PHISHING INDEX
Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in April 2024:
22/04/2024 =>
Tiscali
18/04/2024 =>
Crédit Agricole
17/04/2024 =>
Altroconsumo
15/04/2024 =>
MailBox
14/04/2024 =>
BRT
09/04/2024 =>
WeTransfer
06/04/2024 =>
Aruba - Avviso di fattura scaduta (Overdue invoice notice)
05/04/2024 =>
Aruba - Rinnova il dominio (Renew your domain)
05/04/2024 =>
BRT
03/04/2024 =>
Crédit Agricole
02/04/2024 =>
Banco BPM
01/04/2024 =>
Zimbra
These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.
April 22, 2024 ==> Phishing Tiscali
SUBJECT: <
?Riattivare immediatamente il tuo account per evitarne la chiusura ******>
(?Reactivate your account immediately to prevent its closure ******)
We analyze below a new phishing attempt that aims to steal
TISCALI account login credentials.
The message informs the recipient that his account has been deactivated, then invites him to reactivate his account independently, including the reactivation of any previously deleted domains. The user can act through the following link:
RIATTIVARE ORA (REACTIVATE NOW)
When we analyze the email, we see that it comes from an email address <
assis[at]abv[dot]bg> not traceable to the official
TISCALI domain. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link
RIATTIVARE ORA (REACTIVATE NOW), will be presented with the screen shown on the side image.
As we can see, we are redirected to a site that graphically simulates the
TISCALI account login page. However, it is hosted on an anomalous address/domain, which we report below:
https[:]//https-selfcare-tiscali-it-unit-ecare-it-mytiscali[.]weebly[.]com/#email****
Given these considerations, we point out that you should NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
April 17, 2024 ==> Phishing Altroconsumo
SUBJECT: <
A soli 2€ per 2 mesi Friggitrice ad ARIA in REGALO conferma Ora >
(Only 2€ for 2 months AIR fryer for FREE confirm now)
Below we analyze an attempt at fraud that lies behind a false communication by
Altroconsumo, the well-known consumer organization, whose goal is to give information about products and protect consumers.
It is a promotional message that seems to offer an unmissable opportunity. By becoming a member with this promotion, the consumer can get an air fryer for only 2 Euro for 2 months...or at least so it seems.
Certainly for many inexperienced users this is a real decoy.
Clearly
Altroconsumo is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.
Analyzing the email, we notice that the message comes from an email address <
blog[at]flash[dot]centronews[dot]net> not traceable to the official domain of
Altroconsumo . This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
we are redirected to a landing page that, although graphically well done (with misleading images and the authentic logo of
Altroconsumo), does not seem trustworthy at all, as it is hosted on an anomalous address/domain. Here is the page:
"https[:]/offerta-altroconsumo[.it/friggitrice-2024/.....''
which is not from the official domain of Altroconsumo.
For new members of Altroconsumo there is an unmissable offer going on: for only 2 euros for 2 months you can get access to all the association's services, and you also receive an air fryer as fantastic prize. When we click on
Approffitto dell'offerta (I Take advantage of the offer), we are taken to the next screens, where we are asked to answer some simple questions.
Here specifically is question 1. These are very general questions and request for the consumer's personal information, such as gender (Male or Female), first and last name, and e-mail address.
After the questions are completed, in order to become a member of Altroconsumo, you must provide your address information to receive the magazines and especially the fantastic prize: the Air Fryer!
This is it: by clicking
Continuare (Continue), we are taken to the last screen. Here we are prompted to enter our bank details to pay for the trial period of 2 Euros for 2 months, to become a member of
Altroconsumo. We can then receive our prize at home.
The page hosting the data entry form looks graphically well done and misleading. It is outlined what is included for Altroconsumo members, such as "Le riviste di Altroconsumo direttamente a casa tua" (Altroconsumo magazines direct to your door); "Accesso ai comparatori di prodotti online", (Access to online product comparators); "Consulenza legale telefonica gratuita", (Free telephone legal advice); and "Scopri il programma Vantaggi Extra per accedere a un mondo di sconti", (Discover the Extra Benefits program to access a world of discounts).
In fact, the purpose of cyber criminals is precisely to trick you into entering your sensitive data and, in this case, your bank account data!
The page you are redirected to, for the entry of your personal data, is hosted on the following anomalous address/domain:
https[:]//offerta-altroconsumo[.]it/friggitrice-2024/iban?click_id=2mj9a3hns3eb3ir....
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, in this way your most valuable data are placed in the hands of cyber crooks, who can use them at will
.
April 15, 2024 ==> Phishing Mailbox Almost Full
SUBJECT: <
Mailbox Size Limit Exceeded For *****>
We analyze below another phishing attempt, that aims to steal email account login credentials.
The message, in English, informs the recipient that the storage space on his e-mail account is limited, and therefore some incoming messages are rejected. It invites him to solve this minor technical problem by increasing the storage space, via the link below:
VALIDATE NOW
When we analyze the e-mail, we notice that the message comes from an e-mail address unrelated to the e-mail server <
info(dot)cibl-digital(dot)com>, and therefore does not come from the official domain of the mailbox.
Anyone who unluckily clicks on the link
VALIDATE NOW, will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.
April 9, 2024 ==> Phishing WeTransfer
SUBJECT: <
file>
We analyze below the phishing attempt that aims to steal
WeTransfer account credentials
The message, in English, informs the recipient that he has received 1 file and can download it for viewing. It then invites him to log in to download the file, via the following link:
Get your files
When we analyze the email, we notice that the message comes from an email address <
q4b404fa140af48168b32aefff(at)Hochster(dot)com(dot)eg> not traceable to the domain of
WeTransfer.
This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the
Get your files link, will be redirected to an anomalous WEB page, which is graphically well laid out, for the download of the referenced PDF/Docx file.
We report the page below:
https[:]//centralmoto[.]cl/Conexion/main[.]html....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
April 6, 2024 ==> Phishing Aruba - Rinnova il dominio (Renew your domain)
SUBJECT: <
Aruba.it - Avviso di fattura scaduta 06/04/2024>
(Aruba.it - Overdue invoice notice 04/06/2024)
Phishing attempts, pretending to be communications from the
Aruba brand, continue this month.
The message notifies the recipient that his domain hosted on
Aruba, linked to his e-mail account, will expire on 06/04/2024. It then warns him to manually renew his services to avoid the deletion of the account and thus the deactivation of all services associated with it, including the mailboxes (and therefore the chance to receive and send messages).
It then invites the user to pay the indicated invoice no."123653914" of Euro 4.37 to renew the services, through the following link:
RINNOVA IL TUO DOMINIO (RENEW YOUR DOMAIN)
Clearly, the well-known web hosting, e-mail and domain registration services company
Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal is always to steal sensitive data of the unsuspecting recipient.
In order to induce the victim to renew his mailbox in a timely manner, the expiration date of 06/04/2024 is indicated. The technique of stating a deadline to conclude the procedure is intended to scare the user and to push him/her to act immediately and without much thought.
Anyone who unluckily clicks on the link
RINNOVA IL TUO DOMINIO (RENEW YOUR DOMAIN),will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE.
Although the user may be prompted by haste and fear of mailbox suspension to complete the task quickly, we always urge you to pay close attention to every detail, even trivial ones.
If we enter our data into counterfeit websites, they will be delivered to the cyber-criminals behind the scam, who will use them for malicious purposes.
April 5, 2024 ==> Phishing Aruba - Rinnova il dominio (Renew your domain)
SUBJECT: <
Rinnova il tuo dominio ****** in scadenza>
(Renew your expiring ****** domain)
Phishing attempts pretending to be communications from the
Aruba brand, continue this month.
The message notifies the recipient that his/her domain hosted on
Aruba, linked to his e-mail account, will expire on 06/04/2024. It then warns him/her to manually renew his services to avoid the deletion of the account and thus the deactivation of all services associated with it, including the mailboxes, (and therefore the chance to receive and send messages).
It then invites the user to complete the renewal order, by choosing the most convenient payment method, through the following link:
RINNOVA CON UN CLIC (RENEW WITH A CLICK)
Clearly, the well-known web hosting, e-mail and domain registration services company
Aruba is unrelated to the mass sending of these e-mails, which are real scams, whose goal is always to steal sensitive data of the unsuspecting recipient.
Analyzing the message, we notice right away that the sender's e-mail address <communications-aruba(at)dronepops[.]com>, is not from Aruba's official domain.
In order to induce the victim to proceed with the timely renewal of his/her mailbox, the expiration date of 06/04/2024 is indicated. Since the e-mail was delivered on 05/04/2024, there is not much time left to carry out the renewal and prevent the deactivation of services.
The user is then proposed to activate automatic renewal to get rid of deadlines, and avoid thinking about service renewals. The procedure is simple and can be activated from the following link::
ATTIVA RINNOVO AUTOMATICO (ACTIVATE AUTOMATIC RENEWAL)
Anyone who unluckily clicks on the link
RINNOVA CON UN CLIC (RENEW WITH A CLICK), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.
April 5, 2024 ==> Phishing BRT
SUBJECT: <
Il tuo pacco è stato bloccato a causa di un indirizzo di consegna errato.> (
Your package was held up because of an incorrect delivery address)
The phishing attempt behind a false communication from
BRT's service, concerning the delivery of an alleged package, continues this month.

The message, reproduced on the side, refers to a shipment delivered to the
BRT point, but due to an incomplete recipient address, the package will be returned to the sender. It then notifies the unsuspecting recipient that he can request redelivery of the package by filling out the request form from the website, by clicking on the following link:
Controlla il tuo pacchetto (Check your package)
The message seems to come from the
BRT courier company and, to make it more trustworthy, the well-known logo has been included; however, no identifying information about the shipment (such as the order number or tracking reference) is given. In addition, the alert message comes from an e-mail address <
support(at)authentication(dot)aibiztools(dot)com> certainly not from the official domain of
BRT. 
The purpose is clearly to get the user to click on the proposed link, which redirects to a web page designed to steal the victim’s sensitive data.
Let's analyze it in detail below.
From the link in the message we are redirected to a web page that simulates the official site of
BRT. Although the site is graphically well done and includes the tracking number of the supposedly in-stock package <SH458378ZIT>, the url address <<https[:]//rcq[.]vvg[.]mybluehost[.]me/brt[.]it/myBRT/home/paket[.]php>> is anomalous and not traceable to
BRT.
When we click on Pianifica una nuova consegna (Schedule a new delivery), we are redirected to a new screen where we are prompted to indicate our desired delivery.
We then select the date and click Continua (Continue). Now we are presented with a screen prompting us to update our parcel delivery information.

HERE IS THE SURPRISE! After clicking
Continua (Continue), we are in fact redirected to a data-entry FORM, that requires our credit card information to pay the shipping costs of the package.
The form page has the following url address: <<
https[:]//rcq[.]vvg[.]mybluehost[.]me/brt[.]it/myBRT/home/tarjeta[.]php>> totally untrustworthy and not related to
BRT at all.
The purpose is to induce the user to enter his personal information.
To conclude, we always urge you to be wary of any email that asks you to enter confidential data, and avoid clicking on suspicious links, which could lead to a counterfeit site difficult to distinguish from the original one. In fact in this way your most valuable data are put in the hands of cyber crooks and can be used for malicious purposes.
April 3, 2024 ==> Phishing Crédit Agricole
SUBJECT: <
Importante: Azione richiesta per mantenere attivi i tuoi servizi online >
(Important: Action required to keep your online services active)
Below we analyze the following phishing attempt, that comes as a fake communication from
Crédit Agricole, the well-known French banking institution.
The message informs the recipient that, as a result of updates of the bank’s system, he/she is asked to update his data to avoid suspension of online services.
It then invites the user to log in to update his/her data, via the following link:
Clicca qui (Click here)
Analyzing the message, we notice right away that it comes from an e-mail address not referable to the official domain of
Crédit Agricole,<
info(at)vascuion(dot)com>. We should always pay close attention before clicking on suspicious links.
Anyone who unluckily clicks on the link
Clicca qui (Click here), will be redirected to an anomalous WEB page, unrelated to the
Crédit Agricole's official site, but which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals, who want to get hold of your most valuable data, in order to use them for illegal purposes.
April 2, 2024 ==> Phishing Banco BPM
«SUBJECT: <
Attivazione obbligatoria per la Direttiva UE PSD2>
(Mandatory activation for the EU PSD2 Directive)
The following is another phishing campaign, that spreads through an e-mail exploiting stolen graphics or similar to the graphics of a well-known national banking institution, in this case BANCO BPM. Hence it tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to enter his data, and fall into a social engineering trap.

The message alerts the unsuspecting recipient that, to ensure compliance with the EU PSD2 Directive, he or she is required to activate and authorize online credit card payments.
He/she is then urged to take the necessary steps immediately by clicking on:
Accedi (Log in)
We can see right away that the alert message comes from an e-mail address <
autoreply76(at)sbardilat(dot)colognegolfer(dot)de>, that is very suspicious and contains a very generic text, although the cybercriminal had the graphic foresight to include the well-known
BANCO BPM logo, that could mislead the user.
The purpose is to get the victim to log in to his/her home banking account.
Anyone who unluckily clicks on the link
Accedi (Log in), will be redirected to an anomalous WEB page, unrelated to the official site of BANCO BPM.
From the side image we can see that the web page is graphically well done, and quite well simulates the official website of the banking portal.
We also observe different Restricted Areas, according to the type of user who should log in: (YouWeb/ YouBusinessWeb/Tesoreria Enti) (YouWeb/ YouBusinessWeb/ Entity Treasury). All these elements have the aim of further reassuring the user about the truthfulness of the portal, although many links do not lead to any of the expected pages.
Given these considerations, we urge you to pay close attention to any misleading details, and keep in mind that before proceeding to enter sensitive data - in this case, home banking credentials i.e., Holder Code and PIN - it is crucial to analyze the url address of the authentication form.
The landing page in this case is hosted on the url address:
hrrps://gruppo[-]bancobpm[-]account[.]id98xxx758.com...
which is unrelated to the official website of the well-known banking institution.
This deceptive page/ WEBSITE is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use it for malicious purposes.
April 1, 2024 ==> Phishing Zimbra
SUBJECT: <
Supporto del servizio di assistenza Zimbra.>
(Zimbra service support)
This month we find a new phishing attempt, pretending to be a communication from the
Zimbra brand.
The message informs the recipient, that the latest IP security updates, have detected illegal attempts to access his/her e-mail account. Therefore, it is necessary to validate the account before it is blocked, i.e., within 24 hours.
The user is therefore invited to log in to his account through the following link:
Verifica (Verify)
Clearly, the well-known
Zimbra application software company is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
Analyzing the text of the message, we notice right away that the sender's e-mail address <
julius(dot)rusanganwa(at)rtda(dot)gov(dot)rw>, is not from the official
domain of Zimbra.
Anyone who unluckily clicks on the link, will be redirected to the displayed page.
The page where the user is redirected. is graphically well laid out and might lead the unsuspecting user to believe s/he is on the
Zimbra page.
It is, however, hosted on an anomalous address/domain, that is not traceable to the official
Zimbra's domain, and which we report below:
https[:]//firebasestorage[.]googleapis[.]com/v0/b/mmmmmuurrtte[.]appspot[.]com.....
Therefore, we urge you not to be in a hurry and to remember that in case of these cyber fraud attempts, it is necessary to pay attention to every detail, even trivial ones.
By proceeding to enter the requested data, specifically credit card details, these will be delivered to the cyber-criminals creators of the scam who will use them for criminal purposes.
A little bit of attention and glance, can save a lot of hassles and headaches...
We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
We invite you to check the following information on phishing techniques for more details:
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024..
06/02/2024 08:55
- Phishing: the most common credential and/or data theft attempts in February 2024...
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in January 2024...
11/12/2023 09:39 - Phishing: the most common credential and/or data theft attempts in December 2023...
03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023...
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023...
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023...
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023...
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023...
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023...
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
- it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
- through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
- Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices
VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer)..
TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.
You can upgrade to the PRO version by purchasing it directly from our website=> click here to order
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.
How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft's C.R.A.M. (Anti-Malware Research Center)