PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in August 2023:

29/08/2023 =>SexTortion
29/08/2023 => Banca Popolare di Sondrio
26/08/2023 => BRT
23/08/2023 => Account di Posta (Email Account)
09/08/2023 => Aruba - Dominio in scadenza (Expiring domain)
08/08/2023 => Account di Posta - request for reset
07/08/2023 => Banca Popolare di Sondrio
07/08/2023 => Account di Posta - Storage Full
07/08/2023 => Mooney
05/08/2023 => Poste Italiane
04/08/2023 => Aruba - Dominio in scadenza (Expiring domain)
02/08/2023 => Scotiabank
01/08/2023 => Smishing Peroni



These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassles and headaches...

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

August 29, 2023 ==>SexTortion

The SexTortion-themed SCAM campaign persists. The e-mail would seem to suggest that the scammer gained access to the victim's device, which he used to collect data and personal videos. Then he blackmailed the user by demanding the payment of a sum of money, in the form of Bitcoin, not to divulge among his email and social contacts, a private video of him viewing adult sites..

The following, is an extract from the text of the email on the side:

" I am a hacker, and Ihave succesfully gained access to your operating system. I have also full access to your account. When I hacked into your account, your password was: ****. I have been watching you for a few months now. The fact is that your computer has been infected with maleare through an adult site that you visited. If you ar enot familir with this, I will explain. Trojan Virus gives me full access and control over a computer or a device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why did your antivirus not detect malware? Answer: the malware I used is driver -based, I update its signatures  every 4 hours. Hence your antivirus is unable to detect its presence.I made a video showing how you satisfy yourself in the left half of the screen, and the right half shows the video you were watching at the time. With one mouse click I can send this video to all your emails contacts on your social networks. I can also make public all your email correspondence and chat history on the messengers that you use"



At this point you are asked to send 950 USD in Bitcoin to the wallet listed below: "12XXXXXXXXXXXXXXXXXXXXXXXsa6'. After receiving the transaction all data will be deleted, otherwise a video depicting the user, will be sent to all colleagues, friends and relatives. The victim has 50 hours to make the payment!

Examining the payments made on the wallets that were examined this month, as of 06/09/2023, results in 1 transaction of 1233,87 USD.

In such cases we always urge you:

1. not to answer these kinds of e-mails and not to open attachments or click lines containing unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
2. If the criminal reports an actual password used by the user - the technique is to exploit passwords from public Leaks (compromised data theft) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.

August 26, 2023 ==> Phishing BRT

«SUBJECT: < Problemi relativi alla spedizione BRT Corriere espresso.> (Problems related to BRT Express Courier shipping)

Below is a new phishing attempt, concerning the delivery of an alleged package, hiding behind a false communication from the BRT service.

The message notifies the unsuspecting recipient, that his shipment is on hold, because customs duties have not been paid. Therefore, to avoid further delays, he must perform the verification procedure promptly, to prevent the delivery from being cancelled. The email is graphically well laid out. In fact, to make the message seem more trustworthy, the BRT logo was introduced. These messages are increasingly being used to scam consumers who, more and more, use e-commerce for their purchases.
The message then prompts the user to pay the customs clearance fees, otherwise the item will be returned to the sender. To schedule the delivery, he must click on the following link:

clicca qua (click here)

August 23, 2023 ==> Phishing Account Posta Elettronica (Email Account)

SUBJECT: <Richiesta di preventivo per progetto e prodotto> (Request for quotation for project and product)

We analyze below a new phishing attempt, that aims to steal the email account login credentials.

The message comes from a certain Leonardo, a purchasing and supply manager for a company, interested in purchasing a product with a data sheet attached. The request is of an urgent nature, and it is pointed out that the files are protected and ''proper access is required to gain access.''

This is an unusual attempt at credential theft, compared to the typical cases and, in some respects, well done.
In fact, the email seems to come from a reliable address, traceable to the sender company. Moreover, in the signature, along with the logo, identifying data (address, phone no. and website) are given, that seem reliable and traceable to the company ''victim'', used to convey the scam.
The text does not have any particular grammatical or syntax errors, but the request is very strange and unusual, because it requires logging in to download a file for a simple request for a quote.

Considering all this, we warn you that the WEB page has already been reported as a DECEPTIVE page/SITE, as it is run by cyber criminals, whose goal is to get hold of your most valuable data, to use them for criminal purposes.

August 08, 2023 ==> Phishing Account Posta Elettronica (Email Account)

SUBJECT:  <Request for reset>

We analyze below another phishing attempt, that aims to steal the victim's e-mail account credentials.

The message, in English, warns the recipient that his mailbox password expires today. It then informs the victim, that he can change his password or continue using his current one.
The related account is then shown, and the user is invited to change the password by clicking on the following link:

Keep the same password

Examining the email, we notice that the message comes from an email address not traceable to the server hosting the mailbox <info(at)bronus(dot)uz>. This is definitely anomalous and should, at the very least, make us suspicious.

August 07 - 29, 2023==> Phishing Banca Popolare di Sondrio

«SUBJECT: <Imр о rtа ntе : Α ttivа lа nuо vа а р р SϹ RIGNО Idе ntiТ е l > (Important: Activate the new SϹRIGNОIdеntiТel app)

We find again this month the following phishing attempts, both of which come as a fake e-mail from Banca Popolare di Sondrio aimed to steal the victim's home banking login credentials.

EXAMPLE 1

EXAMPLE 2

 

In both examples the message, which appears to come from Banca Popolare di Sondrio, reports the opportunity of activating the new SCRIGNOIdentiTel, that provides easier and more secure access to banking services. The activation must be completed within 7 days, to ensure access to the full services offered by the banking institution.
Clearly, for people who are not Banca Popolare di Sondrio's customers, it is more intuitive to understand that this is a real scam. However, even for the customers of the institution, it is not difficult to realize the computer fraud.
Let's see what are the alarm bells we should pay attention to.
First, both messages come from an email address that cannot be related to the Banca Popolare di Sondrio's domain.
This is definitely abnormal and should already make us suspicious.
To make it more reliable, in the second example we can see in the signature that identifying references of Banca Popolare di Sondrio are given, which would seem to be trustworthy as well.
It remains highly unusual the request to enter credentials to home banking via e-mail.

Anyone who unluckily clicks on the link Attiva ora (Activate now), will be redirected to an anomalous WEB page, which has nothing to do with the official website of Banca Popolare di Sondrio.

From the image on the side we can see that the web page is graphically well done and is a good simulation of the official website of the new Banca Popolare di Sondrio Scrigno portal.
To make the whole thing more reliable and induce the victim to access the portal, the cyber-criminals also had the foresight to report, at the bottom, some authentic data of Banca Popolare di Sondrio, such as address and C.F./VAT number.
As we scroll down the page, we also notice that reassuring guidance is provided on how to request assistance and block the utility or a card ...all with the aim of further reassuring the user about the truthfulness of the portal, although many links do not lead to any of the pages we might expect.

Given these considerations, we urge you to pay close attention to any misleading details and to remember, as an important rule, to examine the url address of the authentication form, before proceeding to enter sensitive data, (such as home banking credentials i.e. User Code and PIN).

The landing page url address in this case is :

https[:]//formatic[-]arles[.]fr/wp1/online/login[.]php

which has nothing to do with the official site of Banca Popolare di Sondrio.

This DECEPTIVE page/WEBSITE is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

August 07, 2023 ==> Phishing Account Posta Elettronica

(Email Account)

SUBJECT: <Storage Quota is full>

We analyze below the phishing attempt that aims to steal the victim's e-mail account.credentials

The message, in English, informs the recipient that his mailbox storage space is full, and that he may not be able to receive and send e-mail.  It then invites him to clean his mailbox to recover storage space or to purchase new additional space, through the following link:

Get Storage

Examining the email, we notice that the message comes from an email address not  traceable to the server hosting the mailbox <info(at)meccalte-russia(dot)ru>. This is definitely anomalous and should, at the very least, make us suspicious.


Anyone who unluckily clicks on the link Get Storage, will be redirected to an anomalous WEB page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page you are redirected to, to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:

https[:]//ipfs[.]io/ipfs/bafybeieqlwtfgsuoadajqrl3f2cxebzs24hh3r5....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks .

August 07, 2023 ==> Phishing Mooney

«SUBJECT: < Posta importante > (Important mail)

This month again we find the following phishing attempt, coming as a false communication from Mooney, the Italian Proximity Banking & Payments company.

The message informs the recipient that his account is temporarily locked, because he has not yet updated his account information.
It then invites him to update and activate 3DS dual authentication, via the following link:

Abilita l'autenticazionea a due fattori (Enable two-factor authentication)

This time the phishing campaign simulates a communication  from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails. These are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Examining the text of the message, we notice right away that the alert message comes from an e-mail address not traceable to Mooney's domain <True7-11_SriThat(at)truecorp(dot)co(dot)th>, although the cybercriminal had the foresight to include the company's well-known logo. We should always be careful before clicking on suspicious links.

Anyone who unluckily clicks on the link  Abilita l'autenticazionea a due fattori (Enable two-factor authentication), will be redirected to an anomalous WEB page, which has nothing to do with the official Mooney's website,  but has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.

August 05, 2023 ==> Phishing Poste Italiane (Italian postal service)

SUBJECT:< Avviso > (Notice)

Let's analyze the following phishing campaign, which comes via an e-mail that, exploiting graphics stolen from, or similar to those of PosteItaliane  (Italian postal service), tries to pass itself off as an official communication, to induce the unsuspecting recipient to insert his data, falling into this trap based on social engineering techniques.

The message warns the recipient that his account has been temporarily suspended. To reactivate it, the victim must update his information in order to come back to normal operation. The update process takes only a few minutes, to get started just click on the following link:

https[:]//securelogin[.]poste[.]it

Examining the email, we notice right away that the alert message comes from an email address not  traceable to the domain of PosteItaliane  <service(at)kingbrothers(dot)jp>.
This is definitely anomalous and should make us suspicious, even though the cybercriminal had the graphic foresight to include the well-known PosteItaliane logo, that could mislead an inexperienced user.

The purpose is to get the recipient to click on the link https[:]//securelogin[.]poste[.]it
which, we would like to point out, redirects to a page that has nothing to do with the official PosteItaliane's website but which has already been reported as a DECEPTIVE  WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

August 04 - 09, 2023 ==> Phishing Aruba - Dominio in scadenza (Expiring domain)

Below we find the following phishing attempts, which come as a false communication from Aruba.


In the examples above, which are very similar, the customer is notified that his domain, hosted on Aruba, is about to expire and therefore it is necessary a renewal to avoid the deactivation of all services, including the mailboxes, and the stop to the use of messages. He is thus invited to renew the domain by completing the order through the links provided in the email.

The purpose is obviously to get the user to click on the link in the email:

RINNOVA IL DOMINIO o RINNOVA ORA CON UN CLICK (RENEW THE DOMAIN) or (RENEW NOW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

To detect these phishing attempts, it is first of all necessary to analyze the sender's e-mail address which, as we can see in the 2 cases shown (<infos(at)beautiful-aura(dot)de>; Communications_Aruba  -in this case the address is hidden -) definitely do not come from Aruba's official domain.

Most often these messages are poorly written emails, that contain spelling errors or renewal requests for not expiring services, as they leverage the urgency or security of our data, to get the user enter his information.

It's also important to examine the links or attachments that these messages contain. They usually redirect to a counterfeit website, where you are asked to enter your personal information, such as your account username and password or your credit card, to make account renewals. If these data are entered, they will be used by cyber criminals for illegal purposes.

August 02, 2023 ==> Phishing Scotiabank

«SUBJECT:: <Bill payment made to by your account >

We analyze below a new phishing attempt that comes via a fake e-mail from Scotiabank, the Bank of Nova Scotia, a Canadian multinational corporation, with the goal to steal the victim's home banking login credentials.

The message informs the recipient that he received a payment for an invoice for the accommodation of one of his clients. It then invites him to view the receipt and confirm the payment, via the following link:

View Remittace Slip

Examining the email, we notice right away that the alert message comes from an email address not  traceable to the Scotiabank's domain <info(at)bonum-trailer(dot)ru> . This is definitely abnormal and should make us suspicious. Moreover the payment refers to an overnight stay by a client, which is somewhat bizarre if the recipient is not used to entertain this type of relationship with his clients.

However the cybercriminal had the graphic foresight to insert the banking institution's logo and identification/fiscal data at the bottom of the message, to make it more truthful and mislead an inexperienced user.

The purpose is to induce the receiver to click on the link View Remittace Slip,  which, we would like to point out, links to a page that has nothing to do with Scotiabank's official website but has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

August 01, 2023 ==> Smishing: PERONI

Below we analyze the following text message scam attempt behind a fake communication, exploiting the well-known brand name Birra Peroni.

If you have received the link reported on the side, be careful as it is a scam attempt aimed to steal your personal information.
Below is the link we are going to examine:

https[:]//birraperoni[.]it[@]tinyme[.]ru/QiUNDWjt/?mini-frigoriferi-gratuiti[.]html


Below are the 4 questions in the questionnaire, which are very general. To make the thing more reliable, at the bottom are reviews of other customers who would seem to have received the fantastic prize!

"The prize arrived at my house on time and in excellent condition"
"I thought it was a scam, but it arrived this morning!" and others...

Question 1 of 4

Question 2 of 4

Question 3 of 4

Question 4 of 4

tinyme[.]ru
 
The goal of this message is to induce the user to enter his personal information and, to make it more truthful, positive comments from other users, who apparently received their prize, are also reported...

To conclude, we always urge you to be wary of any email asking for confidential data, and to avoid clicking on suspicious links, that could lead to a counterfeit site, difficult to distinguish from the original one, because you put your most valuable data in the hands of cyber crooks for their use.

A little bit of attention and glance, can save a lot of hassles and headaches....

We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
 
We invite you to check the following information on phishing techniques for more details:

03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023..
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in  June 2023....
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in  May2023....
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April2023.....
03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in  March 2023.
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in  February 2023....
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in  January 2023....
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in  December 2022.....
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022....
05/10/2022 11:55 -Phishing: the most common credential and/or data theft attempts in October 2022......
06/09/2022 15:58 - Phishing: the most common credential and/or data theft attempts in September 2022.
04/08/2022 16:39 -  Phishing: the most common credential and/or data theft attempts in August 2022....

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:

• freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
• fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
• it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
• through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
• proceed to  download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android^TM Devices

VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) where you can downoad the Lite version, which can be freely used in both private and business settings.

You can upgrade to the PRO version by purchasing it directly from our website=> click here to order

 

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities, to our Research Center that allowed us to make this information as complete as possible.

How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:

1. any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)