PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in August 2022:

31/08/2022 => Account Posta Elettronica (Email Account)
29/08/2022 => Aruba iCloud
26/08/2022 => Nexi Smishing
22/08/2022 => Comfort e pulizia in casa  (Home comfort and cleanliness)- Dyson V11
22/08/2022 => SCAM - Donazione (Donation)
18/08/2022 => SumUp
17/08/2022 => Aruba - Disattivazione casella e-mail (Mailbox deactivation)
16/08/2022 => SCAM - CONVOCAZIONE GIUDIZIARIA (SUMMONS)
16/08/2022 => Texas Roadhouse
15/08/2022 => Target Shopper
10/08/2022 => Banco Mediolanum
09/08/2022 => Account di posta (Email Account)
08/08/2022 => Aruba - Dominio scaduto (Expired domain)
05/08/2022 => Aruba - Dominio scaduto (Expired domain)
05/08/2022 => Aruba - Recupera i messaggi (Retrieve messages)
04/08/2022 => SCAM - INTERPOL
04/08/2022 => Aruba CloudFlare
03/08/2022 => Spedizione in attesa (Pending shipment)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassle and headache..

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

August 31, 2022 ==> Phishing Account di posta (Email Account) - Syncing Error

«SUBJECT: < Re: Syncing Error - (6) Incoming failed mail. >

We examine below the phishing attempt aimed at stealing the victim's inbox.

The message, in English, notifies the recipient that he has 6 new incoming messages with the subject line: "Re:Balance Payment as of 8/31/2022 5:10:45 a.m.", which have been blocked, since considered as Spam. The victim, then, can view his e-mails by clicking on the following link and logging in to his account:

View Emails

When we examine the email, we notice that the message comes from an email address not traceable to any email provider <noreply(at)cpanel(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link View Emails will be redirected to an anomalous WEB page.

As we can see from the side image, clicking the link, we are directed to a web page that mimics reasonably well the official Gmail's site. The simulation is mainly obtained through the graphic devices used, that can mislead the user.
The account management access page is hosted on an anomalous address/domain, which we report below:

https[:]//accounts[.]google[.]com/v3/signin/identifier...

If you enter your Gmail account login information on this FORM, to log in to your mail account, it will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

August 29, 2022 ==> Phishing Aruba iCloud

«SUBJECT: < Hai ricevuto un documento condiviso per le imprese tramite iCloud Aruba.it > (You  received a shared document for business through iCloud Aruba.com.)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that a new shared document is available through Aruba iCloud. It then invites the user to view the PDF file through the following link:

Visualizza PDF in linea (View PDF online)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <customercares(at)icloud(dot)com>, is not from Aruba's official domain.
 
Anyone who unluckily clicks on the link Visualizza PDF in linea,  (View PDF online) will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 26, 2022==> Smishing Nexi

We examine below a new smishing attempt behind a fake text message from Nexi.

August 22, 2022==> Phishing Comfort e pulizia in casa (Home comfort and cleanliness)

Below is a phishing attempt, hiding behind a fake post, that brags about the chance to win a Dyson V11 vacuum cleaner at a very tempting price...clearly it is a FRAUD!

The message, which we reproduce on the side, informs the victim, that due to a shipment confiscation of Dyson V11 vacuum cleaners destined for the Lidl chain in Italy, the well-known appliance - that has a much higher value - is available at the incredible price of 1.95 euros.

Examining the advertisement post, we notice right away that the image depicting the discounted vacuum cleaner - intended for the Lidl chain - may be misleading as the well-known logo of the Lidl supermarket chain was used. However, with more attention, we can see that the other products depicted are not Lidl's usual products.


Anyone who clicks on the link will be redirected to a web page, where the payment of the small sum of Euro 1.95 is required for a chance to win the fantastic Dyson V11...

To make the message more trustworthy, at the bottom of the post there are several users' comments who apparently received their Dyson V11 - paying the small sum of Euro 1.95 - directly at home! The comments also include pictures depicting the actual receipt of the appliance.

Surely if so many users have been lucky why not try your luck? In any case, the amount required is really small....
Instead, the purpose of the cyber criminals is just to induce the user to enter his sensitive data and credit card details requested for payment!
Anyway we can see that among the various comments, some users recognize in this post a real attempt of FRAUD!

To conclude, we always urge you to be wary of advertisements/promotional messages that brag about "giving away" valuables, and avoid clicking on suspicious links which could lead to a counterfeit site, putting your most valuable data in the hands of cyber crooks for their use and profit.

August 22, 2022 ==> SCAM Donazione (Donation)

Below is a SCAM attempt. This is a fraud attempt aimed at stealing or transferring large sums of money through false communication by the scammer.

The message informs the recipient that he has been selected as one of the lucky winners of a donation worth $100,800,000.00. The message would appear to come from Ms. "MacKenzie Scott Former wife of the CEO and founder of Amazon" , the benevolent creator of this initiative that is donating $4 billion to charities, to "provide support to people suffering economically from the COVID-19 pandemic."
He then invites the victim to write to the address listed <stv(at)kyiv(dot)npu(dot)gov(dot)ua> for more information.

Clearly, this is a scam attempt for the purpose to transfer large sums of money... the goal of cyber criminals undoubtedly remains to get hold of your data in order to use them for illegal purposes...

August 18, 2022 ==> Phishing SumUp

SUBJECT:  <L'applicazione SumUp, nuovo aggiornamento> ; <Nuovo aggiornamento#035742>  (The SumUp application, new update); (New Update#03574)

Below is a new phishing attempt, hidden behind a false communication from SumUp, the "POS Mobile" payments software that enables to pay using your smartphone or tablet.

On the side we can see 2 examples of phishing. In both cases, the message informs the recipient that he needs to update his contact information (E-mail and/or Mobile Number) by logging into their SumUp's account. It then says that the update operation is not available in the mobile version, but it's necessary to use the following links (we observe that the link proposed in the second image is in German):

Il Mio Account (My ccount)

Mein Konto

At first we notice that the text of the email is very generic and thin. Furthermore, the alert email comes from an email address <hello(at)announcement(dot)deliveroo(dot)it> that is clearly not from the official SumUp's domain.

Anyone who unluckily clicks on the link: Il Mio Account (My ccount) or Mein Konto will be redirected to an anomalous WEB page, which has nothing to do with the official SumUp's site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 17, 2022 ==> Phishing Aruba "Disattivazione casella e-mail" (Mailbox deactivation)

«SUBJECT:  < Disattivazione casella e-mail per scadenza dominio. > (Mailbox deactivation due to domain expiration)

Here is another phishing attempt, that comes as a false communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will expire on 18/08/2022.  If the domain is not renewed by that date, it will be deactivated togheter with all associated services - including mailboxes - so it won't be possible to send and receive messages It then invites the user to renew the domain through the following link:

https[:]//hosting[.]aгuba[.]it/rinnovare-un-dominio/modalita-di-rinnovo/rinnovo-standard[.]aspx

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <postmaster(at)sidexpress(dot)com>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link https[:]//hosting[.]aгuba[.]it/rinnovare-un-dominio/modalita-di-rinnovo/rinnovo-standard[.]aspx will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes

August 16, 2022 ==> SCAM - CONVOCAZIONE GIUDIZIARIA (SUMMONS)

«SUBJECT: <Rapporto _n.1700998 del 16/08/2022/ Re: ACCUSA!> (Report _n.1700998 of 16/08/2022/ Re: ACCUSATION!)

Below is another SCAM attempt dealing with a false child pornography complaint, that comes via email allegedly from "Mr. LAMBERTO GIANNINI elected to the presidency of Europol, commissioner general of the State Police, head of the child protection brigade
(BPM)".

The message that comes through a very suspicious email  <gianninilamberto20(at)gmail(dot)com>, notifies the victim that a complaint has been received against him for "activity via your Internet connection" and invites him to open the following .pdf attachment: <MANDATO-PJ2022 1 1>. When we open the attachment, which we see below, we notice that it is set up in a graphically deceptive manner, and seems to be signed by "Mr. LAMBERTO GIANNINI, Director General of the State Police." The complaint subject of the message, seems to refer to a case of child pornography, pornographic sites, cyberpornography, pedophilia, and exhibitionism uncovered following a computer seizure.

August 15, 2022 ==> Phishing Target Shopper

SUBJECT: <Congratulations! You can get a $50 Target gift card!>

This new phishing attempt pretends to be a communication from Target Shopper, a shopper marketing agency.

The message, in English, informs the recipient that he has been selected among the participants, in the monthly promotion, for a chance to win a Gift Card worth $50.
It then invites the user to participate, via the following link:

Click here to get started

At first we notice that the text of the email is very generic and thin. Furthermore, the alert email comes from an email address <TargetOpinionRequested(at)ikeasurvey(dot)za(dot)com> that is clearly not from the official Target Shopper's domain.

Anyone who unluckily clicks on the link Click here to get started will be redirected to an anomalous WEB page, which has nothing to do with the official Target Shopper's site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 10, 2022 ==> Phishing Banco Mediolanum

SUBJECT: <Necessarie nuove misure di sicurezza.!!>  (New security measures needed.!!!)

This new phishing attempt pretends to be a communication from Banco Mediolanum.

The message informs the recipient that, due to new security measures, if he does not update all online services linked to their Banco Mediolanum account, they could be disabled.
It then invites the user to update his Banco Mediolanum account, via the following link:

https//bancamediolanum[.]it/ecm2022/?login=true

At first, we notice that the text of the email is very generic and lacks information about the account holder. Moreover, the alert email comes from an email address <supportMediolanum(at)studiowittenau(dot)nl> that is clearly not from Banco Mediolanum's official domain. However, the cybercrook had the graphic trick to include the well-known Banco Mediolanum logo and some identifying data at the bottom, such as the VAT number.

Anyone who unluckily clicks on the link https//bancamediolanum[.]it/ecm2022/?login=true will be redirected to an anomalous WEB page, which has nothing to do with the official  Banco Mediolanum's site, but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 09, 2022 ==> Phishing Account di posta (Email Account)

«SUBJECT: < Email Verification Update To Avoid Shut Down >

We examine below the phishing attempt aimed at stealing the mailbox of the victim.

The message, in English, informs the recipient that it is necessary to verify his mail account, following a system update, to avoid a shutdown. It then invites the victim to confirm his data, via the following link:

View Pending Messages In Mail Saver.

Examining the email, we notice that the message comes from an email address not  traceable to any email provider <noreply(at)cpanel(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link View Pending Messages In Mail Saver.  will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 08, 2022 ==> Phishing Aruba - Dominio scaduto (Expired domain)

«SUBJECT:< Aruba.it : Notifica nuovo messaggio ❗ > (Aruba.it : New Message Notification)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will expire on 09/08/2022.  If the domain is not renewed by that date, it will be deactivated togheter with all associated services,  - including mailboxes - so it won't be possible to send and receive messages. It then invites the user to renew the domain through the following link:


Clicca qui (Click here)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient

Examining the text of the message, we notice right away that the sender's e-mail address <supportortsuppoemupport(at)lvpik-nrw(dot)de>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link Clicca qui (Click here) will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes

August 05, 2022==> Phishing Aruba - Dominio scaduto (Expired domain)

«SUBJECT: < Il dominio è scaduto, rinnovalo ora. > (The domain has expired, renew it now.)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that his domain, hosted on Aruba, will expire on 05/08/2022.  If the domain is not renewed by that date, it will be deactivated togheter with all associated services,  - including mailboxes - so it won't be possible to send and receive messages. It then invites the user to renew the domain through the following link:

RINNOVA ORA CON UN CLICK (RENEW NOW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <support(at)robertoferretti(dot)it>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA ORA CON UN CLICK (RENEW NOW WITH A CLICK), will be redirected to an anomalous WEB page,which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 05, 2022==> Phishing Aruba

«SUBJECT: < Non è stato possibile recapitare il messaggio alla tua casella di posta, risolvilo > (The message could not be delivered to your inbox, fix it)

Here is another phishing attempt that comes as a false communication from Aruba.

The message informs the recipient that there are 2 new messages sent but not successfully delivered to his mailbox hosted on Aruba, because "Aruba has a new mailbox management policy." It then warns the user that it will take 48 hours for the system to retrieve the pending messages. However, if he wants to retrieve them sooner - to prevent them from being rejected - he can renew through the following link:

Accedi di nuovo qui per recuperare i messaggi (Login here again to retrieve your messages)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <holger(dot)reimer(at)mytng(dot)de>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link Accedi di nuovo qui per recuperare i messaggi (Login here again to retrieve your messages),  will be redirected to an anomalous WEB page. From the image below we notice that an authentication mask appears, where you are asked to enter your email and password to access your mail account.

The screen that appears is graphically deceptive in that the cyber criminal had the foresight to include the well-known Aruba logo.
At a glance we notice especially that the login page has an anomalous address/domain....
In the image we can see that the page hosting the authentication form is:

https[:]//parkapartamenty[.]pl/wp-admin/user/user[.]MyAccount[.]login[.]Aruba/Aruba...

August 04, 2022 ==> Phishing Aruba CloudFlare "Rinnovo non riuscito" (Failed renewal)

«SUBJECT: < Un documento è stato condiviso con te per motivi di lavoro tramite Aruba.it Cloudflare > (A document was shared with you for business purposes via Aruba.it Cloudflare)

Here we find again this month the following phishing attempt, that comes as a false communication from Aruba.

The message informs the recipient that a new document, shared through Aruba.it CloudFlare, is available. It then invites the user to view the PDF file through the following link:

Visualizza PDF in linea (View PDF online)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <holger(dot)reimer(at)mytng(dot)de>, is not from Aruba's official domain.

Anyone who unluckily clicks on the link Visualizza PDF in linea, (View PDF online) will be redirected to an anomalous WEB page.
From the image below, we see that you are asked to enter the password of the mailbox -subject of the scam - through an authentication mask.

The screen that appears is graphically deceptive, in that the cyber criminal had the foresight to insert images of Aruba Cloudflare.
At a glance we notice especially that the login page has an anomalous address/domain....
In the image we can see that the page hosting the authentication form is:

https[:]//ecriture-ecoute[.]fr/wp-content/webmailbeta[.]aruba[.]it/main/user/... If you enter your data on this FORM to perform verification/confirmation of your data, the data will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

August 03, 2022 ==> Phishing: Spedizione in attesa (Pending shipment)

«SUBJECT: < Re: Spedizione in attesa di conferma consegna e possibili opzioni #047-416571 > (Re: pending shipment delivery confirmation and possible options #047-416571)

Here we find again this month the phishing attempt hiding behind a false communication from the Italian Postal Service, regarding the delivery of an alleged package.

The message notifies the unsuspecting recipient that his package is awaiting delivery, and that he must confirm the delivery address within 2 days, otherwise the package will return to the sender. The tracking code <371-34632900> is given. We see that the email is graphically well laid out to make the message look more trustworthy, and is apparently from the Italian Postal Service Poste Italiane. These messages are increasingly being used to scam consumers who, imore and more, use e-commerce for their purchases.
The message then invites the user to schedule delivery through chat bott, by clicking on the following link:

AVVIA LA CHAT (start the chat)
 
The alert email comes from an email address <web(at)glesys(dot)com> that isn't from any known courier. Anyone who clicks on the link will be redirected to a web page, which graphically mimic the Track&Trace page and alerts of 1 pending message, asking the user to open it.
We notice in the side image, however, that the url address on the broswer bar, has nothing at all to do with Track&Trace's authentic domain:
https[:]//agretermco[.]com/?ud=YJAjlbHmRgf0J...

The next screen gives us information on the status of the package "Stopped at the distribution hub" and asks us to choose the mode for the new delivery, at a cost of €2.

The subsequent screen asks us how we prefer the package to be delivered: "I want it delivered to me" or "I will pick it up myself."

This is followed by 2 more questions like the previous one, where we are asked where we prefer the package to be delivered: "At home" or "At work" and when we prefer it to be delivered: "Weekdays" or "Weekends."
After selecting our preferences, we finally arrive at a new screen confirming the sending of the package, with estimated delivery in 3 days....Then you are redirected to a further page to enter your contact details and pay the €2 shipping cost. 

From the image on the side we notice that our personal information is actually requested to send the package and then the payment. As you can see, the login page is hosted on an abnormal address/domain, that clearly has nothing to do with Track&Trace...

https[:]//sitebest[.]store/c/THHFvF9?s1=102d3dfb...

The purpose of this elaborate fake email, is to induce the user to enter his personal information.
To conclude, we always urge you to be wary of any email asking for confidential data, and avoid clicking on suspicious links which could lead to a counterfeit site, difficult to distinguish from the original, thus putting your most valuable data in the hands of cyber crooks for their use and profit