11/12/2023
09:39

Phishing: the most common credential and/or data theft attempts in DECEMBER 2023...


Find out which phishing attempts you are most likely to encounter, and how to avoid them...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in December 2023:

28/12/2023 => Ricevuta di Pagamento QNB (Transaction Receipt QNB)
26/12/2023 => Aruba - Rinnova il tuo dominio (Renew your domain)
19/12/2023 => Webmail
17/12/2023 => Mooney
11/12/2023 => Agenzia delle Entrate (Revenue Agency)
07/12/2023 => SexTortion
04/12/2023 => Aruba - Disattivazione casella (Mailbox deactivation)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.

December 28, 2023 ==> Phishing QNB - Ricevuta di Pagamento (Transaction Receipt)

SUBJECT: <Transaction Receipt>

Below we analyse the phishing attempt coming as a fake communication from QNB, The Doha-based Qatar Online Bank.
Image: the fake QNB e-mail, from the supposed online bank, which tries to steal the recipient's sensitive data...


The message, in English, informs the recipient that the payment receipt is available and invites him/her to download the attached file containing it. To make the message more credible, a customer support telephone number is also provided in case of need.

Analysing the text of the message, we immediately notice that it comes from an e-mail address that looks plausible to an inexperienced user but does not belong to the official domain of QNB: a label <noreply(at)qnb(dot)com> was probably used to disguise the real sender. Always exercise caution before clicking on suspicious links.

Anyone who unluckily downloads the attachment will be redirected to an anomalous web page, unrelated to QNB's official website (https[:]//cloudflare-ipfs[.]com/ipfs/QmZanY...), which has already been reported as a DECEPTIVE WEBSITE/PAGE, as it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.



December 26, 2023 ==> Phishing Aruba - Rinnova il tuo dominio (Renew your domain)

SUBJECT: <Rinnova il tuo dominio ****** in scadenza> (Renew your expiring ****** domain)

Phishing attempts, pretending to be communications from the Aruba brand, continue in December.

Image: the fake Aruba e-mail inducing the user to renew the domain; in reality it is a SCAM!

The message informs the recipient that his/her domain, hosted on Aruba, expires on 26/12/2023, and warns that it must be renewed in order to avoid the cancellation of the account and therefore the deactivation of all the services associated with it, including the mailboxes and thus the sending and receiving of messages. The renewal procedure is described as simple and automatic, to be completed independently via the link shown below:

RINNOVA (RENEW)

Clearly, the well-known web hosting, e-mail and domain registration services company, Aruba, is uninvolved in the mass sending of these e-mails, which are real scams whose objective remains, as always, to steal sensitive data of the unsuspecting recipient.

Analysing the text of the message, we immediately notice that the sender's e-mail address does not come from Aruba's official domain; a label is used to hide the real sender.

Anyone who unluckily clicks on the RINNOVA (RENEW) link will be redirected to an anomalous web page, unrelated to Aruba's official site, which has already been reported as a DECEPTIVE WEBSITE/PAGE, as it is run by cyber-criminals whose aim is to get hold of your most precious data in order to use it for illegal purposes.

December 19, 2023 ==> Phishing Webmail

SUBJECT: <Ripara DNS: cancella cache> (repair DNS: clear cache)

Let's analyze below the phishing attempt that aims to steal the credentials of the victim's e-mail account.


Image: the fake e-mail from the supposed administrator of the e-mail account, which tries to induce the recipient to click on the links in order to steal the account's login credentials.
The message informs the recipient that, due to some unresolved technical errors, outgoing emails may not be delivered. It then invites him/her to clear the DNS cache of his/her mailbox in order to receive the mails, using the following link:

Tomar medidas para restaurar DNS (Take steps to restore DNS)

Analyzing the email, we notice that the message comes from an email address <secured_file67350(at)******(dot)it> that cannot be traced to the server hosting the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.

Image: the counterfeit Aruba site asking for the e-mail account login credentials... in reality it is a SCAM!

Anyone who unluckily clicks on the link Tomar medidas para restaurar DNS (Take steps to restore DNS) will be redirected to an anomalous WEB page which, as can be seen in the image, graphically simulates Aruba's page asking for the Webmail login credentials.
The page to which you are redirected, to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:


https[:]//www[.]insuranceinbaja[.]com/aswwwss/1ar[.]html#****

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.


December 17, 2023 ==> Phishing Mooney

SUBJECT: <Metti il tuo account in sicurezza> (Secure your account)
 
Below we analyze a phishing attempt that comes as a false communication from Mooney, the Italian Proximity Banking & Payments company.

Image: the fake Mooney e-mail, from the online payment system, which tries to steal the recipient's sensitive data...
The message informs the recipient that his/her account is temporarily locked for security reasons.
It then invites him/her to update his/her profile through the security steps indicated via the following link: 

Clicca qui per attivare (Click here to activate)

This time the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails: they are real scams whose goal remains, as always, to steal sensitive data from the unsuspecting recipient.

Analyzing the text of the message, we notice right away that it comes from an e-mail address <zahid(at)agileleaf(dot)com> that cannot be traced to Mooney's domain, although the cybercriminal had the foresight to include the company's well-known logo. Let's always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the Clicca qui per attivare (Click here to activate) link will be redirected to the page shown below.

Image: the fake Mooney site asking the user to log in to their account... in reality it is a SCAM!

As we can see, first of all, the landing page graphically simulates the official Mooney page, and this could mislead a user driven by haste to secure his/her account.
Although haste and the fear of account suspension may prompt users to enter their login information, we should always look at the URL shown in the browser's address bar. In this way we can see that the login form does not reside on Mooney's official domain:

https[:]//srv205225[.]hoster-test[.]ru/mnopanel/mnopanel/

We therefore urge you not to hurry when you find this kind of email, and pay attention to every detail, even trivial ones. By proceeding to enter the requested data - in this case credit card information - this information will be delivered to the cyber criminals behind the scam, who will use it for illegal purposes.



December 11, 2023 ==> Phishing Agenzia delle Entrate (Revenue Agency)

SUBJECT: <Avviso Raccomandata #AR762******> (Registered Mail notice #AR762******)

Below we analyze another phishing attempt that shows up as a fake message from Agenzia delle Entrate (Revenue Agency).

Image: the fake Agenzia delle Entrate e-mail announcing a pending administrative notification; in reality it is a SCAM!

The message informs the recipient that a new notification addressed to him/her is available, with the following information:
  • Titolare: indirizzo email del ricevente (Holder: recipient's e-mail address)
  • Ente Emittente: Agenzia delle Entrate-Riscossione (Issuing Body: Revenue Agency - Collection)
  • Protocollo n.: AR243****** (Protocol no. AR243******)
Analyzing the alert, we notice first of all its anomalous sender address, i.e. <AgenziadelleEntrateUfficion[.]83728@www[.]mbn[.]de>, which is not hosted on the official domain of Agenzia delle Entrate (Revenue Agency).
Even in the administrative notification we find no real reference to the Holder: only the recipient's email address, which is certainly not identifying information for tax purposes.
It is also peculiar that the protocol number given in the subject line of the notice (AR762******) differs both from the one in the body of the email (AR243******) and from the one present in the link (AR397******).
The link below is provided to access the notification:

"https[:]//www[.]agenziaentrateriscossione[.]gov[.]it/AR397******"

By hovering the cursor over it, we can immediately see that the link is misleading, since it points to a site other than the one shown in the text. The actual destination is:

https[:]//sharodotsav2017[.]tourismwbapp[.]in/legittimo?.....

which is definitely suspect.

In any case, anyone who unluckily clicks on the links will be redirected to a counterfeit website imitating the Agency's site.
From the image below we can see that the web page is graphically well made and acceptably simulates the official website of the Agenzia delle Entrate (Revenue Agency).
In order to make the email more trustworthy and induce the victim to access the restricted area, the cyber-criminals also had the foresight to include at the bottom some authentic data from the Agenzia delle Entrate (Revenue Agency), such as its address and tax/VAT number.

Image: the fake Agenzia delle Entrate site inducing the user to log in to their account; in reality it is a SCAM!

However, to access the Restricted Area, an email address and its password are required... therefore, we are facing an attempt to steal mailbox credentials.
We also highlight that, in order to access the platform of the Agenzia delle Entrate (Revenue Agency), interested parties must have an identity defined under the Public Digital Identity System (SPID, CIE or CNS) or credentials issued by the Agency. This should make us even more wary of the reliability of the request.
We underline, anyway, that the URL of the web page clearly cannot be referred to the official website of the Agenzia delle Entrate (Revenue Agency).
Given these considerations, we urge you to pay close attention to any misleading details, and remember to verify the URL where the authentication form is hosted - in addition to assessing the legitimacy of the request - before entering sensitive data.
Reminding you that Agenzia delle Entrate (Revenue Agency) is clearly uninvolved in the mass sending of these phishing campaigns, we invite you, in case of doubt, to check its official website, which has often reported attempted scams exploiting its brand.
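As an added example (not TG Soft's own code), here is a small Python checker for the two tells this bulletin keeps returning to: a "label" in the From: field that does not match the real sender's domain (the QNB, Mooney and Aruba cases above), and link text that names a different site from the one the href actually points to (the Agenzia delle Entrate case). The message it parses is constructed, with placeholder hosts.

```python
"""Flag two phishing tells: a From: display name ("label") that looks like an
address on the brand's domain while the real address sits elsewhere, and a
link whose visible text names one site while its href points to another."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the QNB label trick and the Agenzia delle
# Entrate link trick described above; all hosts are placeholders.
SAMPLE_EML = """\
From: "noreply@qnb.com" <bulk-sender@mailer.example.net>
To: victim@example.org
Subject: Transaction Receipt
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your notification is available at:</p>
<a href="https://landing.example.net/legittimo">https://www.agenziaentrateriscossione.gov.it/AR397000000</a>
<p>Support: <a href="https://www.qnb.com/support">QNB customer support</a></p>
</body></html>
"""


def _host(url):
    """Lowercase hostname of a URL, or None when there is none."""
    return (urlparse(url.strip()).hostname or "").lower() or None


def sender_findings(msg):
    """Compare the From: display name with the real addr-spec domain."""
    name, addr = parseaddr(msg["From"])
    real_domain = addr.rpartition("@")[2].lower()
    findings = []
    if "@" in name:  # the display name itself looks like an address
        label_domain = name.rpartition("@")[2].strip().lower()
        if label_domain != real_domain:
            findings.append(("label-domain-mismatch", label_domain, real_domain))
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """Report anchors whose visible URL names a host other than the href's."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else None
        actual = _host(href)
        if shown and actual and shown != actual:
            findings.append(("link-text-mismatch", shown, actual))
    return findings


def analyse(raw_eml):
    """Parse a raw message; findings come header first, then body links."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return sender_findings(msg) + link_findings(html)
```

Running `analyse(SAMPLE_EML)` yields one finding for the From: label and one for the disguised link; a plain-text message from a normal sender yields none.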


December 07, 2023 ==> SexTortion

This month we find the SexTortion-themed SCAM campaign again. The e-mail suggests that the fraudster has accessed the victim's device and, as alleged proof of the breach, points out that the e-mail comes from the victim's own e-mail address. In these cases the address is simulated with labels to fake a breach of the victim's account. The criminal uses this deception to blackmail the victim, requesting a sum of money in Bitcoin in exchange for not divulging to his email and social contacts a private video of him watching adult sites.

The following is an extract from the text of the e-mail shown in the image:

Image: the E-MAIL BLACKMAIL attempt threatening to send out a video of the user watching ADULT sites...

"Unfortunately, there are some bad news for you. Some time ago your device was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google. My trojan allowed me to access your files, accounts and your camera. Check the sender of this email, I have sent it from your email account. To make sure you read this email, you will receive it multiple times. You truly enjoy checking out porn websites and watching dirty videos... I recorded you (through your camera). After that I removed my malware to not leave any traces. If you still doubt my serious intentions, it only takes couple mouse clicks to share the video of you with your friends, relatives, all email contacts, on social networks, the darknet and to publish all your files."

Next the victim is asked to send 800 USD in Bitcoin to the wallet listed below: "1EVXXXXXXXXXXXXXXXXXXXXXXX9i7". After receiving the transaction, all data will supposedly be deleted; otherwise the video depicting the user will be sent to all colleagues, friends and relatives. The victim has 3 days to make the payment!

On the wallets in the various SexTortion campaigns found this month by our Research Center, we report the transactions recorded as of the date of 11/12/2023:

Wallet "1EV3XXXXXXXXXXXXXXXXXXXXXXX9i7" amount requested 800 USD => there are 8 transactions carried out with a total value of 7113.46 USD

In such cases we always urge you:
  1. not to respond to these kinds of emails and not to open attachments or click unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
  2. if the criminal quotes one of the user's actual passwords - usually a password obtained from public leaks (data breaches) of official sites that occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is recommended to:
    • Get experienced personnel to perform checks. Researchers and Analysts from the Anti Malware Research Center #CRAM of TG Soft are available to perform consultative verification activities on potentially compromised PCs / Servers;
    • only after this verification by qualified personnel experienced in spy viruses and/or malware (also new generation malware), and once you have cleaned up the machine, it is absolutely necessary to change the passwords of the web services in use on the pc.



December 04, 2023  ==> Phishing Aruba - Disattivazione casella e-mail (Mailbox deactivation)

SUBJECT: <Disattivazione casella e-mail per scadenza dominio xxx@xxx> (Mailbox deactivation due to xxx@xxx domain expiration)

During December, phishing attempts pretending to be communications from the Aruba brand continued.

Image: the fake Aruba e-mail inducing the user to renew the domain; in reality it is a SCAM!
The message informs the recipient that his/her domain hosted on Aruba, and linked to his/her e-mail account, will expire on 04/12/2023. The recipient is then invited to renew his/her services manually, in order to avoid the deletion of the account, and the deactivation of all services associated with it, including mailboxes (so he/she can continue receiving and sending messages).
It then invites the user to log in, via the following link, to renew services:

https[:]//rinnovare[.]aruba[.]it/welcome[.]html

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data from the unsuspecting recipient.

If we analyze the text of the message, we notice right away that the sender's e-mail address <postmaster(at)v2202311110463247319(dot)hotsrv(dot)de>, is not from Aruba's official domain.
In order to induce the victim to renew the mailbox in a timely manner, the expiration date of 04/12/2023 is indicated, which incidentally corresponds to the reception date of the email... therefore there is not much time left to carry out the renewal and prevent the deactivation of services. The technique of indicating a deadline within which the procedure must be concluded, is intended to urge the user to act immediately and without much thought.
Anyone who unluckily clicks on the link, will be redirected to the displayed page.
Image: the fake Aruba site asking for payment of the domain renewal... in reality it is a SCAM!

As we can see, first of all the landing page - unlike what we should expect - does not lead to Aruba's LOGIN RESERVED AREA, but hosts an online payment form, seemingly relying on BancaSella's circuit. Here we are directly asked to enter our credit card details to pay the modest amount of 5.42 euro.....
Although the hurry and the fear of mailbox suspension may push the user to quickly conclude the operation, if we look at the URL in the browser's address bar, we realize that the payment form is not on the official domain of Aruba, nor even of BancaSella:

https[:]//arubahost[.]assistenzastaff[.]net/xL6432.....

We therefore urge you not to hurry when you find this kind of email, and pay attention to every detail, even trivial ones.
By proceeding to enter the requested data - in this case credit card information - this information will be delivered to the cyber criminals behind the scam, who will use it for illegal purposes.

A little attention and a quick glance can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, whenever they resurge it is reasonably likely that more than a few unfortunate recipients will be fooled.

We invite you to check the following information on Phishing techniques for more details:

03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023...
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023...
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023...
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023...
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023...
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023...
03/03/2023 16:54 - Phishing: the most common credential and/or data theft attempts in March 2023...
06/02/2023 17:29 - Phishing: the most common credential and/or data theft attempts in February 2023...
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023...
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite
has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.;
  • proceed to  download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

VirIT Mobile Security, TG Soft's Anti-Malware for Android™

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

You can upgrade to the PRO version by purchasing it directly from our website => click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware; or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: