theft attempts in May 2022...


Find out which phishing attempts are the most common ones you might encounter and, with a little attention, also avoid

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in May 2022:

24/05/2022 => Aruba
18/05/2022 => DHL
17/05/2022 => cPanel
12/05/2022 => Aruba - Un nuovo file condiviso (New shared file)
10/05/2022 => Aruba - Caratteristiche di sicurezza dell'accounts (Account security features)
01/05/2022 => Smishing GreenPass

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

May 24, 2022 ==> Phishing Aruba

SUBJECT: <Ci sono (2) messaggi non consegnati, per favore risolvi!> (There are (2) undelivered messages, please fix!)

Here is a phishing attempt, coming as a false communication from Aruba, that aims to steal the victim's inbox.
Image: the fake e-mail from the e-mail account administrator, which tries to get the recipient to click on the attachment in order to steal the account login credentials.

The message warns the user about 2 pending messages that cannot be delivered to the mailbox.
A .pdf document is sent as an attachment that seems to contain the undelivered messages. It then prompts the user to open the attached file:

Guarda i messaggi.pdf (Watch the messages.pdf)

Examining the email, we notice right away that the sender's e-mail address <Michael(dot)thiemann(at)mytng(dot)de>, is not from Aruba's official domain. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who clicks on the Guarda i messaggi.pdf attachment (Watch the messages.pdf) will be given instructions to retrieve the outstanding messages.
 
Image: the fake Aruba website, which mimics the e-mail account login page in order to steal the login credentials.
As shown in the side image, you are asked to retrieve the pending message promptly, or else to allow 72 hours to restore the messages, through the following link:

Clicca qui per recuperare il messaggio  (Click here to retrieve the message)

If, in order to log in, you enter your data on the deceptive PAGE/WEBSITE, which has already been reported, this data will be sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.


May 18, 2022 ==> Phishing DHL

SUBJECT: <Your package CH497586134 is waiting for delivery.>

Image: the fake DHL e-mail, which tries to get the recipient to click on the links in order to steal the password of their mailbox.
We examine below a phishing attack that uses a fake communication from the DHL company.

In this case the email is in English and invites the recipient to confirm the payment (CHF 1.99) to complete the delivery of package CH497586134. The online confirmation must be done within the next 14 days, before the deadline.
The recipient is then requested to click on the following link to pay for the delivery:

CH497586134

At an initial analysis, we notice right away that the sender address <server1(at)smp(dot)com(dot)sg> is not at all traceable to DHL. Furthermore, the message is very generic and does not contain any reference to either the recipient or the supposed shipment. Moreover, a small sum is requested as the pretext for stealing sensitive data.
The unsuspecting recipient who, unfortunately, clicks on the link:

CH497586134

will be redirected to a WEB page which has nothing to do with DHL's site, but which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data in order to use it for illegal purposes.


May 17, 2022 ==> Phishing cPanel

SUBJECT: <You have (1) new document file shared with you via cPanel iCloud.>

Below we examine a new phishing attempt that comes as a false communication from cPanel (graphical control panel to manage and administer websites and web hosting).

Image: the fake cPanel e-mail that tries to steal the e-mail account credentials.
The message, in English, notifies the user that a document has been shared via cPanel iCloud SharePoint. It then requests the user to click on the attached document to view the file:

View Shared File

Clearly the website management, administration and web hosting company cPanel is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <heinz(dot)schulze(at)mytng(dot)de>, is not from cPanel's official domain.

Anyone who clicks on the View Shared File attachment will be requested to log into his cPanel account to view the attached file.
 
Image: the fake Aruba website, which mimics the e-mail account login page in order to steal the login credentials.
In the side image you are required to enter your cPanel account login and password after clicking on the following link:

Access Document

If, in order to log in, you enter your data on the deceptive PAGE/WEBSITE, which has already been reported, this data will be sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.


May 12, 2022 ==> Phishing Account di Posta elettronica (Email Account)

SUBJECT: <Un nuovo file di documento condiviso con te tramite Aruba iCloud> (A new document file shared with you via Aruba iCloud)

Here is another phishing attempt, which comes as a false communication from Aruba, aimed at stealing the victim's inbox.
Image: the fake e-mail from the e-mail account administrator, which tries to get the recipient to click on the attachment in order to steal the account login credentials.
The message notifies the user that a document has been shared via Aruba iCloud SharePoint.
It then invites the victim to open the attached document to view the file:

Visualizza file condiviso.pdf (View shared file.pdf)

Examining the email, we observe that the message comes from an email address not traceable to any email provider <heinz(dot)schulze(at)mytng(dot)de> and clearly it is not from the recipient's email server. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Visualizza file condiviso.pdf (View shared file.pdf) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data in order to use it for illegal purposes.



May 10, 2022 ==> Phishing Account di Posta elettronica (Email Account)

SUBJECT: <Caratteristiche di sicurezza dell'accounts> (Account security features)

This month again we find the following phishing attempt, aimed at stealing the victim's mailbox.

Image: the fake e-mail from the e-mail account administrator, which tries to get the recipient to click on the links in order to steal the account login credentials.
The message notifies the user of an error in the web service and that, therefore, some incoming emails have been put on hold by the Aruba server system. It then invites the user to reset the account to avoid permanent restrictions, through the following link:

Clicca per convalidare   (Click to validate)

Examining the email, we see that the message comes from an email address not traceable to any email provider <heinz(dot)schulze(at)mytng(dot)de> and clearly it is not from the recipient's email server. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link Clicca per convalidare (Click to validate) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data in order to use it for illegal purposes.
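The first check applied to every e-mail sample above, "does the sender's domain belong to the brand the message claims to come from?", as a small triage function. This is an added example, not TG Soft's code; the per-brand list of official domains is an assumption for illustration, and the samples are constructed from the addresses and subjects quoted in this write-up.

```python
from email.utils import parseaddr

# Assumed official domains per impersonated brand (hypothetical allow-list, not from the page).
OFFICIAL_DOMAINS = {
    "aruba": ("aruba.it",),
    "dhl": ("dhl.com",),
    "cpanel": ("cpanel.net",),
}

def refang(text):
    """Undo the (at)/(dot) defanging used in the write-up so addresses parse normally."""
    return text.replace("(at)", "@").replace("(dot)", ".")

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(refang(from_header))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def claimed_brand(subject, body):
    """Guess which brand the message impersonates from keywords in subject and body."""
    text = f"{subject} {body}".lower()
    for brand in OFFICIAL_DOMAINS:
        if brand in text:
            return brand
    return None

def triage(from_header, subject, body):
    """Return (brand, verdict, reason); verdict is 'suspicious', 'consistent' or 'unknown'."""
    brand = claimed_brand(subject, body)
    domain = sender_domain(from_header)
    if brand is None:
        return (None, "unknown", "no known brand referenced")
    allowed = OFFICIAL_DOMAINS[brand]
    if any(domain == d or domain.endswith("." + d) for d in allowed):
        return (brand, "consistent", f"sender domain {domain!r} is an official {brand} domain")
    return (brand, "suspicious", f"sender domain {domain!r} is not an official {brand} domain")

# Constructed samples modelled on the May 2022 messages described above
# (From header, subject, body excerpt); the last one is a constructed legitimate-looking case.
SAMPLES = [
    ("Michael(dot)thiemann(at)mytng(dot)de", "Ci sono (2) messaggi non consegnati, per favore risolvi!", "Aruba: Guarda i messaggi.pdf"),
    ("server1(at)smp(dot)com(dot)sg", "Your package CH497586134 is waiting for delivery.", "DHL delivery fee CHF 1.99"),
    ("heinz(dot)schulze(at)mytng(dot)de", "You have (1) new document file shared with you via cPanel iCloud.", "View Shared File"),
    ("noreply@aruba.it", "Promemoria rinnovo", "Il tuo servizio Aruba scade tra 30 giorni"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(*sample))
```

A real mail gateway would also verify SPF/DKIM/DMARC results, but the domain comparison alone already flags all three sender addresses quoted in this month's samples.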


May 1, 2022 ==> Smishing GreenPass

May opens with a new Green Pass themed smishing attempt.

Image: the new GreenPass-themed smishing campaign.
The scam comes via a text message, seemingly from the Ministry of Health, and informs the user that his Covid-19 certification has been revoked.
Textually, the message states the following:
''La sua Certificazione Covid-19 è stata revocata.
Visiti www[.]certrevocata19[.]byethost5[.]com per riattivarla subito.''
(Your Covid-19 Certification has been revoked.
Visit www[.]certrevocata19[.]byethost5[.]com to reactivate it immediately)


The counterfeit SMS uses the topical Green Pass as bait to seize the recipient's personal data. In fact the victim, worried about the SMS received, could click on the reported link to reactivate, as soon as possible, their Covid-19 Certification.
Obviously it is intuitive that the Green Pass revocation cannot be handled by a simple ''manual'' procedure (entering our personal data on an authentication form), since it is issued following a positive molecular swab and is cancelled following the first negative rapid antigen or molecular swab, within 24 hours of the result.
Moreover, the reported link

www[.]certrevocata19[.]byethost5[.]com

is definitely suspect and not traceable to the Ministry of Health at all.
 
Image: the authentication form where sensitive data is requested for the GreenPass reactivation. It is a SCAM!
In any case, clicking on the proposed link, we are redirected to an application form, as shown in the side images.
At first, the form requires the user to enter first and last name as identifying data. Despite the presence of the Ministry of Health logo, the web page is hosted on an entirely different domain.
To complete the reactivation request, however, it is requested to attach, in addition to the victim's ID, even a photo of their face... a definitely dubious request.
To conclude, we would like to underline that no public and institutional authority requests personal data through texting or emailing.
We also point out that these phishing/smishing campaigns, since they are real scams aimed at stealing your sensitive data, have already been promptly reported by the relevant authorities on their sites and official social channels, which we invite you to consult.

A little attention and a keen eye can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, more than a few unfortunates will in all likelihood be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

06/04/2022 16:51 - Phishing: the most common credential theft attempts in April 2022
08/03/2022 17:08 - Phishing: the most common credential theft attempts in March 2022
03/02/2022 16:25 - Phishing: the most common credential theft attempts in February 2022
04/01/2022 09:13 - Phishing: the most common credential theft attempts in January 2022
03/12/2021 15:57 - Phishing: the most common credential theft attempts in December 2021
04/11/2021 09:33 - Phishing: the most common credential theft attempts in November 2021
07/10/2021 14:38 - Phishing: the most common credential theft attempts in October 2021
10/09/2021 15:58 - Phishing: the most common credential theft attempts in September 2021
05/08/2021 18:09 - Phishing: the most common credential theft attempts in August 2021
01/07/2021 15:58 - Phishing: the most common credential theft attempts in July 2021
07/06/2021 16:44 - Phishing: the most common credential theft attempts in June 2021
12/05/2021 12:38 - Phishing: the most common credential theft attempts in May 2021

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite
has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but allows you to significantly increase security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to automatically report any new-generation viruses/malware that have set in and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

Image: VirIT Mobile Security, TG Soft's Anti-Malware for Android™.
TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website: https://www.tgsoft.it/italy/ordine_step_1.asp

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.



How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail to the following address, lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject "Possible phishing page to verify" or "Possible Malware to verify", as appropriate.
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: