03/03/2023
16:54

Phishing: the most common credential and/or data theft attempts in MARCH 2023...


Find out the most common phishing attempts you might encounter and how to avoid them...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in March 2023:

28/03/2023 => Smishing - GLS Ritira il tuo pacco (Pick up your package)
27/03/2023 => SexTortion
16/03/2023 => SexTortion
16/03/2023 => Aruba - Dominio in scadenza (Expiring domain)
14/03/2023 => Aruba - Dominio in scadenza (Expiring domain)
10/03/2023 => Aruba
08/03/2023 => SexTortion
07/03/2023 => Q8
07/03/2023 => Aruba
01/03/2023 => Unieuro


These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.


March 28, 2023 ==> Smishing: GLS Ritira il tuo pacco (GLS Pick up your package)

Here we find again a scam attempt through text messages hiding behind a false communication regarding the delivery of an alleged package.

[Image: the fake SMS stating that the order was delivered to a pickup point... in reality it is a SCAM!]
The message notifies the unsuspecting recipient that their package was delivered to the delivery point on 28-03-2023. A link is then given to view the delivery point where the package can be picked up.

[Image: the fake site where the delivery of a pending package should be scheduled, but which in reality is a SCAM!]
Anyone who clicks on the link is taken to a web page from which they can reschedule the delivery of the allegedly pending package:

"You have (1) package waiting for delivery. Use your code to track and receive it"

The tracking code to be used is then provided. We see, however, in the screenshot, that the URL in the browser address bar is very suspicious:

itgiftclub[.]live
 
After clicking on "Monitora il tuo ordine" ("Track your order") we are presented with a new screen.

From the image below we are notified that the delivery of the package is pending due to non-payment of the shipping cost of Euro 2.00. Clicking on "Programma la consegna adesso" ("Schedule your delivery now") you are referred to the next screen.
[Image: the fake site where the pending delivery should be scheduled, but which in reality is a SCAM!]
The next screen asks us for the delivery method: "I want it to be delivered to me" or "I will pick it up myself".
[Image: the fake site where the pending delivery should be scheduled, but which in reality is a SCAM!]

[Image: the fake site where a pending shipment should be tracked, but which in reality is a SCAM!]
This is followed by 2 more screens like the previous one, which ask us where we prefer the package to be delivered: "At home" or "At work", and when we prefer it to be delivered: "Weekdays" or "Weekends."
 
After selecting our preferences, we finally arrive at a new screen confirming that the package has been sent, with estimated delivery by 31/03/2023, after payment of shipping costs... At this point, by clicking on "Inserisci le informazioni per la consegna" ("Enter your delivery information"), you are sent to an additional page to enter your contact information and pay the shipping charge of €2.00.

[Image: the fake site that asks you to enter your personal data...]
From the screenshot we notice that our personal information is requested first, supposedly to ship the package, and then the payment. As you can see, the login page is hosted on an anomalous address/domain, different from the previous one, which clearly has nothing to do with any courier...

theproducttomiss[.]net

The purpose of all this is to induce the user to enter his or her personal information. Positive comments from other users who appear to have received their package are also shown, to make the message look credible...

To conclude, we always urge you to be wary of any email asking for confidential data, and to avoid clicking on suspicious links that could lead to a counterfeit site difficult to distinguish from the original, since that would put your most valuable data in the hands of cyber crooks.


March 27, 2023 ==> SexTortion

The SexTortion-themed SCAM campaign persists. Below is another example of a campaign where, unlike the other examples given, in this case the victim's password is also included in the email text, to make the scam more credible.

The following is an extract from the text of the email shown in the screenshot:

[Image: the EMAIL BLACKMAIL attempt that threatens to send a video of you while you watch ADULT sites]
"Few months back, I managed to get access to your device that you use for internet browsing. After that, I was observing the whole internet activity of yours. Here is the proof I hacked this email. Your password at the time when I got access to your email: ***. As a systematic adult website visitor, you are the only one who is responsible for all the consequences of that. Simply speaking, all the websites visited by you have helped me to gain access to data of yours. Trojan horse has been uploaded by me to your driver system, and it continuously updates its signatures numerous times throughout the day, with the intention of making antivirus unable to notice it. In addition, it enables me with access to microphone as well as camera of yours. Hereby, I could easily back-up all your information, as well as social media, photos, contact list and chats. Not long time ago, a brilliant idea has visited my head to montage the video in one section of the screen [...] whereas the original video is currently playing on another section of the screen. That was so entertaining. Make no mistake that I can simply share this video to entire contact list of yours via several mouse clicks, and I guess that you would definitely prefer to avoid this scenario from coming true."

A request is then made to deposit a sum of 1650 USD into the wallet provided for the payment.
Examining the payments made to the wallet indicated by the cyber criminal as of 03/29/2023, the following transactions result:

"12XgXXXXXXXXXXXXXXXXXXXXXXqdj"
shows 1 transaction in the amount of 1705,56 USD.



In such cases we always urge you:
  1. not to answer these kinds of e-mails, not to open attachments or click on unsafe links, and certainly NOT to send any money. You can safely ignore or delete them;
  2. if the criminal quotes an actual password used by the user - the technique is to exploit passwords from public leaks (data breaches) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.


March 14 - 16, 2023 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)

SUBJECT: «Caselle@**** in scadenza» (Mailboxes@**** expiring)

Here is another phishing attempt that comes from a false communication from Aruba.

[Image: the fake Aruba e-mail stating that the domain is expiring, but which in reality is a SCAM!]
The message informs the recipient that his domain hosted on Aruba, linked to his mail account, will expire on 16/03/2023. It then explains that if the domain is not renewed, all the services associated with it - including the mailboxes - will be deactivated, so he will no longer be able to receive and send messages. It therefore invites the user to renew the domain through the following link:
 
RINNOVA IL DOMINIO (RENEW THE DOMAIN)


Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <nesbt(at)nesbt(dot)com> is not from Aruba's official domain.

Anyone who unluckily clicks on the link RINNOVA IL DOMINIO (RENEW THE DOMAIN) will be redirected to an anomalous WEB page which has nothing to do with the official site of Aruba, and which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.




March 08 -16, 2023 ==> SexTortion

The SexTortion-themed SCAM campaign persists. The e-mail would have the victim believe that the scammer gained access to their device and used it to collect data and personal videos. The scammer then blackmails the user by demanding payment of a sum of money in Bitcoin in exchange for not sharing, with the victim's email and social contacts, a private video of them viewing adult sites.

The following is an extract from the text of the email shown in the screenshot:

[Image: the EMAIL BLACKMAIL attempt that threatens to send a video of you while you watch ADULT sites]
"For the last couple of months, I have been watching you. Still wondering how is that possible? Well, you have been infected with malware originating from an adult website that you visited. You may not be familiar with this, but I will try explaining it to you. With help of Trojan Virus, I have complete access to a PC or any other device. This simply means I can see you at any time I wish to on your screen by simply turning on your camera and microphone, without you even noticing it. In addition, I have also got access to your contacts list and all your correspondence. You may be asking yourself "but my pc has an active antivirus, how is this even possible? why didn't I receive any notification?". Well the answer is simple: my malware uses drivers, where I update the signatures every four hours, making it undetectable, and hence keeping your antivirus silent. I have a video of you wanking on the left screen, and on the right screen, the video you were watching while masturbating. Wondering how bad could this get? With just a single click of my mouse, this video can be sent to all your social network and e-mail contacts. I can also share access to all your e-mail correspondence and messengers that you use".

The 2 examined campaigns, of March 8 and 16, carry a ransom demand of 1450 and 1600 USD in Bitcoin, respectively. Analyzing the payments made to the two wallets indicated by the cyber criminal as of 03/29/2023, the following transactions result:


"1KRBXXXXXXXXXXXXXXXXXXXXXXMSJ" shows no transactions;

"1EMwXXXXXXXXXXXXXXXXXXXXXXAhq" shows 1 transaction in the amount of 1455,34 USD.



In such cases we always urge you:
  1. not to answer these kinds of e-mails, not to open attachments or click on unsafe links, and certainly NOT to send any money. You can safely ignore or delete them;
  2. if the criminal quotes an actual password used by the user - the technique is to exploit passwords from public leaks (data breaches) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.


March 07, 2023 ==> Phishing Q8

SUBJECT: <Partecipa al sondaggio e vinci 200€ di Buoni Benzina> (Participate in the survey and win €200 of Petrol Vouchers)

This month we again find the following phishing, which pretends to be a communication from Q8.

[Image: the fake e-mail announcing the chance to win a €200 fuel voucher... in reality it is a SCAM!]
The message is very effective as it deals with a very current issue that weighs on the pockets of all Italians, the rising fuel prices: "Challenge the high price of petrol and fate."
The message exploits the chance to win a fuel voucher worth €200 by participating in a lucky draw through the following link:

PARTECIPA ORA (JOIN NOW)

First, we note that the email comes from an address <news(at)news(dot)all29con99(dot)com> that is clearly not from the official domain of Q8.

Anyone who unluckily clicks on the link PARTECIPA ORA (JOIN NOW) will be redirected to an anomalous WEB page which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.


March 07 and 10, 2023 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)

Below we report 2 phishing attempts that come as a false communication from Aruba.

EXAMPLE 1
«Il tuo dominio è scaduto, rinnovalo prima della disattivazione» (Your domain has expired, renew it before deactivation)
EXAMPLE 2
«PROMEMORIA: Dominio *****.com con account di posta in scadenza» (REMINDER: *****.com domain with expiring mail account)

In the 2 examples above, which are very similar, the customer is notified that his domain on Aruba is about to expire and is then invited to renew it before expiration.

In both cases, the purpose is to lead the user to click on the link in the email:

RINNOVA CON UN CLIC (RENEW WITH A CLICK)

RINNOVA IL DOMINIO (RENEW THE DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

To detect these phishing attempts, it is first of all necessary to examine the sender's e-mail address which, as we can see in the 2 reported cases - <support(at)oraclerealestate(dot)it> and <support(at)smarthub(dot)tj> - does not come from Aruba's official domain.

Very often these messages are poorly written emails that contain spelling errors, or renewal requests for services that are not expiring at all, since they rely on urgency or on data-security pretexts to obtain the user's information.

It is also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or credit card number to renew the account). If this data is entered, it will be used by cyber criminals for criminal purposes.
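The three checks just described (sender domain, where the links really point, and urgency wording) can be automated for a first triage of a suspicious message. The script below is an added example, not code from TG Soft's report: the two e-mails are constructed for the example, the sender and link domains in the first one are those the article quotes from the Aruba campaigns, and the list of Aruba's legitimate domains is an assumption.

```python
"""Added example (not part of TG Soft's report): first-pass triage of one
e-mail using the checks the article recommends - is the sender's domain the
brand's official domain, do the body links point somewhere else, and does
the text lean on urgency? Sample messages below are constructed; the
legitimate-domain list is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the brand's legitimate domains (one such list per impersonated brand).
LEGIT_DOMAINS = {"aruba.it", "aruba.com"}
# Italian phrases these "expiring domain" lures lean on (from the subjects quoted above).
URGENCY_TERMS = ["in scadenza", "scaduto", "disattivazione", "rinnova"]

# Constructed sample: sender and link domains as quoted in the article.
PHISH_EMAIL = """From: "Aruba" <support@oraclerealestate.it>
To: victim@example.com
Subject: PROMEMORIA: Dominio example.com con account di posta in scadenza
Content-Type: text/html; charset=utf-8

<p>Il tuo dominio e' in scadenza.</p>
<a href="http://smarthub.tj/rinnovo">RINNOVA IL DOMINIO</a>
<a href="https://www.aruba.it/">Aruba</a>
"""

# Constructed sample of a message that passes all three checks.
CLEAN_EMAIL = """From: "Aruba" <support@aruba.it>
To: victim@example.com
Subject: Fattura disponibile
Content-Type: text/html; charset=utf-8

<p>La tua fattura e' disponibile.</p>
<a href="https://www.aruba.it/fatture">Vai alle fatture</a>
"""


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str, legit=LEGIT_DOMAINS) -> dict:
    msg = message_from_string(raw)
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    # Where do the clickable links actually go? Anything outside the brand is flagged.
    hrefs = re.findall(r'href=["\']([^"\']+)', body)
    hosts = [urlparse(h).hostname or "" for h in hrefs]
    foreign = sorted({registrable(h) for h in hosts if h and registrable(h) not in legit})
    # Urgency wording, checked on subject plus body with HTML tags stripped.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    urgency = [t for t in URGENCY_TERMS if t in text]
    sender_ok = sender_domain in legit
    return {
        "sender_domain": sender_domain,
        "sender_ok": sender_ok,
        "foreign_link_domains": foreign,
        "urgency_hits": urgency,
        "verdict": "ok" if sender_ok and not foreign else "suspicious",
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw))
```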


March 01, 2023 ==> Phishing Unieuro

SUBJECT: <Festeggia l'anniversario di Unieuro con un Pallet Elettronica GRATUITO> (Celebrate Unieuro's anniversary with a FREE Electronics Pallet)

Below is a phishing attempt hiding behind a false communication, apparently from Unieuro, that boasts of a chance to win a Pallet of Home Appliances.

[Image: the fake e-mail that appears to come from Unieuro, announcing the chance to win a Pallet of Home Appliances... in reality it is a SCAM!]
The message, shown in the screenshot, is graphically well laid out and looks like a must-have offer. The lucky user has been selected, on the anniversary of the Italian electronics and home appliances chain, to win the fantastic prize by participating in a survey.

"You have been chosen to participate in our Loyalty Program for FREE! It will only take you a minute to receive this fantastic prize."

Examining the email, we see that the message comes from a suspicious email address <el_rhazrafi(dot)ihs(dot)fst(at)uhp(dot)ac(dot)ma>. This is definitely anomalous and should, at the very least, make us suspicious.

[Image: the fake Unieuro site inviting you to take part in a survey to win a Pallet of Home Appliances...]
Anyone who clicks on the link INIZIA ORA (START NOW) will be redirected to a web page where they are asked to participate in a short survey to win new Unieuro-branded home appliances.

From the screenshot shown, the site appears to be attributable to Unieuro, but we can see that the page is hosted on an anomalous address/domain, which we report below:

https[:]//chemicalsgas[.]com/cff02e58...

Clicking on INIZIA ORA (START NOW) you are redirected to the next screens, where you are asked to answer 8 questions. Below are some of them...

Question 1
[Image: question 1 of the fake Unieuro survey to win a Pallet of Home Appliances...]
Question 2
[Image: question 2 of the fake Unieuro survey to win a Pallet of Home Appliances...]

Question 3
[Image: question 3 of the fake Unieuro survey to win a Pallet of Home Appliances...]
Question 4
[Image: question 4 of the fake Unieuro survey to win a Pallet of Home Appliances...]

[Image: the fake Unieuro site showing the instructions for receiving a Pallet of Home Appliances...]
At the end of the survey, we finally get to a new screen that lets us select our prize, as a thank-you for the information provided about our consumer experience. By selecting the appliance pallet - which includes a number of items returned from the electronics section (worth Euro 699.99) - the prize is offered to the lucky winners for free!!! You just have to pay the shipping costs and enter your shipping address, and in 5-7 business days the prize will be delivered....

You are then sent to a further page, as shown in the image below, to enter your shipping address and pay the shipping charges.

[Image: the fake Unieuro site asking you to enter your personal data to receive a Pallet of Home Appliances...]
Surely, if so many users have been lucky, why not try your luck? In any case, the amount required is really small....
In reality, the aim of the cyber criminals is just to induce the user to enter the sensitive data and credit card details requested for payment!

The page to which you are referred, to enter your personal data, is hosted on an anomalous address/domain, which we report below:

https[:]//productsmania[.]net/c/RzeGD77?...

In conclusion, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuable items, and to avoid clicking on suspicious links that could lead to a counterfeit site, placing your most valuable data in the hands of cyber crooks for their own use and profit.

A little attention and a second glance can save a lot of hassle and headaches....

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, more than a few unfortunates will in all likelihood be fooled.
 
We invite you to check the following information on Phishing techniques for more details:

06/02/2023 17:29 - Phishing: the most popular credential theft attempts in February 2023...
02/01/2023 15:28 - Phishing: the most popular credential theft attempts in January 2023...
02/12/2022 15:04 - Phishing: the most popular credential theft attempts in December 2022...
04/11/2022 17:27 - Phishing: the most popular credential theft attempts in November 2022...
05/10/2022 11:55 - Phishing: the most popular credential theft attempts in October 2022...
06/09/2022 15:58 - Phishing: the most popular credential theft attempts in September 2022...
04/08/2022 16:39 - Phishing: the most popular credential theft attempts in August 2022...
06/07/2022 12:39 - Phishing: the most popular credential theft attempts in July 2022...
06/06/2022 14:30 - Phishing: the most popular credential theft attempts in June 2022...
02/05/2022 11:06 - Phishing: the most popular credential theft attempts in May 2022...
06/04/2022 16:51 - Phishing: the most popular credential theft attempts in April 2022...
08/03/2022 17:08 - Phishing: the most popular credential theft attempts in March 2022...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, we advise installing Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus in use, to increase the security of your computers, PCs and SERVERS.


Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERS. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to automatically report new-generation viruses/malware that have installed themselves and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security: ITALIAN AntiMalware for ALL Android Devices™

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

[Image: VirIT Mobile Security, TG Soft's AntiMalware for Android™]
TG Soft makes VirIT Mobile Security available for free through the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website https://www.tgsoft.it/italy/ordine_step_1.asp

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.



How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspicious e-mail can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.

TG Soft's C.R.A.M. (Anti-Malware Research Center)
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
If information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment/thanks will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: