03/05/2023
17:59

Phishing: the most common credential and/or data theft attempts in MAY 2023...


Find out the most common phishing attempts you might encounter and also avoid...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in May 2023:

31/05/2023 => Coinbase
24-25/05/2023 => Account di Posta Elettronica (Email account)
25/05/2023 => SexTortion
24/05/2023 => Aruba - Dominio scaduto (Expired domain)
22/05/2023 => Europages
22/05/2023 => Webmail
22/05/2023 => TISCALI
22/05/2023 => Aruba - PEC Webmail
18/05/2023 => Online Banking
15/05/2023 => Aruba - Disattivazione casella (Mailbox deactivation)
15/05/2023 => Facebook Policy
09/05/2023 => Aruba - Conferma il rinnovo (Renewal confirmation)
09/05/2023 => Tinder
08/05/2023 => TISCALI
06/05/2023 => Mooney
06/05/2023 => Istituto Bancario (Bank)
04/05/2023 => Mooney
04/05/2023 => Account Posta Elettronica (Email account)
01/05/2023 => Tinder
01/05/2023 => Aruba - Dominio scaduto (Expired domain)


These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.


May 31, 2023 ==> Phishing Coinbase

SUBJECT: <New device!>

Let's examine below a new phishing attempt aimed at stealing the login credentials of the victim's cryptocurrency wallet at the San Francisco-based company Coinbase.

Coinbase is an online platform used to buy, sell, transfer and store cryptocurrency, established in 2012 in San Francisco, California.

Click to enlarge the image of the fake Coinbase e-mail, which tries to induce the recipient to click on the links in order to steal the login credentials of his wallet.
The message, in English, which we examine below, informs the recipient that abnormal access to his Coinbase account has been detected. The location and date of access are given (generically "Today"). It then invites him to confirm access to his account, or to remove the application immediately if he has not allowed access, via the following link:

coinbase[.]com/secure-wallet


Examining the email, we notice that the message comes from a highly suspicious email address, which does not seem traceable to Coinbase's official domain: <admin(at)sademcicekcikolata(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link coinbase[.]com/secure-wallet will be redirected to an anomalous WEB page, which has nothing to do with Coinbase's official website and has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
 


May 24-25, 2023 ==> Phishing Email account

The following are 2 phishing attempts aimed at stealing the credentials of the victim's mailbox.

EXAMPLE 1
< Error 500: Undelivered Emails Found On Server>
EXAMPLE 2
«New Email Upgrade»

In the first example, in English, the message informs the recipient that due to an e-mail server error, there are 10 undelivered messages. It then invites him to resolve the indicated error by following the instructions provided; once the problem is resolved, the suspended messages will be available in the inbox within 20 minutes. The link to proceed with the error remediation is then given:

Clear Error code

In the second example, on the other hand, he is informed that an upgrade of the mail system is available and that he can get all the new features by performing it. Some of the new features listed are: increased upload speed; updated AntiVirus Software; integrated Webmail/Mobile chat... The message therefore invites the recipient to click the following link to upgrade for a better user experience:

Upgrade Account

In the first example the message text is contained in an image that links to a counterfeit site already flagged as a DECEPTIVE site. Both messages come from the same e-mail address, which does not appear to be referable to any e-mail provider: <no-reply(at)centroaccessori(dot)eu>. This is definitely anomalous and should, at the very least, make us suspicious.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, or updates required to continue using the service, as they leverage urgency to get the user to click.

It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or a credit card number to make account renewals). If these data are entered, they will be used by cyber criminals for criminal purposes.


May 25, 2023 ==> SexTortion

The SexTortion-themed SCAM campaign persists. The e-mail suggests that the scammer has gained access to the victim's device, which he has used to collect data and personal videos. He then blackmails the user by demanding payment of a sum of money, in the form of Bitcoin, in exchange for not divulging among the victim's email and social contacts a private video of him viewing adult sites.

The following is an extract from the text of the email on the side:

Click to enlarge the image of the E-MAIL BLACKMAIL attempt, which threatens to send a video of the user watching ADULT SITES...

"I am a hacker who has access to your operating system. I also have full access to your account. I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I'll explain. Trojan Virus give me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have an access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: my malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left side of the screen, and in the right half you see the video that you watched. With one click of the mouse I can send this video to all your emails and contacts on social networks. I can also post access to all your email correspondence and messengers that you use"

At this point you are asked to send 1300 USD in Bitcoin to the wallet listed below: "bc1XXXXXXXXXXXXXXXXXXXXXX3fv". After receiving the transaction all data will be deleted; otherwise a video depicting the user will be sent to all colleagues, friends and relatives. The victim has 50 hours to make the payment!

Examining the payments made to the wallets examined this month, as of 5/31/2023 the following movements result:

wallet: "bc1XXXXXXXXXXXXXXXXXXXXXX3fv" => 0 transactions
wallet: "18PXXXXXXXXXXXXXXXXXXXXXXXz9H" => 0 transactions

In such cases we always urge you:
  1. not to answer these kinds of e-mails, not to open attachments or click on unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
  2. If the criminal reports an actual password used by the user - the technique is to exploit passwords from public leaks (thefts of compromised data) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.


May 22, 2023 ==> Phishing EuroPages

SUBJECT: <Felix Dietrich: Ti ha inviato un messaggio di richiesta del prodotto> (Felix Dietrich: Sent you a product request message)

We find the following phishing attempt, which appears to come from a fake communication from EuroPages and is aimed at stealing the login credentials of the victim's account.

Click to enlarge the image of the fake EuroPages e-mail, which tries to steal the account login credentials.
The message appears to come from EuroPages, the largest international B2B sourcing platform, and notifies the user that a message has arrived regarding his product listed on EuroPages from a certain "Felix Dietrich." It then invites the user to log into his account, to view the request message, via the following link:

ACCEDI AL MIO ACCOUNT     (LOGIN TO MY ACCOUNT)

Examining the email we notice that the message comes from an email address not referable to the official EuroPages domain <a(dot)papoff(at)gonutscommunication(dot)it>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link ACCEDI AL MIO ACCOUNT (LOGIN TO MY ACCOUNT) will be redirected to an anomalous WEB page.

Click to enlarge the image of the fake Aruba site to which the fake Europages link redirects and where you are asked to authenticate in order to continue to the Europages site... in reality it is a SCAM!
From the side image, the web page looks more like an Aruba page. The well-known logo is also shown, and you are asked to log in to your account to confirm your identity and be sent back to the EuroPages site to view the request message about your product.
At a glance, however, we notice that the login page is hosted on an anomalous address/domain...

https[:]//2017[.]psychedelicscience[.]org/modules/webmailbeta[.]aruba[.]it/confirm_your_identity[.]aruba[.]it....

If we enter our data on this FORM to verify them, they will be sent to a remote server and used by cyber-crooks, with all the related easily imaginable risks.

May 22, 2023 ==> Phishing Webmail

SUBJECT: <ERRORS DETECTED ON YOUR WEBMAIL ACCOUNT.>

We examine below the phishing attempt that aims to steal the credentials of the victim's e-mail account.

Click to enlarge the image of the fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.
The message, in English, informs the recipient that his mailbox will be deactivated by 24/05/2023 due to unresolved errors. It then invites him to resolve the account errors in order to continue using his account, through the following link:

RESOLVE ERRORS NOW

Examining the email, we notice that the message comes from an email address that does not seem traceable to the server hosting the mailbox <marijana(at)tr-kircek(dot)hr>.
This is definitely anomalous and should, at the very least, make us suspicious.

Click to enlarge the image of the counterfeit site, which clearly has nothing to do with the Webmail...
Anyone who unluckily clicks on the link RESOLVE ERRORS NOW will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected, to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/bafkreig5tohfqms2bpph6agk33....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.



May 22, 2023 ==> Phishing Aruba - PEC Webmail

SUBJECT: <Scadenza password> (Password expiration)

Here we find another phishing attempt coming from a false communication from Aruba.

Click to enlarge the image of the fake Aruba e-mail stating that the domain is about to expire, but in reality it is a SCAM!
The message informs the recipient that the password of his e-mail account hosted on Aruba is expiring in 24 hours, on 22/05/2023. It then informs him that he will have to renew his password in order to continue using it and avoid the deletion of the account and thus the deactivation of all services associated with it.
It then invites the user to log in to renew the password, through the following link:
  
conferma password (password confirmation)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address, which would appear to come from a PEC <Pec WebMail: communications(at)staff(dot)aruba(dot)it>, does not come from Aruba's official domain.

Click to enlarge the image of the counterfeit site that tries to steal the Aruba account login credentials...
Anyone who unluckily clicks on the link conferma password (password confirmation) will be diverted to an anomalous WEB page, which, as you can see from the side image, is graphically well laid out.
We notice, however, that you are redirected to a page hosted on an anomalous address/domain, which has nothing to do with Aruba and which we show below:

https[:]//srv191119[.]hoster-test[.]ru/wbesteraruba/der/index...

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.


May 18, 2023 ==> Phishing Online Banking

SUBJECT: <You've just received a transfer>

This month we examine the following phishing attempt that notifies of a money transfer to the victim.

Click to enlarge the image of the fake e-mail notifying a money transfer, but in reality it is a SCAM!
The message informs the recipient that he has received a cash transfer of $28,790. It then invites him to log in by clicking the following link:

LOG IN

Examining the text of the message, we notice right away that the sender's e-mail address <ucqqvtz(at)shooper(dot)co> is not reliable.

Click to enlarge the image of the counterfeit site that tries to steal the TISCALI account login credentials...
Anyone who unluckily clicks on the link LOG IN will be redirected to an anomalous WEB page, which, as you can see from the side image, is graphically well laid out and detailed. In fact you can see the sender "Bank of America N.A.", the final account number and a receipt for the payment.

We notice, however, that you are redirected to a page hosted on an anomalous address/domain, which we report below:

https[:]//online-com[.]github[.]io/eu/notifications[.]html

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.



May 15, 2023 ==> Phishing Facebook Policy

SUBJECT: <Action Required: Verify Your Business Ownership on Facebook>

This month we examine a new phishing attempt that comes from a fake communication, apparently coming from Meta.

Click to enlarge the image of the fake Facebook e-mail announcing the policy change that requires validation of your business account, but in reality it is a SCAM!
The message, in English, informs the recipient that there has been a recent change in Policy requiring the "validation of business account ownership associated with our platform (Facebook). This step has been implemented to ensure adherence to our standards and safeguard the integrity of our services. As a valued member of our network, we kindly urge you to verify your business ownership via the designated button in our Business Help Center." By proceeding to validate the account by 17/05/2023, the account holder will be able to continue to operate without any interruption or limitation to the use of his corporate account. It then invites the user to proceed with validation through the following link:

REQUEST A REVIEW

Clearly, the well-known U.S. company Meta is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <emailtosalesforce(at)u-28u1uxwh7xnxdcnx869ckj01c6zqmu74nqbky1k3o7auhd5qv7(dot)8d-avyobead(dot)um8(dot)le(dot)salesforce(dot)com> does not come from Meta's official domain and is highly anomalous.

Anyone who unluckily clicks on the link REQUEST A REVIEW will be diverted to an anomalous WEB page, which has nothing to do with the official site and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


May 09, 2023 ==> Phishing Aruba - Renewal confirmation

SUBJECT: <PROMEMORIA: Dominio **** con account di posta in scadenza> (REMINDER: **** domain with expiring mail account)

Here we find another phishing attempt that comes again from a false communication by Aruba.

Click to enlarge the image of the fake Aruba e-mail stating that the domain is about to expire, but in reality it is a SCAM!
The message informs the recipient that his domain, hosted on Aruba and linked to his e-mail account, expired on 09/05/2023 and that the automatic renewal service has been deactivated. It then warns him that he will have to renew his services manually to avoid the cancellation of his account, and thus the deactivation of all the services associated with it, including the mailboxes. He would therefore no longer be able to receive and send messages. It then invites the user to log in to renew services, through the following link:

Effettua il tuo pagamento  (Make your payment)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <gianluca(dot)gabba(at)ggs-rappresentanze(dot)it> does not come from the official domain of Aruba.

Anyone who unluckily clicks on the link Effettua il tuo pagamento (Make your payment) will be redirected to an anomalous WEB page, which has nothing to do with Aruba's official website and has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.


May 08 - 22, 2023 ==> Phishing TISCALI

Below we report 2 phishing attempts that appear to come from a false communication from TISCALI.

EXAMPLE 1
< Deactivation ****@tiscalinet.it >
EXAMPLE 2
«Avviso di disattivazione ***@tiscalinet.it» (Deactivation notice)

In the 2 examples above, which are very similar, the message informs the recipient that his domain hosted on TISCALI, linked to his e-mail account, has expired. It then warns him that he can neither receive nor send messages until he reactivates his email. It then invites the user to reactivate his mailbox within the specified time, otherwise all messages will be deleted.
The goal, in both cases, is to get the user to click on the link indicated in the email:

RIATTIVARE ORA (REACTIVATE NOW)

This time the phishing campaigns simulate a communication that appears to come from TISCALI, which is clearly unrelated to the mass sending of these emails. They are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining both emails, we see that the Company Logo was included to further mislead the user, but we note that the sender's email address isn't referable to TISCALI's official domain: <milantns(at)sbb(dot)rs>. Let's always use caution before clicking on suspicious links.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, or for security updates, as they leverage urgency to get the user to click.

Click to enlarge the image of the counterfeit site that tries to steal the TISCALI account login credentials...
Anyone who unluckily clicks on the link RIATTIVA ORA (REACTIVATE NOW) will be redirected to an anomalous WEB page, which, as you can see from the side image, is graphically well set up and could fool an inexperienced user.

We notice, however, that the page you are redirected to, for the entry of your mail account credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//webmail-mail-tiscali-it[.]weebly[.]com/#email****

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.



May 06, 2023 ==> Phishing Istituto Bancario (Bank)

SUBJECT: <Nuovo aggiornamento - Attiva il nuovo sistema di sicurezza> (New update - Activate the new security system)

We find again this month the phishing campaign spread through an e-mail exploiting graphics stolen from, or similar to those of, a well-known national banking institution. In this way it tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to carry out what is requested and fall into this trap based on social engineering techniques.

Click to enlarge the image of the fake e-mail from a well-known banking institution, which tries to steal the account data...
The message notifies the unsuspecting recipient that from May 09, 2023, he will no longer be able to use his card unless he activates the new web security system, which provides greater security and reliability to transactions. It then invites him to activate the new security system, an operation described as simple and taking only 3 minutes, through the following link:

Clicca qui (Click here)

We can see from the beginning that the alert message comes from a very suspicious e-mail address, <****(at)customer-support-bay1(dot)com>, and contains very general text, although the cybercriminal had the graphic foresight to include the well-known banking institution's logo, which could mislead the user.

The aim is to lead the recipient to click on the Clicca qui (Click here) link which, we would like to point out, redirects to a page that has nothing to do with the official site and has already been flagged as a deceptive WEBSITE/PAGE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.



May 04 - 06, 2023 ==> Phishing Mooney

Below we report 2 phishing attempts that appear to come from a false communication from Mooney, the Italian Proximity Banking & Payments company.
EXAMPLE 1
< IL tuo аccount Moonеy è tеmporаnеamеntе sospеso. #700000 > (Your Mooney account is temporarily suspended)
EXAMPLE 2
«Aviso» (Notice)

In the 2 examples above, which are very similar, the message informs the recipient that his account is temporarily suspended due to a failed update or, as in the second case, that he needs to confirm his account information.
The goal, in both cases, is to get the user to click on the link given in the email, to resolve the customer profile update problem:

Aggiornare o clicca qui  (Update or click here)

This time, phishing campaigns simulate a communication that appears to come from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails. These, in fact, are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining both emails, we see that the Company Logo was included to further mislead the user, but we note that the sender's email address does not appear to be traceable to the official domain of Mooney: 1st example <jollymanifatture(at)care(dot)sprinklr(dot)com>; 2nd example <kiwisat-alert(at)kiwitron(dot)com>. Let's always be very careful before clicking on suspicious links.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, or for security updates, as they leverage urgency to get the user to click.


Click to enlarge the image of the counterfeit site, which clearly has nothing to do with Mooney...
Anyone who unluckily clicks on the link Aggiornare o clicca qui (Update or click here) will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the official website of Mooney.
The page to which you are redirected, to enter your credentials, is hosted on an anomalous address/domain, which we report below:

1st example: https[:]//ipfs[.]io/ipfs/bafkreihalpd23vzerlcqewfszygvrjabi5wp....
2nd example: https[:]//amsltd[.]us/wp-admin/user/IT-M/MoneyIT/

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.



May 04, 2023 ==> Phishing Account Posta Elettronica (E-mail Account)

SUBJECT: <(3) messages are pending to deliver in your mailbox>

Let's examine below another phishing attempt aimed at stealing the credentials of the victim's e-mail account.

Click to enlarge the image of the fake e-mail from the e-mail account administrator, which tries to induce the recipient to click on the links in order to steal the account login credentials.
The message, in English, informs the recipient that incoming messages have been blocked due to the indicated "storage error." It then invites him to retrieve the blocked messages via the following link:

Receive Messages

Analyzing the email, we notice that the message comes from an email address that does not seem traceable to the server that hosts the mailbox <support(at)mainmailservers(dot)mom>. This is definitely anomalous and should, at the very least, make us suspicious.

Click to enlarge the image of the counterfeit site, which clearly has nothing to do with the Webmail...
Anyone who unluckily clicks on the link Receive Messages will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected, for the entry of your mail account credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/bafkreihalpd23vzerlcqewfszygvrjabi5wp....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the associated easily imaginable risks.




May 01, 2023 ==> Phishing Tinder

SUBJECT: <It's a Match!>
This month we find a new phishing attempt that seems to come from a false communication from Tinder, one of the most popular dating sites in the world.

Click to enlarge the image of the fake Tinder e-mail, which tries to get the victim to click on the link that leads to a page already reported as a DECEPTIVE site.
The message informs the recipient that a profile has been found that "matches" his or hers. It then invites him or her to log into his or her Tinder account to find out who is waiting... The login is supposedly reached by clicking the following link:

FIND OUT WHO

Clearly, the well-known dating app Tinder is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the sender's e-mail address <furioso(at)rscp19103(dot)myhostingpack(dot)com> does not come from the official domain of Tinder. We see, however, that the cybercriminal had the foresight to include the well-known Tinder logo; in fact, the email is graphically deceptive.

Anyone who unluckily clicks on the link FIND OUT WHO will be redirected to an anomalous WEB page, which has nothing to do with Tinder's official website and has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.




01 - 15 - 24 May 2023 ==> Phishing Aruba - Dominio scaduto (Expired domain)

Below are the phishing attempts we find this month, which appear to come from a false communication from Aruba.

EXAMPLE 1
< PROMEMORIA: Dominio **** con account di posta in scadenza > (REMINDER: **** domain with expiring mail account)
EXAMPLE 2
«Disattivazione casella e-mail per disattivazione dominio ***» (Mailbox deactivation for domain deactivation)
EXAMPLE 3
«tempo del rinnovo.» (Renewal time.)

In the examples above, which are very similar, the message notifies the customer that his domain hosted on Aruba is about to expire and invites him to renew it before the expiration date. It informs him that, if the domain is not renewed, all services associated with it will be deactivated, including e-mail boxes, so he will no longer be able to receive and send messages. It then invites the user to renew the domain by completing the order through the links listed in the email.

The aim is clearly to get the user to click on the link in the email:

RINNOVA IL DOMINIO (RENEW THE DOMAIN)


Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.


To detect these phishing attempts, it is first necessary to examine the sender's e-mail address, which, as we can see in the 3 cases shown (<noreply(at)rusflagcity(dot)ru>; <informer(at)znatoki34(dot)ru>; <support(at)sicurezza8108(dot)com>), does not come from Aruba's official domain.

Very often these messages are poorly written emails that contain spelling errors or renewal requests for services that are not expiring, since they leverage urgency or data security to obtain the user's information.

It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or a credit card number to make account renewals). If these data are entered, they will be used by cyber criminals for criminal purposes.
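The two checks described above (sender domain and link host compared with the brand's official domain), written out as an added example that is not TG Soft's code. The table of official domains is an assumption of the example; the defanged sample values are taken from this report, and the values marked as constructed are controls.

```python
from urllib.parse import urlsplit

# Assumption of this example: domains treated as official for each brand.
OFFICIAL = {
    "aruba": {"aruba.it"},
    "tiscali": {"tiscali.it", "tiscalinet.it"},
}
# Free hosting / gateway services seen in this report's landing-page URLs.
SHARED_HOSTING = {"ipfs.io", "github.io", "weebly.com"}


def refang(text):
    """Undo the report's defanging so the value can be parsed (not opened)."""
    for old, new in (("[.]", "."), ("[:]", ":"), ("(at)", "@"), ("(dot)", ".")):
        text = text.replace(old, new)
    return text.strip()


def in_domain(host, domain):
    """True for the domain itself or a real subdomain (label-boundary suffix)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_mismatch(address, brand):
    """True when the sender's domain is outside the brand's official domains."""
    host = refang(address).rsplit("@", 1)[-1].lower()
    return not any(in_domain(host, d) for d in OFFICIAL[brand])


def link_findings(url, brand):
    """Reasons why a link presented as the brand's is anomalous ([] if none)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if any(in_domain(host, d) for d in OFFICIAL[brand]):
        return []
    findings = ["host-not-official"]
    if brand in host:
        # Brand name used as decoration in a foreign hostname.
        findings.append("brand-in-host")
    if brand in (parts.path + "?" + parts.query).lower():
        # Brand name (or its domain) pushed into the path to look familiar.
        findings.append("brand-in-path")
    if any(in_domain(host, d) for d in SHARED_HOSTING):
        findings.append("shared-hosting")
    return findings


# Sender addresses: the first two are from this report, the last is constructed.
SENDERS = [
    ("noreply(at)rusflagcity(dot)ru", "aruba"),
    ("milantns(at)sbb(dot)rs", "tiscali"),
    ("noreply@aruba.it", "aruba"),  # constructed control
]
# Landing pages: the first three are from this report, the last two are constructed.
LINKS = [
    ("https[:]//2017[.]psychedelicscience[.]org/modules/webmailbeta[.]aruba[.]it"
     "/confirm_your_identity[.]aruba[.]it....", "aruba"),
    ("https[:]//srv191119[.]hoster-test[.]ru/wbesteraruba/der/index...", "aruba"),
    ("https[:]//webmail-mail-tiscali-it[.]weebly[.]com/#email****", "tiscali"),
    ("https[:]//aruba[.]it[.]example[.]net/login", "aruba"),  # constructed lookalike
    ("https[:]//webmail[.]aruba[.]it/", "aruba"),             # constructed control
]

if __name__ == "__main__":
    for address, brand in SENDERS:
        verdict = "MISMATCH" if sender_mismatch(address, brand) else "ok"
        print(f"{brand:8} sender {address}: {verdict}")
    for url, brand in LINKS:
        print(f"{brand:8} link   {url}: {link_findings(url, brand) or 'ok'}")
```

A sender address that passes this check is not proof of legitimacy, since the visible From address can be forged; a mismatch, as in the cases above, is already enough to treat the message as suspicious.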



A little attention and a quick glance can save a lot of hassle and headaches....

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, whenever such campaigns resurge it is reasonably likely that more than a few unfortunate recipients will be fooled.
 

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.;
  • Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security: ITALIAN AntiMalware for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers users to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website.

 



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center that allowed us to make this information as complete as possible.



How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. Any suspicious email can be sent directly from the recipient's e-mail to lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering "Possible phishing page to verify" rather than "Possible Malware to verify" in the subject line;
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

 

Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both paper and electronic, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it”, with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been extrapolated.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment/thanks will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: