06/02/2024
08:55

Phishing: the most common credential and/or data theft attempts in FEBRUARY 2024...


Find out the most common phishing attempts you might encounter and avoid...

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in February 2024:


29/02/2024 => Decathlon
23/02/2024 => Aruba - Fattura scaduta (Expired invoice)
22/02/2024 => Account di Posta Elettronica (Email account)
20/02/2024 => SexTortion - YouPorn
15/02/2024 => Booking
13/02/2024 => LIDL
12/02/2024 => Account di Posta Elettronica (Email account)
10/02/2024 => Netflix
09/02/2024 => Register
07/02/2024 => Inbank
06/02/2024 => Aruba - Fattura scaduta (Expired invoice)
06/02/2024 => Mooney
01/02/2024 => Aruba - Disattivazione casella e-mail (Mailbox deactivation)

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.

February 29, 2024 ==> Phishing Decathlon

SUBJECT: <....Hai vinto: ricevi un frigorifero Igloo Trailmate GRATUITO. > (You won: receive a FREE Igloo Trailmate refrigerator)

Below we analyze the following scam attempt, coming as a false communication from the well-known company Decathlon.

[Image: the fake e-mail that appears to come from Decathlon, announcing the chance to win a prize... in reality it is a SCAM!]
This is a promotional message that seems to offer an unmissable opportunity. The lucky user has been selected to take part in a survey aimed at improving the customer experience. By answering a few simple questions, he or she can win an IGLOO TRAILMATE COOLER... or so it would seem.
For many inexperienced users this phishing is certainly a real decoy.
Clearly, Decathlon is unrelated to the mass mailing of these malicious campaigns, which are true scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.
So keep your eyes open ... all it takes to avoid unpleasant incidents is a little attention and a glance.

Analyzing the email, we immediately notice that the message comes from an email address <ABDELFATTAH(dot)AMMARI(at)ump[dot]ac[dot]ma> not traceable to Decathlon's official domain. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:

[Image: the fake DECATHLON site inviting the user to take part in a survey to win a prize... in reality it is a SCAM!]
We are redirected to a landing page that, although graphically well done (with misleading images and the authentic Decathlon logo), is hosted on an anomalous address/domain:

https[:]//graffitydino[.]com/b55957.....

which has no connection with Decathlon.

The cyber criminals behind the scam try to induce the user to finish the survey quickly by making him/her believe that only a few people can win and the gifts are about to run out. There is also a countdown timer at the bottom of the screen which, however, if stopped - as we simulated - starts over immediately. This is rather strange.

To add credibility, many comments from customers who supposedly took part in the survey are displayed. They are all reassuring testimonials about the actual delivery of the winnings, confirming the trustworthiness of the message, and some of them even include photos of the prize received.
Surely, if so many users were lucky, why not try our luck by filling out a simple survey?!

Clicking on INIZIA IL SONDAGGIO (START THE SURVEY), you are redirected to the next screens, where you are asked to answer 8 questions.

Here, specifically, is question 1/8. These are very general questions about the degree of satisfaction with the services offered by Decathlon and about consumers' daily habits. Here, too, a countdown prompts the user to finish the process quickly in order to receive the prize.
 
[Image: the survey that would allow the user to win a prize... in reality it is a SCAM!]
At the end of the survey we can finally claim our prize: an IGLOO TRAILMATE COOLER that is supposedly worth Euro 249.99 but costs us 0. We only have to pay the shipping costs, which are supposed to be small.
But let's hurry. There seem to be only 3 left in stock...
[Image: the final screen of the survey, announcing the prize... in reality it is a SCAM!]

"Congratulations!!! We have reserved (1) Igloo Trailmate Cooler exclusively for you."

Here we are: all we have to do is enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....
[Image: the fake DECATHLON site showing the instructions for receiving the prize...]
We are then sent to a further page, shown in the image below, to enter our shipping address and pay the shipping charges.
[Image: the fake DECATHLON site asking the user to enter his/her details in order to receive the prize...]
The page hosting the data entry form looks graphically well done and misleading. A detailed description of the prize is provided, complete with technical specifications. Too bad that, in order to finalize it all, it is necessary to pay the shipping charges which, although modest, likely involve entering credit card information in order to complete the purchase.
In fact, the purpose of the cyber criminals is precisely to trick you into entering your sensitive data and, in this case, your credit card data!

The page to which you are redirected, to enter your personal data, is hosted on an anomalous new address/domain, which we report below:

https[:]//THISTIMEYOUSHOULD[.]net/VyMyw.....

To conclude, we always urge you to be wary of advertisements/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links, which could lead to a counterfeit site that steals your most sensitive data.



February 20, 2024 ==> SexTortion YouPorn

This month we find again the SexTortion-themed SCAM campaign. The e-mail, which uses the name of the popular YouPorn adult site, suggests a breach of the victim's account by the scammer. The purpose of the message is to blackmail the recipient demanding the payment of a sum of money, in Bitcoin, in order not to divulge among his email and social contacts a private video of him viewing adult sites.

We first of all notice that the sender's e-mail address <davduf(at)gowestward(dot)com> is unrelated to the domain of YouPorn.

The following is an extract from the text of the email shown in the image:

[Image: the BLACKMAIL e-mail threatening the user with sending out a video of him while watching adult sites...]
"Unfortunately, I need to start our conversation with bad news for you. Around few months back I managed to get full access to all devices of yours, which are used by you on a daily basis to browse internet. Afterwards I could initiate monitoring and tracking of all your activities on the internet. I am proud to share the sequence of how it happened: In the past I bought from hackers the access to various email accounts (today, that is a rather simple thing to do online).
Clearly, it was not hard at all for me to log in to your email account. A week after that, I had already managed to effortlessly install Trojan virus to Operating Systems of all devices that are currently in use, and as result gained access to your email.
To be honest, that was not really difficult at all (because you were eagerly opening links from your inbox emails). I know I am a genius. (= With help of that software, I can gain access to all controllers in your devices (such as videocamera, keyboard and microphone).
As result, I downloaded to my remote cloud servers all your personal data, photos and other information including web browsing history. Likewise, I have complete access to all your social networks, messengers, chat history, emails, as well as contact list. My intelligent virus unceasingly refreshes its signatures (due to its driver based nature), and thereby stays unnoticed by your antivirus software. Hereby, I believe that now you finally start realizing how I could easily remain unnoticed all this while until this very letter…
While collecting information related to you, I had also unveiled that you are a true fan of porn sites. You truly enjoy browsing through adult sites and watching horny vids, while playing your dirty solo games.
Bingo! I also recorded several scenes with you in the main focus…
In case you still don't believe me, all I need is just one-two mouse clicks to make all your unmasking videos become available to your friends, colleagues, and even relatives (in addition to XXX sites, e.g. youporn, etc.)."


Next the victim is asked to send $1250 USD in Bitcoin to the wallet listed below:
"18HXXXXXXXXXXXXXXXXXXXXXXXSUV". After receiving the transaction, all data will be deleted; otherwise a video depicting the user will be sent to all colleagues, friends and relatives. The victim has 1 day to make the payment!

Transactions recorded on the mentioned wallet as of 02/21/2024 are:

Wallet "18HXXXXXXXXXXXXXXXXXXXXXXXSUV", amount requested 1250 USD => no transactions reported.

In such cases we always urge you:
  1. not to respond to these kinds of emails and not to open attachments or click unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
  2. if the criminal quotes one of the user's actual passwords - usually a password obtained from past public leaks (stolen data sets) of legitimate sites (e.g., LinkedIn, Yahoo, etc.) - it is recommended to:
    • have experienced personnel perform checks. Researchers and analysts from TG Soft's Anti-Malware Research Center #CRAM are available to perform consultative verification activities on potentially compromised PCs / servers;
    • only after this verification by qualified personnel experienced in spyware and/or malware (including new-generation malware), and once the machine has been cleaned, it is absolutely necessary to change the passwords of the web services in use on the PC.



February 15, 2024 ==> Phishing Booking

SUBJECT: <Notification of Property Feedback>

We analyze below a new phishing attempt which simulates a communication from the online travel booking site Booking.com, with millions of listed properties, and which aims to steal the victim's account login credentials.

[Image: the fake Booking e-mail inviting the recipient to reply to a customer's comment... in reality it aims to steal the account login credentials.]
The message, in English, seems to come from Booking.com and informs the recipient - a generic Hotel in the given example - about a negative review by one of its guests, who, however, remains unidentified. It then urges the establishment "to address the guest's grievances and promptly take necessary steps to rectify any issues encountered during their stay at the hotel". If the issue is not addressed promptly, the hotel may be excluded from the website service, and bookings will be suspended until a solution is reached. The following link is then provided to allow the recipient to log into its account:

Respond to the complaint

When we analyze the email, we see that the message comes from an email address <admin(at)fisc-iq(dot)com> not traceable to the official Booking.com domain. In addition, the message is addressed to a generic hotel, whereas in such cases an identifier of the complaint's recipient is usually given. This is definitely anomalous and should, at the very least, make us suspicious. Anyone who is not an accommodation partner of Booking.com will, of course, recognize even more easily that this is a real scam.

Anyone who unluckily clicks on the link Respond to the complaint will be redirected to an anomalous WEB page.
[Image: the fake Booking site to which the user is redirected, asking him/her to authenticate in order to reply to a customer's comment... in reality it is a SCAM!]
From the image we notice that the web page on which you are asked to authenticate graphically simulates the official website of Booking.com.

However, at a glance we notice that the login page is hosted on an anomalous address/domain...

https[:]//booking[.]extranet[.]id59609[.]xyz/?utm=enATVWqA

If you continue, you will probably be asked to enter your personal information and payment method, which will be used by cyber scammers with all the easily imaginable risks.
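The two checks the Decathlon and Booking analyses above keep coming back to, a sender address and a link host that cannot be traced to the brand's domain (and, in the Booking case, the brand name used only as a subdomain of someone else's domain), written out as an added example that is not part of TG Soft's bulletin. It reuses the defanged indicators published above; the legitimate brand domains and the small public-suffix list are assumptions made for the example.

```python
"""Domain-mismatch check for the two indicators this bulletin relies on.

Added example, not TG Soft's code. For a sender address or a link target,
it compares the registrable domain (eTLD+1) with the brand's legitimate
domain and labels the indicator "match", "lookalike" or "unrelated".
Sample indicators are the defanged values published above; the legitimate
brand domains and the tiny suffix list are assumptions for this example.
"""
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List.
# A real deployment loads the full list (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "xyz", "sbs", "it", "jp", "ma", "za",
    "ac.ma", "co.za", "co.uk",
}

# Assumed legitimate domains for the brands impersonated in the bulletin.
BRAND_DOMAINS = {"Decathlon": "decathlon.com", "Booking": "booking.com"}


def refang(indicator: str) -> str:
    """Undo the defanging used in the bulletin: https[:]//, [.], (.), (dot), (at), [at]."""
    s = indicator.strip().strip("\"'«»<> ")
    for token, plain in (("[:]", ":"), ("[.]", "."), ("(.)", "."), ("[dot]", "."),
                         ("(dot)", "."), ("(at)", "@"), ("[at]", "@")):
        s = s.replace(token, plain)
    return s


def host_of(indicator: str) -> str:
    """Hostname of a (possibly defanged) URL, or the domain part of an e-mail address."""
    s = refang(indicator)
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in s:
        s = "https://" + s
    return (urlsplit(s).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: booking.extranet.id59609.xyz -> id59609.xyz.

    Scans from the full host downwards, so the longest known suffix wins
    (ump.ac.ma matches 'ac.ma', not just 'ma').
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def assess(indicator: str, brand: str) -> dict:
    """Compare one indicator with the brand's legitimate registrable domain.

    "match"     same registrable domain. Necessary but not sufficient for a
                From: address, which is trivially forgeable; SPF/DKIM/DMARC
                results decide whether a matching sender is genuine.
    "lookalike" the brand name appears in the host, but the registrable
                domain belongs to someone else (booking.extranet.id59609.xyz).
    "unrelated" nothing ties the host to the brand at all.
    """
    host = host_of(indicator)
    reg = registrable_domain(host)
    brand_reg = registrable_domain(BRAND_DOMAINS[brand])
    if reg == brand_reg:
        verdict = "match"
    elif brand_reg.split(".")[0] in host:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"indicator": indicator, "host": host, "registrable": reg, "verdict": verdict}


# Indicators as published (defanged) in the Decathlon and Booking analyses above,
# plus one constructed control value that should pass.
SAMPLES = [
    ("Decathlon", "ABDELFATTAH(dot)AMMARI(at)ump[dot]ac[dot]ma"),
    ("Decathlon", "https[:]//graffitydino[.]com/b55957....."),
    ("Booking", "admin(at)fisc-iq(dot)com"),
    ("Booking", "https[:]//booking[.]extranet[.]id59609[.]xyz/?utm=enATVWqA"),
    ("Booking", "noreply@booking.com"),  # constructed control value
]


def run_samples():
    """Assess every sample; returns a list of result dicts."""
    return [assess(ind, brand) for brand, ind in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['verdict']:<9} {r['host']:<35} (registrable: {r['registrable']})")
```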




February 13, 2024 ==> Phishing LIDL

SUBJECT: <Festeggiamo l'anniversario di Lidl con una DeLonghi Magnifica S > (Let's celebrate Lidl's anniversary with a DeLonghi Magnifica S)

Below we analyze the scam attempt that hides behind a false communication from the well-known company LIDL.

[Image: the fake e-mail that appears to come from LIDL, announcing the chance to win a prize... in reality it is a SCAM!]
This is a promotional message that seems to propose an unmissable opportunity. The lucky user was selected, on the anniversary of the supermarket chain, to participate in a survey and win a prize: a De Longhi coffee machine.
For many inexperienced users this phishing is surely a real decoy.
Clearly LIDL is unrelated to the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
To avoid misunderstanding we underline that this is in fact a phishing attempt aimed at stealing your personal data.
So keep your eyes open ... all it takes to avoid unpleasant incidents is a little attention and a quick glance.

Analyzing the email, we notice that the message comes from an email address <abdelfattah[dot]ammari[at]ump[dot]ac[dot]ma> not traceable to LIDL's official domain. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:

[Image: the fake LIDL site inviting the user to take part in a survey to win a prize... in reality it is a SCAM!]
We are redirected to a landing page that, although graphically well done (with misleading images and the authentic LIDL logo), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on an anomalous address/domain.
Here is the web page:

https[:]//patientflag[.]sbs/96b90ee.....

which has no connection with LIDL.

The cyber criminals behind the scam try to induce the user to finish the survey quickly by making him/her believe that only a few people can win and the gifts are about to run out. There is also a countdown timer at the bottom of the screen which, however, if stopped - as we simulated - starts over immediately. This is rather strange.

To add credibility, many comments from customers who supposedly took part in the survey are displayed. They are all reassuring testimonials about the actual delivery of the winnings, confirming the trustworthiness of the message, and some of them even include photos of the prize received.
Surely, if so many users were lucky, why not try your luck by filling out a simple survey?!

Clicking on INIZIA IL SONDAGGIO (START THE SURVEY), we are redirected to the next screens, where we are asked to answer 8 questions.

Here, specifically, is question 1/8. These are very general questions about the degree of satisfaction with the services offered by LIDL and about consumers' daily habits. Here, too, a countdown prompts the user to finish the process quickly in order to receive the prize.
[Image: the survey that would allow the user to win a prize... in reality it is a SCAM!]
At the end of the survey we can finally claim our prize: a De Longhi coffee machine that would be worth Euro 899.95 but costs us 0. We only have to pay the shipping costs, which are supposed to be small.
But let's hurry. There seem to be only 2 left in stock.
[Image: the final screen of the survey, announcing the prize... in reality it is a SCAM!]

"Congratulations!!! We have reserved (1) De Longhi Magnifica S exclusively for you."

Here we go: in fact, all we need to do is enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....
[Image: the fake LIDL site showing the instructions for receiving the prize...]
We are then redirected to a further page, shown in the image below, to enter our shipping address and pay the shipping charges.
[Image: the fake LIDL site asking the user to enter his/her details in order to receive the prize...]

The page hosting the data entry form looks graphically well done and misleading. A detailed description of the prize is provided, complete with technical specifications. Too bad that, in order to complete it all, it is necessary to pay the shipping costs which, although modest, arguably involve entering credit card information in order to complete the purchase. In fact, the purpose of the cyber criminals is precisely to trick the user into entering his/her sensitive data and, in this case, credit card data!
 
The page to which we are redirected, to enter our personal data, is hosted on a new anomalous address/domain, which we report below:

https[:]//gettingtheresoon[.]com/c/6qp8LLW.....

To conclude, we always urge you to be wary of advertisements/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links, which could lead to a counterfeit site that steals your most sensitive data.


February 12, 2024 ==> Phishing Account Posta Elettronica (Email account)

SUBJECT: <Verifica Password> (Password Verification)

We analyze below the phishing attempt that aims to steal the victim's e-mail account credentials.

[Image: the fake e-mail from the "e-mail account administrator", which tries to get the recipient to click on links in order to steal the account login credentials.]
The message informs the recipient that his/her password will expire in 24 hours. It then invites him/her to confirm the password in order to keep it and to avoid any interruption of the services connected to his/her mail account, by clicking on the following link:

conferma password (password confirmation)

When we analyze the e-mail, we notice that the message seems to come from the recipient's own e-mail address. In fact, in this case a sender label simulating the recipient's address was used. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the link conferma password (password confirmation), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.



February 10, 2024 ==> Phishing NETFLIX

SUBJECT: <Netflix : Abbonamento N° XXXXXXXX> (Netflix : Subscription No. XXXXXXXX)

We analyze this month the following phishing attempt, coming as a fake communication from NETFLIX - the well-known streaming platform for movies, TV series and other paid content - and aiming to steal the victim's credit card data.

[Image: the fake NETFLIX e-mail, which tries to steal credit card data...]
The message, seemingly from NETFLIX, informs the user that the subscription renewal could not be processed. To renew, he/she must update his/her data by clicking on the link:

Aggiornare il metodo di pagamento (Update the payment method)

Analyzing the email, we notice that the message comes from an email address <l3TL9C8Q80mins@j2(.)gmobb(dot)jp> not traceable to the official domain of NETFLIX. This is definitely anomalous and should, at the very least, make us suspicious.

Anyone who unluckily clicks on the Aggiornare il metodo di pagamento (Update the payment method) link, will be redirected to an anomalous WEB page.

[Image: the fake NETFLIX site to which the user is redirected, asking him/her to log in to buy the annual subscription at a discounted price... in reality it is a SCAM!]
From the image we see that the login web page graphically simulates the official website of NETFLIX.

However we immediately notice that the login page is hosted on an anomalous address/domain...

https[:]//www[.]d40XXX85206almeeeajnimXX[.]terXXXar[.]com....

If you continue, you will likely be asked to enter your personal information and payment method, which will be used by cyber crooks with all the easily imaginable risks.


February 09, 2024 ==> Phishing Register

SUBJECT: <Avviso Prossimo Rinnovo !> (Next Renewal Notice)

We analyze below the phishing attempt aiming to steal the account credentials of Register, an Italian company in the business of providing domain registration services, hosting, etc.

[Image: the fake e-mail from Register, the domain registration site, which tries to get the recipient to click on links in order to steal the account login credentials.]
The message informs the recipient that his/her account has been suspended due to <fondi insufficienti> (insufficient funds). It then invites the victim to make a payment today to restore the services linked to his/her Register account; to top up, he/she can add funds by logging into the account as soon as possible. If the top-up is not made, the instances and client data will be removed from the system. To proceed, he/she can log into his/her account through the following link:

Gestisci il pagamento (Manage payment)

When we analyze the email, we notice right away that the message comes from an email address <it(at)solarovin(dot)com> not traceable to Register's domain. This is definitely anomalous and should, at the very least, make us suspicious.

[Image: the counterfeit site, which clearly has nothing to do with Register's website...]
Anyone who unluckily clicks on the link Gestisci il pagamento (Manage payment) will be redirected to an anomalous WEB page which, as you can see from the image, simulates the website of Register.
The page to which we are redirected, to enter our credit card information to carry out the domain renewal, costing 15.38 euros, is hosted on an anomalous address/domain, which we report below:

https[:]//area[.]rinno****/regi/it/pagamento[.]php

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.




February 07, 2024 ==> Phishing Inbank - Aggiornamento di Sicurezza (Security Update)

SUBJECT: <La sicurezza della vostra area clienti è stata compromessa! Si prega di intervenire!> (The security of your client area has been compromised! Please take action!)

Below we analyze the following phishing attempt, coming as a false communication from Inbank, the Trento-based online bank.

[Image: the fake e-mail from the online bank Inbank, which tries to steal the recipient's sensitive data...]
The message alerts the recipient that the security of the customer area is outdated and requests the user to update the data, to prevent the customer area from being restricted.
It then provides the link for the update:

Aggiornamento (Update)

When we analyze the message, we notice right away that it comes from an e-mail address <noreply(at)notify(dot)inbank(dot)it> that could mislead an inexperienced user but is not from the official domain of Inbank. Let's always be careful before clicking on suspicious links.

Anyone who unluckily clicks on the link Aggiornamento (Update) will be redirected to an anomalous WEB page which has no connection with the official website of Inbank, but which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.




06 - 23 February 2024 ==> Phishing Aruba - Fattura scaduta (Expired invoice)

Phishing attempts, pretending to be communications from the Aruba brand, continue.

EXAMPLE 1
<Aruba.it - Avviso di Fattura Scaduta - Fattura N-123653914 Dominio - *****-18/01/2024>
(Aruba.it - Expired Invoice Notice - Invoice N-123653914 Domain - *****-18/01/2024)
EXAMPLE 2
<Azione Richiesta - Rinnovo del Nome di Dominio>
(Action Required - Domain Name Renewal)
In the examples above, the recipient is notified that his/her domain hosted on Aruba, linked to his e-mail account will expire on XX/02/2024. The user is then informed that if the domain is not renewed, it will be deactivated along with all services associated with it, including e-mail accounts, so he/she will no longer be able to receive and send messages.
The message then invites the user to log in to renew services, via the following link:

RINNOVA IL DOMINIO (RENEW THE DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the 2 messages, we notice right away that in neither case can the sender's e-mail address be traced to Aruba. In the first example, a generic <Assistenza Clienti> (Customer Support) label is used to hide the real sender, which clearly is unrelated to Aruba's official domain. In the second, the message comes from an e-mail address <support(at)altaefficienzaravenna(dot)it>, likewise unconnected to Aruba. These things are definitely anomalous and should, at the very least, make us suspicious. We can see, however, that the well-known Aruba logo was inserted to make the messages more trustworthy.

Anyone who unluckily clicks on the link RINNOVA IL DOMINIO (RENEW THE DOMAIN) will be redirected to an anomalous WEB page that is unrelated to Aruba's official website, but which has already been reported as a DECEPTIVE WEBSITE/PAGE because it is run by cyber-criminals who want to get hold of your most valuable data in order to use it for illegal purposes.


February 06, 2024 ==> Phishing Mooney

SUBJECT: <[Notifica] Area Clienti !> ([Notification] Customer Area!)

Below we analyze the following phishing attempt, coming as a false communication from Mooney, the Italian Proximity Banking & Payments company.

[Image: the fake e-mail from Mooney, the online payment system, which tries to steal the recipient's sensitive data...]
The message warns the recipient that his/her account is temporarily suspended and that support is trying to solve the problem. It adds that, in order to complete the operation and unblock the account, the user only needs to click on the following link:

Cliccare qui (click here)

This time the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails. In fact these are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the alert comes from an e-mail address <noreply(at)diagral-visio(dot)com> that could be misleading but is not traceable to Mooney's domain, although the cybercriminal had the foresight to include the company's logo. Let's always be careful before clicking on suspicious links.

Anyone who unluckily clicks on the link Cliccare qui (click here), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.



February 01, 2024 ==> Phishing Aruba - Disattivazione casella e-mail (Mailbox deactivation)

SUBJECT: <Disattivazione casella e-mail per scadenza dominio *****> (Mailbox deactivation due to domain expiration)

We find again this month the following phishing attempt simulating a communication from Aruba.

[Image: the fake Aruba e-mail that induces the user to renew the domain, but in reality it is a SCAM!]
The message informs the recipient that his/her domain hosted on Aruba, and linked to his/her e-mail account, will expire on 01/02/2024. The recipient is then invited to renew his/her services manually, in order to avoid the deletion of the account, and the deactivation of all services associated with it, including mailboxes (so he/she can continue receiving and sending messages).
The user is then invited to log in, via the following link, to renew services:

RINNOVA IL DOMINIO  (RENEW THE DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

If we analyze the message, we notice right away that the sender's e-mail address <postmaster(at)budirira(dot)co(dot)za> is not from Aruba's official domain. This is definitely anomalous and should, at the very least, make us suspicious. We can see, however, that the well-known Aruba logo was included to make the message more trustworthy.

Anyone who unluckily clicks on the link RINNOVA IL DOMINIO (RENEW THE DOMAIN) will be redirected to an anomalous WEB page that is unrelated to Aruba's official website, but which has already been reported as a DECEPTIVE WEBSITE/PAGE because it is run by cyber-criminals who want to get hold of your most valuable data in order to use it for illegal purposes.

A little attention and a quick glance can save a lot of hassle and headaches.

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, each time they resurge it is reasonably likely that more than a few unfortunate recipients will be fooled.
 

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This still allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have taken hold automatically and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security is an Italian anti-malware software that protects Android™ smartphones and tablets from malware intrusions and other unwanted threats, and enables the user to safeguard their privacy through an advanced heuristic approach (Permission Analyzer).
 

VirIT Mobile Security, TG Soft's anti-malware for Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

 

You can upgrade to the PRO version by purchasing it directly from our website => click here to order

Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians and everyone who has transmitted/reported material attributable to phishing activities to our Research Center, which has allowed us to make this information as complete as possible.


How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail account to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or "Possible Malware to verify", as appropriate;
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware, or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)


Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: