03/11/2023
08:58

Phishing: the most common credential and/or data theft attempts in NOVEMBER 2023


Find out which phishing attempts you are most likely to encounter, and how to avoid them.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in November 2023:

29/11/2023 => DHL
29/11/2023 => Smishing - il tuo pacco è stato consegnato (Your package has been delivered)
23/11/2023 => PEC Polizia Provinciale  (Provincial Police Certified Email)
17/11/2023 => Subito
17/11/2023 => Agenzia delle Entrate (Revenue Agency)
16/11/2023 => Aruba - Disattivazione casella (Mailbox deactivation)
15/11/2023 => Mooney
14/11/2023 => Account di Posta elettronica (Email Account)
13/11/2023 => Zimbra
13/11/2023 => Istituto Bancario (Bank)
13/11/2023 => Agenzia delle Entrate (Revenue Agency)
09/11/2023 => Aruba
07/11/2023 => SexTortion
06/11/2023 => Smishing Nexi
02/11/2023 => Aruba
01/11/2023 => Istituto Bancario (Bank)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

November 29, 2023 ==> Phishing DHL

SUBJECT: <DHL: Tax Payment Needed for Package Release Ref#1588968>

The following is a new phishing attempt, which is presented as a false notification of a package delivery by DHL.

[Image: fake DHL e-mail stating that the shipment is awaiting delivery; it is a scam]
The message, in English, notifies the unsuspecting recipient that his shipment is on hold because customs duties have not been paid. We notice, however, that no order or shipment reference is reported: the only reference to a courier (in this case the well-known DHL name was exploited, and DHL has nothing to do with these fake communications) is given in the subject line of the e-mail.
The user is then asked to pay the $3.57 customs clearance fee in order to receive his shipment. To pay, you just need to follow the procedure indicated by the provided link:

Receive the package

The alert email comes from an email address that is not traceable to DHL's domain <smtpfox-5lxrw(at)xuuch(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page that has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.




November 29, 2023 ==> Smishing ''Il tuo pacco è stato consegnato'' (Your package has been delivered)

We analyze below a new attempt to steal sensitive data, which arrives through a deceptive text message.
[Image: fake SMS informing the recipient that his package has been delivered; it is a scam]

The message, which we show on the side, refers specifically to the delivery notification of a shipment. It informs the recipient that the order was delivered on 28-11-2023 to the delivery point, and gives pickup info at the link provided.

The message seems to come from the GLS courier company, however no identifying information about the shipment - such as the order number or tracking reference - is given.
The purpose is clearly to get the user to click on the link:

fjm***.com/Z****c

which redirects to a web page that has, as always, the goal of inducing the user to enter sensitive data.
Let’s analyze it in detail below.

If we click on the link in the text message, we are redirected to a web page intended to simulate the official GLS site. Although the site is graphically well done, the URL address in the browser bar <<stellait[.]life>> is anomalous and not traceable to any transportation company.
[Image: fake courier site where a pending shipment is supposedly tracked; it is a scam]
A first screen shows a precise tracking reference code (GLS910029334). Then, when we click on ''Monitor your order'', a new screen informs us that the delivery is pending at the distribution center, due to a missing payment of Euro 2.00 related to shipping costs.
 
[Image: fake courier site where a pending shipment is supposedly tracked; it is a scam]
Continuing on, clicking on ''Programma la consegna adesso'' (Schedule delivery now), a new screen invites us to choose the mode for a new delivery and, next, when we prefer the delivery to take place.
[Image: fake courier site where a pending shipment is supposedly tracked; it is a scam]
Here we finally conclude the shipment rescheduling procedure, which should finish with the data confirmation. However, for the delivery to take place, the payment of the shipping charges is required...
[Image: fake courier site where a pending shipment is supposedly tracked; it is a scam]

[Image: fake FORM to unlock a pending shipment, asking for credit card details; it is a scam]
Here is the surprise.
After clicking on ''Inserisci le informazioni per la consegna'' (Enter delivery information), we are in fact redirected to a data entry FORM that requires - in addition to ''First Name'', ''Last Name'', ''Address'', ''Phone Number'' and ''E-Mail'' - our own credit card information. This is necessary to pay the modest amount of € 2.00 related to the shipping costs of the package.

We see that the form page has a URL different from the previous one <<fireoffer4u[.]net>>, but it is still completely untrustworthy, and is not referable to any transportation company site.

The purpose of this whole procedure is to prompt the user to enter his/her personal data.
On the side we show in detail the screenshot of the completion form.


To conclude, we always urge you to be wary of any email asking for confidential data and to avoid clicking on suspicious links, which may lead to a counterfeit site, difficult to distinguish from the original one. In fact you could put your most valuable data in the hands of cyber crooks.

November 23, 2023 ==> Phishing via PEC Polizia Provinciale (Phishing via Provincial Police Certified Email)

SUBJECT: <Rapporto sinistro n 417/2023 del 19/08/2023> (Accident report n 417/2023 dated 19/08/2023)

Beware of the following phishing attempt - a fake communication from the Polizia Provinciale di Pescara, (Pescara Provincial Police) - reported also on the Police official website.


[Image: fake e-mail from the Polizia Provinciale di Pescara inducing the user to click on the link; it is a scam]
The message, with number and date, notifies the recipient of an accident report, supposedly involving him or her and seemingly signed by the "Uff. Infortunistica" (Accident Office) of the Pescara Police Department. It then invites the victim to view the report by opening the attachment:

"VERBALE SINISTRO.pdf" (ACCIDENT REPORT.pdf)


Analyzing the text, it seemingly comes from the very PEC (Certified Email) address of the Province of Pescara <******(at)pec(dot)provincia(dot)pescara(dot)it>. Clearly the public authority is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Anyone who unluckily clicks on the attachment will be redirected to the page displayed here.
[Image: fake Aruba site reached from the link in the PEC; it is a scam]
First of all, the landing page does not refer to the accident report mentioned, but hosts the login form for Aruba's RESTRICTED AREA, where you are directly asked to enter your credentials.
Moreover, the URL address shown in the browser bar is not from Aruba's official domain:

https[:]//webarubaloginemailitalia[.]com/i/account.....

We therefore urge you not to click too quickly on links when you receive this kind of message, and to pay attention to every detail, even trivial ones.
If you enter the requested data, in this case e-mail account data, the information will be delivered to the cyber criminals responsible for the scam, who will use it for criminal purposes.


November 17, 2023 ==> Phishing Subito

SUBJECT: <hai messaggi non ricevuti sul sito subito> (you have unreceived messages on the "subito" website)

Here is a new phishing attempt, coming as a fake communication from Subito.it.

[Image: fake Subito.it e-mail stating that there are unreceived messages on your account; it is a scam]
The message informs the recipient about unreceived messages related to his or her ads on Subito.it, because the account has been blocked for spam.
It then warns him/her that, in order to unblock the mailbox, he/she needs to contact technical support through the following link:

Cliccando qui (Clicking here)


Clearly, the well-known free ads company Subito.it is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address <emailserviz(at)subito(dot)it> might mislead an inexperienced user, but it is not from the official domain of Subito.it.

Anyone who unluckily clicks on the Cliccando qui (Clicking here) link will be redirected to an anomalous WEB page which, as we can see from the side image, does not contain any reference to Subito.it. Moreover we see that it is hosted on an anomalous address/domain, reported below:

https[:]//tawk[.]to/chat/64baa650cc26a871.....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server, and used by cyber crooks with all the associated, easily imaginable, risks.






November 16, 2023 ==> Phishing Aruba - Disattivazione casella e-mail (Mailbox deactivation)

SUBJECT: <Disattivazione casella e-mail per scadenza dominio xxx@xxx> (Mailbox deactivation due to xxx@xxx domain expiration )

During November, phishing attempts pretending to be communications from the Aruba brand continued.

[Image: fake Aruba e-mail inducing the user to renew the domain; it is a scam]
The message informs the recipient that his/her domain hosted on Aruba, and linked to his/her e-mail account, will expire on 16/11/2023. It then tells him/her to renew the services manually, in order to avoid the deletion of the account and the deactivation of all services associated with it, including mailboxes (so that he/she can continue receiving and sending messages).
It then invites the user to log in via the following link to renew the services:

RINNOVA IL DOMINIO (RENEW THE DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

If we analyze the text of the message, we notice right away that the sender's e-mail address <postmaster(at)onedk(dot)net> is not from Aruba's official domain.
In order to induce the victim to proceed with the renewal of his mailbox in a timely manner, the expiration date of 16/11/2023 is indicated, which incidentally corresponds to the date the e-mail was received... therefore there is not much time left to carry out the renewal and prevent the deactivation of services. The technique of indicating a deadline within which the procedure must be concluded is intended to urge the user to act immediately and without much thought.
Anyone who unluckily clicks on the link will be redirected to the page displayed here.
[Image: fake Aruba site asking for payment of the domain renewal; it is a scam]
As we can see, first of all the landing page - unlike what we should expect - does not refer to Aruba's LOGIN RESERVED AREA, but hosts an online payment form, seemingly relying on BancaSella's circuit. Here we are directly asked to enter our credit card details to pay the modest amount of Euro 5.42...
Although the hurry and the fear of mailbox suspension may push the user to quickly conclude the operation, if we look at the URL address in the browser bar, we realize that the payment form is not on the official domain of Aruba or even of BancaSella:

https[:]//arubahost[.]assistenzastaff[.]net/xL6432....

We therefore urge you not to hurry when you find this kind of email, and pay attention to every detail, even trivial ones.
By proceeding to enter the requested data - in this case credit card information - this information will be delivered to the cyber criminals behind the scam, who will use it for illegal purposes.


November 15, 2023 ==> Phishing Mooney

SUBJECT: < Le nostre condizioni di utilizzo sono cambiate. È necessario un aggiornamento immediato! > (Our terms of use have changed. An immediate update is needed!)
 
Below we analyze the following phishing attempt, coming as a false communication from Mooney, the Italian Proximity Banking & Payments company.

[Image: fake e-mail from Mooney, the online payment system, attempting to steal the recipient's sensitive data]
The message informs the recipient that he/she needs to update his or her personal data "in accordance with the Second Payment Services Directive (PSD2). From now on, strong authentication is required for all our customers every 90 calendar days."
It then invites him/her to update his/her profile, through the following link:

Autenticazione (Authentication)

This time the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails, that are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.


Analyzing the text of the message, we notice right away an e-mail address that could mislead an inexperienced user, but that does not come from Mooney's official domain: the display name <customer service(at)mooney(dot)it> was probably used as a label to hide the real sender. Although the cybercriminal had the foresight to include the well-known company logo, we should always pay close attention before clicking on suspicious links.


Anyone who unluckily clicks on the Autenticazione (Authentication) link will be redirected to an anomalous WEB page, not referable to Mooney's official website, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.


November 14, 2023 ==> Phishing Account Posta Elettronica (Email Account)

SUBJECT: <Your account ***** password expire today>

We analyze below the phishing attempt that aims to steal the victim's e-mail account credentials.

[Image: fake e-mail from the e-mail account administrator, inducing the recipient to click on the links in order to steal the account login credentials]

The message, in English, informs the recipient that his/her mailbox password is expiring, and if he/she doesn't change the password within 3 hours after opening this email, it will be changed automatically. It then invites the victim to keep his/her password, using the following link:

Keep Current Password

If we analyze the e-mail, we notice that the sender's address <hosting(at)oxbridgefinance(dot)com(dot)au> is not traceable to the mailbox server. This is definitely anomalous and should, at the very least, make us suspicious.

[Image: counterfeit site that clearly has nothing to do with the e-mail account server]
Anyone who unluckily clicks on the Keep Current Password link will be redirected to an anomalous WEB page which, as you can see from the image on the side, is not referable to the e-mail account provider.
The page you are redirected to, asking for your mail account credentials, is hosted on an anomalous address/domain, reported below:

https[:]//fleek[.]ipfs[.]io/ipfs/QmNvxkzXwBmc6d4LG3a9M39s9.....

We always urge you to be careful, and avoid entering your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.




November 13, 2023 ==> Phishing Zimbra

SUBJECT: <Centro Assistenza> (Service Center)

This month we find a new phishing attempt pretending to be a communication from the Zimbra brand.

[Image: fake Zimbra e-mail inducing the user to update his/her account; it is a scam]
The message informs the recipient that, due to an update on Zimbra's servers, he/she needs to update his/her account to avoid its suspension, supposedly in order to increase the security level of the services.
It then invites the user to log in to update his or her account, via the following link:

Clicca qui (Click here)

Clearly, the well-known Zimbra application software company is unrelated to the mass sending of these emails, which are true scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address <vacina(at)tapes(dot)rs(dot)gov(dot)br> is not from the official domain of Zimbra.

Anyone who unluckily clicks on the link will be redirected to the page displayed here.
[Image: fake Zimbra site asking the user to log in to his account; it is a scam]

As we can see, first of all the landing page where we are redirected is graphically well laid out, and may lead the victim to think that he or she is on the Zimbra page.
The account management login page, however, is hosted on an anomalous address/domain that cannot be related to Zimbra's official domain, and which we report below:


https[:]//firebasestorage[.]googleapis[.]com/v0/b/uueiimiwoowoui903[.]appspot[.]com.....

We therefore urge you, when you receive such an e-mail, not to act hastily and to pay attention to every detail, even trivial ones.
If you enter the requested data - in this case e-mail account information - they will be delivered to the cyber criminals behind the scam, who will use them for criminal purposes.




November 13, 2023 ==> Phishing Istituto Bancario (Bank)

SUBJECT: <Trasferimento di credito > (Credit transfer)

The following is another phishing campaign, spread through an e-mail that uses graphics stolen from, or similar to those of, a well-known national banking institution. It thus tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to enter his data and fall into a social engineering trap.


[Image: fake e-mail from a well-known bank, attempting to steal home banking data]
The message alerts the unsuspecting recipient that a customer has asked the bank to make a deposit on his behalf. The invoice and a copy of the related payment are attached to the e-mail. Indeed, we notice the presence of the attachment copia_del_pagamento.shtml (copy_of_the_payment.shtml).
We can see right away that the alert message comes from a very suspicious e-mail address <nannisport(at)live(dot)it>. This is anomalous for such official communications.
The purpose is to get the victim to open the attachment to check it, but it is definitely peculiar that the file is .shtml (in fact a web page) and not a classic .pdf file, as expected.
[Image: counterfeit site that clearly has nothing to do with the well-known bank]
In fact, anyone who unluckily opens the attachment will be redirected to an anomalous WEB page, completely different from the official website of the well-known Banking Institution.
Looking at the side image, we can also realize that the page isn't a simulation of the bank's website, as expected, but an Aruba form asking for an email address and password... therefore, we are facing an attempt to steal our email credentials.
Given these considerations, we urge you to pay close attention to any misleading details and to verify the url address of the authentication form - as well as assessing the legitimacy of the request - before entering sensitive data.
The Banking Institution, of course, is clearly unrelated to the mass sending of these phishing campaigns. However, if in doubt, we also urge you to check the Bank's official website, which often warns of attempted scams exploiting its brand.

November 13 - 17, 2023 ==> Phishing Agenzia delle Entrate (Revenue Agency)

SUBJECT: <Avviso Raccomandata #AR3099****>(Registered Mail notice #AR3099****)

Below we analyze another phishing attempt, that shows up through a fake message from Agenzia delle Entrate  (Revenue Agency).
[Image: fake Agenzia delle Entrate e-mail informing of a pending administrative notification; it is a scam]
The message informs the recipient that a new notification addressed to him is available, with the following information:

    • Ente Emittente: Agenzia delle Entrate  (Issuing Body:  Revenue Agency)
    • Titolare: indirizzo email del ricevente (Holder: Receiver Email)
    • Soggetto: Notifica Amministrativa (Subject: Administrative Notification)
    • Protocollo n.: AR3099****  (Protocol No.: AR3099****)
Analyzing the alert, we notice first of all its anomalous e-mail address, i.e. <agency[.]revenue(at)vvstjoost(dot)nl>, which is not hosted on the official domain of Agenzia delle Entrate (Revenue Agency).
The notice is also very generic; in fact, it is addressed to ''Gentile contribuente'' (Dear Taxpayer) without reporting his/her first and last name. Not even in the administrative notification do we find references about the Holder: only the e-mail address of the recipient is given, which is certainly not identifying information for tax purposes.
Two links are then provided below, to access the notification:
"https[:]//www[.]agenziaentrateriscossione[.]gov[.]it/it"
"notifica"
They both redirect to the link:
https://navadvisoryllc[.]com...
which is definitely suspect.
Anyone who unluckily clicks on the links will be redirected to a counterfeit web page that has nothing to do with the official website of the Agenzia delle Entrate (Revenue Service).

The landing page has already been reported as a DECEPTIVE PAGE/WEBSITE, since it is run by cyber criminals, whose goal is to get hold of your most valuable data, in order to use them for criminal purposes.


November 09, 2023 ==> Phishing Aruba

SUBJECT: <Dominio in scadenza, per rinnovare?> (Expiring domain, to renew?)

Here we find again this month another phishing attempt coming as false communication from Aruba.

[Image: fake Aruba e-mail stating that the domain is expiring; it is a scam]
The message alerts the receiver that his/her domain, hosted on Aruba, is expiring on 09/11/2023. The victim is then requested to renew the domain to avoid the deletion of the account and the deactivation of all services associated with it, including the use of the mailbox. The renewal procedure is described as simple and automatic, and can be done fully autonomously from the link given below:

RINNOVA (RENEW)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address is not from the official domain of Aruba, but a label is used to hide the sender.

Anyone who unluckily clicks on the link RINNOVA (RENEW), will be redirected to an anomalous WEB page, not referable to Aruba's official website, but that has already been reported as a DECEPTIVE WEBSITE/PAGE because it is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use them for illegal purposes.
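The checks applied by hand in the cases above (a brand name or address used as a sender label while the real address sits on another domain, link text showing an official URL that points elsewhere, links leaving the brand's domain, a web-page attachment such as .shtml where a .pdf was expected, and a deadline equal to the day the mail arrived) can be scripted for mail triage. The following is an added example and not TG Soft's code; the brand allowlist, the sample message and its domains are constructed placeholders.

```python
# Heuristic triage of one e-mail, scripting the manual checks made in the
# report above.  Added example; allowlist and sample message are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed allowlist of official domains per brand (placeholder, not from the report).
OFFICIAL_DOMAINS = {
    "aruba": ("aruba.it",),
    "mooney": ("mooney.it",),
    "agenzia delle entrate": ("agenziaentrate.gov.it", "agenziaentrateriscossione.gov.it"),
}
RISKY_ATTACHMENTS = (".shtml", ".html", ".htm")  # a web page where a .pdf is expected
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)
DATE_RE = re.compile(r'\b(\d{2}/\d{2}/\d{4})\b')
TAG_RE = re.compile(r'<[^>]+>')


def host_of(text):
    """First host name found in a URL or in free text ('' if none)."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""


def on_domain(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def brands_mentioned(text):
    t = text.lower()
    return {b for b in OFFICIAL_DOMAINS if b in t}


def triage(raw_message):
    """Return a list of (check, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = brands_mentioned(display) | brands_mentioned(str(msg.get("Subject", "")))
    official = tuple(d for b in claimed for d in OFFICIAL_DOMAINS[b])
    # 1. A brand is named in the display name or subject, but the real sender is elsewhere.
    if claimed and not on_domain(sender_domain, official):
        findings.append(("sender-label", f"'{display}' sent from {sender_domain}"))
    # 2. The display name itself looks like an address: a label hiding the real sender.
    if "@" in display or "(at)" in display.lower():
        findings.append(("address-in-label", display))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, anchor in HREF_RE.findall(html):
        target, shown = host_of(href), host_of(TAG_RE.sub("", anchor))
        # 3. The visible link text names one host while the real target is another.
        if shown and target and shown != target:
            findings.append(("link-text-mismatch", f"{shown} -> {target}"))
        # 4. The link leaves the claimed brand's official domains.
        if official and target and not on_domain(target, official):
            findings.append(("off-brand-link", target))
    # 5. A web page (.shtml/.html) attached where a document would be expected.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(("web-page-attachment", name))
    # 6. A deadline in the body equal to the day the mail was received.
    if msg.get("Date"):
        received = parsedate_to_datetime(str(msg["Date"])).strftime("%d/%m/%Y")
        if received in DATE_RE.findall(TAG_RE.sub(" ", html)):
            findings.append(("same-day-deadline", received))
    return findings


# Constructed sample modelled on the Aruba "domain expiry" mail; the sender
# domain and the link hosts are placeholders, not the real ones from the report.
SAMPLE = """\
From: "Aruba - postmaster@aruba.it" <postmaster@mailer.example.net>
Subject: Disattivazione casella e-mail per scadenza dominio
Date: Thu, 16 Nov 2023 09:12:00 +0100
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Il tuo dominio scade il 16/11/2023. <a href="https://arubahost.assistenza.example.net/xL6432">RINNOVA IL DOMINIO</a></p>
<p>Oppure: <a href="https://renew.example.net/go">https://www.aruba.it/rinnovo</a></p>
--b1
Content-Type: text/html; name="copia_del_pagamento.shtml"
Content-Disposition: attachment; filename="copia_del_pagamento.shtml"

<html></html>
--b1--
"""

if __name__ == "__main__":
    for check, detail in triage(SAMPLE):
        print(f"{check:22} {detail}")
```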
 

November 07, 2023 ==> SexTortion

This month we find the SexTortion-themed SCAM campaign again. The e-mail seems to suggest that the fraudster has accessed the victim's device and, as alleged proof of the breach, the cyber criminal points out that the e-mail comes from the victim's own e-mail address. In these cases the address is simulated with labels to pretend a breach of the victim's account. The criminal uses this deception to blackmail him, requesting a sum of money in Bitcoin in exchange for not sending his e-mail and social contacts a private video of him looking at adult sites. The alleged password of the victim's account is also given as further evidence of the breach.

The following is an extract from the text of the email on the side:

[Image: e-mail BLACKMAIL attempt, threatening to send out a video of the user while watching ADULT sites]
" Sadly, there are some bad news that you are about to hear. About few months ago I have gained a full access to all devices used by you for internet browsing. Shortly after, I started recording all internet activities done by you. Below is the sequence of events of how that happened: Earlier I purchased from hackers a unique access to diversified email accounts (at the moment, it is eally easy to do using Internet). As you can see, I managed to log in to your email account without breaking a sweat: (****). Here is the proof I hacked this email. Your password at the time when I got access to your email:(***). Within one week afterwards, I installed a Trojan virus in your Operating Systems available on all devices that you utilize for logging in your email. To be frank, it was somewhat a very easy task (since you were kind enough to open some of links provided in your inbox emails). I know, you may be thinking now that I’m a genius. With help of that useful software, I am now able to gain access to all the controllers located in your devices (e.g. video camera, keyboard, microphone and others). As result I managed to download all your photos, personal data, history of web browsing and other info to my servers without any problems. Moreover, I now have access to all accounts in your messengers, social networks, emails, contact list, chat history – you name it...During the process of your personal info compilation , I could not help but notice that you are a huge admirer and regular guest of websites with adult content… in case if you still have doubts, all I need is to click my mouse and all those nasty videos with you will be shared to friends, collegues and relatives of yours."

Next the victim is asked to send $1290 USD in Bitcoin to the wallet listed below: "17ycXXXXXXXXXXXXXXXXXXXXXXXWaZ". After receiving the transaction all data will be deleted; otherwise a video depicting the user will be sent to all colleagues, friends and relatives. The unfortunate person has 48 hours to make the payment!

Analyzing the payments made on the wallets in the various SexTortion campaigns found this month by our Research Center, we report the transactions recorded as of the date of 22/11/2023:

Wallet "17ycXXXXXXXXXXXXXXXXXXXXXXXWaZ" amount requested 1290 USD => No transactions found
Wallet "1EV3XXXXXXXXXXXXXXXXXXXXXXX9i7" amount requested 400 USD => results in a transaction worth 447.50 USD
Wallet "15PjXXXXXXXXXXXXXXXXXXXXXXXE3Q" amount requested 1800 USD => No transactions found

In such cases we always urge you:
  1. not to respond to these kinds of e-mails, not to open attachments or click on lines containing unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
  2. If the criminal reports an actual password of the user - usually a password obtained from public leaks (compromised data theft) of official sites that occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is recommended to:
    • have experienced personnel perform checks. Researchers and Analysts from the Anti Malware Research Center #CRAM of TG Soft are available to perform consultative verification activities on potentially compromised PCs / Servers;
    • only after this verification by qualified personnel experienced in spyware and/or malware, including and especially new-generation ones, and once the machine has been cleaned up, it is absolutely necessary to change the passwords of the web services in use on the PC.


November 06, 2023 ==> Smishing Nexi

We analyze below a new smishing attempt, behind a fake text message from Nexi.

[Image: fake SMS from NEXI attempting to steal the unsuspecting recipient's credit card codes]
The message, which we reproduce on the side, alerts the unsuspecting recipient that Nexi has limited the functionality of his Card/Account, due to PSD2 security failure. A link is provided to proceed with reactivation:

"http://*********-****-nexi[.]com"

Clearly, if the recipient of the text message is not a Nexi customer, he will find this message anomalous. In the specific case analyzed, however, the recipient actually is a Nexi customer, and the message shows up in the same chat thread where the codes that authorize payments made with the associated credit card are delivered. Therefore, it is crucial to know how to recognize these now widespread attempts at computer fraud. We should especially remember that under no circumstances does Nexi, or any other banking institution/payment circuit, require customers to provide their payment card details via e-mail, text message or call center.

In our case, we first notice that the text message received is very generic. It is in fact addressed to a ''Gentile cliente'' (Dear customer), without stating any identifying information about the account holder, something that should already be suspicious. Clearly the purpose of the cyber-criminals is to lead the user to promptly click on the link to reactivate the bank account or payment card.
However, already at a glance, we can see that the link does not correspond to the official website of the well-known payment circuit; in fact, it redirects to a page that has nothing to do with Nexi's official website.
Let's analyze it in detail below.

[Image: fake Nexi site inducing the victim to enter his account credentials; it is a scam]
As we can see from the image shown, the web page where we are redirected is really well done, in that it properly simulates Nexi's official website and is quite misleading, both graphically and textually.
In fact, in order to reassure the user about the authenticity of the page, the cyber-criminals had the foresight to insert Nexi's authentic logo and to set the page with the same graphics as the official site, so that some of the links included seem trustworthy. In fact, if we click on the logo or ''CHANGE PORTAL'', we are redirected to Nexi's official website, specifically the home page. The Privacy link below also matches the authentic one, in that it allows you to download Nexi's actual privacy policy.
The login page to account management, however, is hosted on an anomalous address/domain that cannot be traced back to Nexi's official domain, and which we list below:

"http://*********-****-nexi[.]com"

If you enter your Nexi account login information on this FORM to log into your account, it will be sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.



November 02, 2023 ==> Phishing Aruba

SUBJECT: <Non è stato possibile consegnare il tuo messaggio.risolvi ora.> (Your message could not be delivered. Resolve now)

We find again this month a phishing attempt that comes as a false communication from Aruba.

[Image: the fake Aruba e-mail stating that there are 2 pending messages on the mail account, but in reality it is a SCAM!]
The message informs the recipient that there are 2 new messages that were not delivered correctly to his mail account due to the new incoming mail regulation policy of the account whose domain appears to be hosted on Aruba. It then says that it is necessary to retrieve the outstanding messages through the following link:

Clicca qui per recuperare il messaggio
(Click here to retrieve the message)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address is not from the official domain of Aruba.

Anyone who unluckily clicks on the link ''Clicca qui per recuperare il messaggio'' (Click here to retrieve the message) will be redirected to an anomalous WEB page.

[Image: the fake Aruba site reached from the link in the e-mail, where the user is asked to authenticate... in reality it is a SCAM!]
From the side image, we notice that the web page hosting the mailbox access, which asks for E-mail and Password, simulates the official Aruba site quite well.
At a glance, however, we see that the login page is hosted on an anomalous address/domain:

https[:]//www[.]weliive[.]com/wp[.]admin/user.......

If you enter your data on this FORM, to perform verification/confirmation of your data, this information will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.



November 01, 2023 ==> Phishing Istituto Bancario (BANK)

SUBJECT: <[Aggiornamento] > (Update)

The following is another phishing campaign that spreads through an e-mail exploiting graphics stolen from, or similar to those of, a well-known national banking institution. It thus tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to enter his/her data and fall into a social engineering trap.

[Image: the fake e-mail from a well-known banking institution that tries to steal home banking data...]
The message alerts the unsuspecting recipient, that the banking app is expiring on 01/11/2023 and, in order to continue using online services, it is necessary to click on Login.
We can see from the outset, that the alert message comes from a very suspicious e-mail address <back-up(at)ianmd(dot)com> and contains very general text, although the cybercriminal had the graphic foresight to include the well-known banking institution logo, that could mislead the user.
The purpose is to get the victim to log in and renew the activation of his or her banking app.
To proceed with the renewal, you need to click on the following link: Login.

The e-mail looks graphically well done and carries identifying references of the well-known Banking Institution, such as its address and VAT number, that seem reliable. Nevertheless, it remains decidedly peculiar that a link requesting home banking credentials is sent via e-mail.
[Image: the counterfeit site, which clearly has nothing to do with the well-known banking institution...]
Anyone who unluckily clicks on the link Login, will be redirected to an anomalous WEB page, completely different from the official website of the well-known Banking Institution.
We can see, from the side image, that the web page is graphically well done and simulates the official website of the banking portal quite well.
In order to make it more trustworthy and induce the victim to access the portal, the cyber-criminals had the foresight to include some authentic data here at the bottom, such as address and T.C./VAT number.
As we scroll down the page, we also see other sub-menus providing various types of information such as service request, complaints, regulations etc. All these elements have the aim of further reassuring the user about the veracity of the portal, although many links do not lead to any of the expected pages.
With this in mind, we urge you to pay close attention to any misleading details remembering that, before proceeding to enter sensitive data - in this case home banking credentials i.e. Holder Code and PIN - it is crucial to analyze the url address where the authentication form is hosted.

The landing page in this case is hosted on the url address:

srv202929[.]hoster[-]test[.]ru/it/conto/

which has nothing to do with the official website of our banking institution.

This page/ DECEPTIVE WEBSITE is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.
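The check the article recommends for all three sites in this section (the Nexi login page, the Aruba mailbox page and the bank landing page), namely looking at the address where the authentication form is hosted and comparing it with the brand's official domain, can be automated. The following Python script is an added example written for this page, not code from TG Soft or its C.R.A.M.: it refangs the `[.]`-style addresses quoted here, extracts the host, and reports whether the registrable domain is the brand's official one, a lookalike that merely contains the brand name somewhere in the host (a subdomain or a hyphenated label, as in the Nexi case), or something unrelated. The official domains in `OFFICIAL_DOMAINS` (`nexi.it`, `aruba.it`) are assumptions for the example and must be verified against the brand's own published site, never against the e-mail or SMS under analysis; the redacted prefix of the Nexi address is replaced with a constructed placeholder, and the truncated Aruba path is cut where the article cuts it.

```python
from urllib.parse import urlsplit

# Assumed official domains, one set per brand (example values for this
# illustration; confirm them from the brand's own site, not from the message).
OFFICIAL_DOMAINS = {
    "nexi": {"nexi.it"},
    "aruba": {"aruba.it"},
}

# Sample addresses as quoted (defanged) in the article.  The Nexi host's
# redacted prefix is a constructed placeholder; the Aruba path stops where the
# article truncates it.
SAMPLES = [
    ("nexi", "http://redacted-prefix-nexi[.]com"),
    ("aruba", "https[:]//www[.]weliive[.]com/wp[.]admin/user"),
    ("bank", "srv202929[.]hoster[-]test[.]ru/it/conto/"),
]


def refang(url: str) -> str:
    """Undo the [.] [:] [-] defanging used when quoting malicious addresses."""
    return url.replace("[.]", ".").replace("[:]", ":").replace("[-]", "-")


def hostname_of(url: str) -> str:
    """Return the host part, tolerating addresses quoted without a scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # bare host/path, as the bank URL is quoted
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Fine for .com/.it/.ru as used here;
    multi-part suffixes such as co.uk would need the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def classify(brand: str, url: str) -> str:
    """'official'  : registrable domain is one of the brand's own domains
       'lookalike' : brand name appears in the host but is not the domain
       'unrelated' : brand name absent (generic hosting, as in the bank case)"""
    host = hostname_of(url)
    if registrable_domain(host) in OFFICIAL_DOMAINS.get(brand, set()):
        return "official"
    if brand.lower() in host.lower():
        return "lookalike"
    return "unrelated"


def classify_samples() -> dict:
    """Run the check over the addresses quoted in this section."""
    return {brand: classify(brand, url) for brand, url in SAMPLES}


if __name__ == "__main__":
    for brand, url in SAMPLES:
        print(f"{brand:6} {hostname_of(url):32} -> {classify(brand, url)}")
```

Only "official" means the form belongs to the brand. A "lookalike" verdict is a heuristic and should be treated as "verify by hand": legitimate third-party hosts can also contain a brand name, and, conversely, a page served from an unrelated hosting provider (as the bank landing page above) contains no brand name at all, which is exactly why the comparison must be made against the official domain rather than against the look of the page.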

 


A little attention and a careful glance can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.

We invite you to check the following information on Phishing techniques for more details:

03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023
03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in March 2023
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in February 2023
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite
has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This nevertheless allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have automatically installed themselves and to send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security is an Italian Anti-Malware app that protects Android™ smartphones and tablets from malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

VirIT Mobile Security, TG Soft's Anti-Malware for Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

You can upgrade to the PRO version by purchasing it directly from our website => click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect e-mail can be sent directly from the recipient's mail program to the following address: lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or, as the case may be, "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program in use. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

 

Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it”, with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: