PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in February 2023:

26/02/2023 => Amazon Code
23/02/2023 => Banca SELLA
22/02/2023 => Account posta elettronica (Email Account)
20/02/2023 => DHL
17/02/2023 => Aruba
16/02/2023 => BPER Banca
14/02/2023 => Lidl
14/02/2023 => Q8
10/02/2023 => Intesa Sanpaolo
09/02/2023 => Webmail
08/02/2023 => SexTortion
05/02/2023 => Mooney
04/02/2023 => Aruba
03/02/2023 => Carta YOU
01/02/2023 => Sharepoint
01/02/2023 => Account posta elettronica (Email Account)


These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassle and headache...

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

February 26, 2023 ==> Phishing Amazon CODE

«SUBJECT: < RE: account in scadenza, conferma l'iscrizione per guadagnare con Amazon > (RE: account expiring, confirm membership to earn with Amazon)

We examine below the phishing attempt from a fake Amazon  e-mail, aimed to steal the account credentials of the victim.

The message informs the recipient of a fantastic opportunity to earn from home, reserved for a select few people!!! In fact, Amazon offers the opportunity to invest and earn from home with an account reserved for a select few - including the lucky user - and warns him that the account is about to expire.

"However, since we have not received a response from you, we can no longer hold it in pending status. To use it before it is assigned to another person, we suggest you to confirm immediately"

It then invites him to confirm his account, in order to be contacted by their expert for details. To proceed, just click on the following link:

CLICCA QUI  (Click Here)

Examining the email, we see that the message comes from an email address not referable to the Amazon's domain <info(at)couponandomail(dot)ovh>. This is definitely anomalous and should be very suspicious.

Anyone who unluckily clicks on the link  CLICCA QUI (Click Here) will be redirected to an anomalous WEB page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page to which you are redirected, to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//www[.]amazoncode[.]info[.]fx-amz-code-long-it?ref=fx-....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginablerisks .

February 23, 2023 ==> Phishing Banca SELLA (SELLA Bank)

«SUBJECT: < L'applicazione Sella-BANCA, nuovo aggiornamento > (The Sella-BANK application, new update)

 We examine below the phishing attempt from a fake Banca SELLA e-mail, aimed to steal the credentials of the victim's account.

The message informs the recipient about new updates to the Terms of Service and that therefore, for security reasons, it is necessary to update his information. It then invites him to confirm his information so that his e-mail address or phone number will not be used without his consent. To proceed with the update, he will just click on the following link:

Segui i passi (Follow the steps)

Examining the email, we see that the message is from an email address not referable to the  Banca SELLA's domain <info22(at)strada-pola(dot)org>. This is definitely anomalous and should be very suspicious.

Anyone who unluckily clicks on the link  Segui i passi  (Follow the steps) will be redirected to an anomalous WEB page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page to which you are redirected, to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:


https[:]//finanziario-sella-anca-on-line[.]shopinas-hero[.]net/H4l7j5dtDh....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated risks easily imaginable.

February 22, 2023 ==> Phishing Account Posta Elettronica (Email Account)

«SUBJECT: < Your Email: **** will be blocked >

We examine below the phishing attempt that aims to steal the credentials of the victim's e-mail account.

The message, in English, informs the recipient that, due to a security update, it is necessary to update his information. It then invites him to update his information within 48h to continue using the mailbox, via the following link:

VERIFY EMAIL

Examining the email, we notice that the message comes from an email address not traceable to the server that hosts the mailbox <info(at)crossroadsrox(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

February 20, 2023 ==> Phishing DHL

«SUBJECT: < IT:EU-GB zone "Central", UnPAID DUTY>

The following is a new phishing attempt of this month, hiding behind a false communication from the DHL's service, regarding the delivery of an alleged package.

The message notifies the unsuspecting recipient that "the item owned by you has arrived at our office. However, we found that the sender did not pay the taxes for customs clearance. Therefore, the item was detained by DHL's customs handling team."  We see that the email is graphically well laid out. In fact, to make the message more trustworthy, the DHL logo was introduced. These messages are more and more used to perpetrate scams against consumers, who increasingly use e-commerce for their purchases.
The message then invites the user to pay customs clearance fees, otherwise the item will be returned to the sender. To schedule the delivery, it is necessary to click on the following link:

Rilascio della spedizione    (Shipment release)     ( (8(  

February 16, 2023 ==> Phishing BPER Banca (Bank)

«SUBJECT: <Aggiornamento di questa informativa sulla protezione dei dati!> (Update this data protection policy!)

This new phishing attempt comes as a fake e-mail from BPER Banca.

February 14, 2023 ==> Phishing LIDL

SUBJECT: < ...Hai vinto un Ninja Air Fryer > (You won a Ninja Air Fryer)

Below is a phishing attempt, hiding behind a fake communication from LIDL, that brags about a chance to win a new Ninja Air Fryer.

The message, which we quote on the side, is graphically well laid out, and looks like a must-have offer. The lucky user was selected on the supermarket chain's anniversary, to win the fantastic prize by participating in a survey.

"You have been chosen to participate in our Loyalty Program for FREE! It will only take you a minute to receive this fantastic prize."

Examining the email, we notice that the message comes from a suspicious email address <el_rhazrafi.ihs.fst(at)uhp(dot)ac(dot)ma>. This is definitely anomalous and should, at the very least, make us suspicious.


Anyone who  clicks  Fai clic per iniziare ( Click to start) will be redirected to a web page, where you are asked to participate in a short survey to win the prize, a fantastic Ninja Air Fryer.

From the screenshot shown, the site appears to be traceable to LIDL, but we can see that the page is hosted on an anomalous address/domain, which we report below:

https[:]//samplemirrors[.]com/f39bd10421cf1d...

Clicking on INIZIA IL SONDAGGIO, (START THE SURVEY) you are redirected to the next screens, where you are asked to answer 8 questions. Below are some of them ...

Question 1

Question 2

Question 3

Question 4

At the end of the survey, we finally get to a new screen that makes us select our prize, throughs the information provided as a consumer experience. The prize is the Ninja Air Frayer fryer (worth Euro 1126.39) that, for the lucky winners, is for free!!! In fact, all they need to do, is to enter their shipping address and pay the shipping cost and, in 5-7 business days, the prize will be delivered....

Then you are sent to a further page, as shown in the image below, to enter your shipping address and pay the shipping charges.


The page to which you are redirected, to enter your personal data, is hosted on an anomalous address/domain, which we report below:

https[:]//shoppersadres[.]net/c/dRBLA3b?s1=1020b211ea...

In conclusion, we always urge you to be wary of advertising/promotional messaging that brag about  "giving away" valuables, and avoid clicking on suspicious links that could lead to a counterfeit site, placing your most valuable data in the hands of cyber crooks.

14 Febbraio 2023 ==> Phishing Q8

SUBJECT: <Sfida il caro benzina e la sorte: puoi vincere 200€>  (Challenge the high cost of gasoline and fate: you can win €200)

We find again this month, the following phishing attempt, that pretends to be a communication from Q8.

The message is very impactful as it deals with a very current issue that weighs on the pockets of all Italians: the rising prices of fuel "Challenge the high price of gasoline and fate."
The message leverages the chance to win a fuel voucher worth €200 by participating in the lucky draw, through the following link:

PARTECIPA ORA (JOIN NOW)

First, we realize that the alert email comes from an email address <news(at)news.(dot)all29con99(dot)com>  clearly not from the official domain of Q8.

Anyone who unluckily clicks on the link will PARTECIPA ORA  (JOIN NOW) will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.

February 10, 2023 ==> Phishing Intesa Sanpaolo

«SUBJECT: <Sicurezza del cliente - Attiva il nuovo sistema di sicurezza> (Client security - Activate the new security system)

We find again this month the same phishing campaign as in January, coming from a fake e-mail simulating a message from Intesa Sanpaolo.

February 09, 2023==> Phishing Account Posta Elettronica (Emal Account)

«SUBJECT:< Storage Mail Notice >

We examine below the phishing attempt that aims to steal the credentials of the victim's e-mail account.

The message, in English, informs the recipient that he has reached the storage space limit of his mailbox, whose address is given. It then invites him to increase the storage space by proceeding to purchase, through the following link:

Increase Storage Limit

Examining the email, we notice that the message comes from an email address not  traceable to the server that hosts the mailbox <sales(at)t-skype(dot)life>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks Increase Storage Limit will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected, to enter your mail account credentials, is hosted on an abnormal address/domain, which we show below:

https[:]//s3[.]amazonaws[.]com/appforest_uf/f167583....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated risks easily imaginable.

February 08, 2023 ==> SexTortion

The SexTortion-themed SCAM campaign persists. The e-mail suggests that the scammer gained access to the victim's device, thus used to collect data and personal videos. He then blackmailed the user by demanding payment of a sum of money, in the form of Bitcoin, not to spread among his email and social contacts, a private video of him viewing adult sites.

The following is an extract from the text of the email on the side:

" Your system has been hacked. All the data from your device was copied to our servers. We also recorded a video from your room on which you are watching a porn movie. My virus infected your device through an adult website you recently visited. If you do not know how it works, I will share the details. The Trojan virus gives me full access and control over the device you are using. As a result, I can see the entire screen, turn on the camera and the microphone, and you will never know. I have captured a video from your screen and the device's camera and edited a video in which one part of the screen shows how you are masturbating and other part shows a pornographic video that was opened by you at that time. I can see the whole list of your contacts from the phone and all the social networks. I can send this video to all your phone, email and social networks contacts with one click. Besides, I can send to all the data from your email and messengers. That is, I can destroy your reputation forever."

Then you are asked to send 1200 USD in Bitcoin to the wallet below:"bcXXXXXXXXXXXXXXXXXXXXXX62g'. After receiving the transaction all data will be deleted, otherwise a video depicting the user, will be sent to all colleagues, friends and relatives. The victim has 50 hours to make the payment!
Examining the payments made on the wallet indicated by the cyber criminal as of 02/14/2023, there seem to be no transactions.

In such cases we always urge you:

1. not to answer these kinds of e-mails and not to open attachments or click lines containing unsafe links, and certainly NOT to send any money. You can safely ignore or delete them
2. If the criminal reports an actual password used by the user - the technique is to exploit passwords from public Leaks (compromised data theft) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.
   

05 Febbraio 2023 ==> Phishing Mooney

«SUBJECT:< Aggiornameto obbligatorio > (Mandatory update)

Again this month we find the following phishing attempt coming from a false communication from Mooney, the Italian Proximity Banking & Payments company.

The message informs the recipient that his account is suspended, due to a failed update.
It then invites him to resolve the problem by updating his account, via the following link:

Aggiornare (Update)

This time the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails. These are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
Examining the text of the message, in addition to the Logo of the company - to further mislead - there is also the email address of the sender that disguises the original one. However it is a specially created label <noreply(at)mooney(dot)it> . Let's always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks Aggiornare (Update) will be redirected to an anomalous WEB page, which has nothing to do with the official site of Mooney,  but which has already been reported as a DECEPTIVE PAGE/ WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.

February 04 and 17, 2023 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)

Below we report 2 phishing attempts that simulate messages from Aruba.


In the 2 examples above, which are very similar, the customer is notified that his domain on Aruba is about to expire, and then invites him to renew it before expiration.

In both cases, the purpose is to induce the user to click on the link in the email:

RINNOVA IL DOMINIO (RENEW THE DOMAIN).

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

To detect these phishing attempts, it is first of all necessary to examine the sender's e-mail address, which, as we can see in the 2 reported cases (<staff-aruba(at)online(dot)it> and <noreply(at)tamejida(dot)org>) do not come from Aruba's official domain.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, or for security updates, as they leverage urgency to get the user to click.

It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking to enter  your personal information (such as account username and password, or credit card number to make account renewals). If this data are entered, will be used by cyber criminals for criminal purposes.

February 03, 2023 ==> Phishing Carta YOU (YOU card)

«SUBJECT: <Un regalo a sorpresa per te! - La tua Carta YOU senza commissioni> (A surprise gift for you! - Your YOU Card with no fees)

This new phishing attempt pretends to be an e-mail from Carta YOU, which gives the opportunity to apply for a new card without any fees.

Examining the email, we see that the message is graphically well laid out, and actually seems to give the lucky recipient the opportunity to apply for his Carta YOU, by clicking on the following link:

Richiedila qui (Request it here)

To detect these phishing attempts, it is first necessary to examine the sender's e-mail address, which turns out to be very suspicious and not at all referable to Carta YOU <contacto(at)tapas-facil(dot)com>.


Anyone who unluckily clicks Richiedila qui (Request it here) will be redirected to an anomalous, graphically deceptive ,WEB page.
Then, you are asked for your personal data in order to receive your new credit card. The data entry form is hosted on an anomalous address/domain, which we report below:

https[:]//www[.]cartayou[.]it/?channel=newsletter&partnerID=....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

February 01, 2023 ==> Phishing Sharepoint

«SUBJECT: <You have received Incoming fax Documents via Sharepoint>

This new phishing attempt pretends to be an e-mail from Sharepoint, the web app that allows sharing and collaboration via shared access.

The message, in English, informs the recipient that 2 new messages are available, and that he has received 3 faxed documents, related to an alleged order. The link to download the files is then given:

Preview

Examining the email, we realize that the message, marked by the concise and essential textual layout, seems to come from an email address that is very suspicious and not at all referable to Sharepoint:<secured_file27788(at)**** >.


Anyone who unluckily clicks  Preview  will be redirected to an abnormal WEB page, where you are requested to enter your mail account credentials, hosted on an abnormal address/domain, which we report below:

https[:]//s3[.]amazonaws[.]com/appforest_uf/....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

February 01, 2023==> Phishing Account Posta Elettronica (Email Account)

«SUBJECT:< Errore posta in arriνo. > (Incoming mail error)

We examine below the phishing attempt that aims to steal the credentials of the victim's e-mail account.

The communnication informs the recipient that some messages are pending, due to an error in the IMAP/POP configuration of his mailbox, that is reported. It then invites him to correct the error and download the pending messages in order not to lose them, via the following link:

CLICCA QUI  (Click here)

Examining the email, we notice that the message comes from an email address not referable to the server that hosts the mailbox <swarn(dot)bista(at)shauryacements(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks CLICCA QUI  (Click here)  will be redirected to an anomalous WEB page which, as you can see from the image on the side, has nothing to do with the e-mail account manager.
The page to which you are redirected, to enter your mail account credentials, is hosted on an abnormal address/domain, which we show below:

https[:]//dp2ygm3vt4fowsdknzzvmzvor3sp4y6ksa4c3rfjdscuavcry-ipfs-w3s-link[.]translate[.]goog....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

A little bit of attention and glance, can save a lot of hassle and headaches....

We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in  January 2023...
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in  December 2022....
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022....
05/10/2022 11:55 - Phishing: the most common credential and/or data theft attempts in October 2022...
06/09/2022 15:58 - Phishing: the most common credential and/or data theft attempts in September2022....
04/08/2022 16:39 - Phishing: the most common credential and/or data theft attempts in August 2022...
06/07/2022 12:39 - Phishing: the most common credential and/or data theft attempts in July 2022..
06/06/2022 14:30 - Phishing: the most common credential and/or data theft attempts in  June 2022..
02/05/2022 11:06 - Phishing: the most common credential and/or data theft attempts in  May2022....
06/04/2022 16:51 - Phishing: the most common credential and/or data theft attempts in April 2022...
08/03/2022 17:08 - Phishing: the most common credential and/or data theft attempts in March 2022..
03/02/2022 16:25 - Phishing: the most common credential and/or data theft attempts in February 2022...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:

• freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
• fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan
•  It dentifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
• through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
•  proceed to  download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android DevicesTM

VirIT Mobile Security, the Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) where you can download the Lite version, which can be freely used in both private and business settings

You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.

How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:

1. Any suspect  email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.




TG Soft's C.R.A.M. (Anti-Malware Research Center)