03/04/2024
10:23

Phishing: the most common credential and/or data theft attempts in APRIL 2024


Find out the most common phishing attempts you might encounter and avoid.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in April 2024:


22/04/2024 => Tiscali
18/04/2024 => Crédit Agricole
17/04/2024 => Altroconsumo
15/04/2024 => MailBox
14/04/2024 => BRT
09/04/2024 => WeTransfer
06/04/2024 => Aruba - Avviso di fattura scaduta (Overdue invoice notice)
05/04/2024 => Aruba - Rinnova il dominio (Renew your domain)
05/04/2024 => BRT
03/04/2024 => Crédit Agricole
02/04/2024 => Banco BPM
01/04/2024 => Zimbra

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible easily imaginable consequences.

April 22, 2024 ==> Phishing Tiscali

SUBJECT: <?Riattivare immediatamente il tuo account per evitarne la chiusura ******> (?Reactivate your account immediately to prevent its closure ******)

We analyze below a new phishing attempt that aims to steal TISCALI account login credentials.

Clicca per ingrandire l'immagine della falsa e-mail di Tiscali che cerca di indurre il ricevente a inserire le credenziali di accesso all'account.
The message informs the recipient that his account has been deactivated, then invites him to reactivate his account independently, including the reactivation of any previously deleted domains. The user can act through the following link:

RIATTIVARE ORA
(REACTIVATE NOW)

When we analyze the email, we see that it comes from an email address <assis[at]abv[dot]bg> not  traceable to the official TISCALI domain. This is definitely anomalous and should, at the very least, make us suspicious.
Clicca per ingrandire l'immagine del falso sito di TISCALI, dove viene richiesto di inserire le credenziali dell'account personale.
Anyone who unluckily clicks on the link RIATTIVARE ORA (REACTIVATE NOW), will be presented with the screen shown on the side image.
As we can see, we are redirected to a site that graphically simulates the TISCALI account login page. However, it is hosted on an anomalous address/domain, which we report below:

https[:]//https-selfcare-tiscali-it-unit-ecare-it-mytiscali[.]weebly[.]com/#email****

Given these considerations, we point out that you should NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.


April 17, 2024 ==> Phishing Altroconsumo

SUBJECT: <A soli 2€ per 2 mesi Friggitrice ad ARIA in REGALO conferma Ora > (Only 2€ for 2 months AIR fryer for FREE confirm now)

Below we analyze an attempt at fraud that lies behind a false communication by Altroconsumo, the well-known consumer organization, whose goal is to give information about products and protect consumers.

Clicca per ingrandire l'immagine del falsa e-mail che sembra provenire da Altroconsumo, che informa della possibilità di vincere un premio...in realtà si tratta di una TRUFFA!
It is a promotional message that seems to offer an unmissable opportunity. By becoming a member with this promotion, the consumer can get an air fryer for only 2 Euro for 2 months...or at least so it seems.

Certainly for many inexperienced users this is a real decoy.
Clearly Altroconsumo is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.


Analyzing the email, we notice that the message comes from an email address <blog[at]flash[dot]centronews[dot]net> not traceable to the official domain of Altroconsumo . This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
 
Clicca per ingrandire l'immagine del falso sito di Altroconsumo che invita a partecipare ad un sondaggio per vincere un premio...ma che in realtà è una TRUFFA!
we are redirected to a landing page that, although graphically well done (with misleading images and the authentic logo of Altroconsumo), does not seem trustworthy at all, as it is hosted on an anomalous address/domain. Here is the page:

"https[:]/offerta-altroconsumo[.it/friggitrice-2024/.....''

which is not from the official domain of Altroconsumo.


For new members of Altroconsumo there is an unmissable offer going on: for only 2 euros for 2 months you can get access to all the association's services, and you also receive an air fryer as fantastic prize. When we click on Approffitto dell'offerta (I Take advantage of the offer), we are taken to the next screens, where we are asked to answer some simple questions.

Here specifically is question 1. These are very general questions and request for the consumer's personal information, such as gender (Male or Female), first and last name, and e-mail address.
Clicca per ingrandire sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!
After the questions are completed, in order to become a member of Altroconsumo, you must provide your address information to receive the magazines and especially the fantastic prize: the Air Fryer!
Clicca per ingrandire sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!

This is it: by clicking  Continuare (Continue), we are taken to the last screen. Here we are prompted to enter our bank details to pay for the trial period of 2 Euros for 2 months, to become a member of Altroconsumo. We can then receive our prize at home.    

Clicca per ingrandire l'immagine del falso sito di Altroconsumo dove viene richiesto di inserire i proprii dati bancari per ricevere il premio...
The page hosting the data entry form looks graphically well done and misleading. It is outlined what is included for Altroconsumo members, such as "Le riviste di Altroconsumo direttamente a casa tua" (Altroconsumo magazines direct to your door); "Accesso ai comparatori di prodotti online", (Access to online product comparators); "Consulenza legale telefonica gratuita", (Free telephone legal advice); and "Scopri il programma Vantaggi Extra per accedere a un mondo di sconti", (Discover the Extra Benefits program to access a world of discounts).
In fact, the purpose of cyber criminals is precisely to trick you into entering your sensitive data and, in this case, your bank account data!

The page you are redirected to, for the entry of your personal data, is hosted on the following anomalous address/domain:

https[:]//offerta-altroconsumo[.]it/friggitrice-2024/iban?click_id=2mj9a3hns3eb3ir....

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, in this way your most valuable data are placed in the hands of cyber crooks, who can use them at will.


April 15, 2024 ==> Phishing Mailbox Almost Full

SUBJECT: <Mailbox Size Limit Exceeded For *****>

We analyze below another phishing attempt, that aims to steal email account login credentials.

Clicca per ingrandire l'immagine della falsa e-mail che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di posta elettronica.

The message, in English, informs the recipient that the storage space on his e-mail account is limited, and therefore some incoming messages are rejected. It invites him to solve this minor technical problem by increasing the storage space, via the link below:


VALIDATE NOW

When we analyze the e-mail, we notice that the message comes from an e-mail address unrelated to the e-mail server <info(dot)cibl-digital(dot)com>, and therefore does not come from the official domain of the mailbox.

Anyone who unluckily clicks on the link VALIDATE NOW, will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.


April 9, 2024 ==> Phishing WeTransfer

SUBJECT: <file>

We analyze below the phishing attempt that aims to steal WeTransfer account credentials
Clicca per ingrandire l'immagine della falsa e-mail di WeTransfer, che cerca di indurre il ricevente a cliccare sui link per rubare le credenziali di accesso all'account.

The message, in English, informs the recipient that he has received 1 file and can download it for viewing. It then invites him to log in to download the file, via the following link:

Get your files

When we analyze the email, we notice that the message comes from an email address <q4b404fa140af48168b32aefff(at)Hochster(dot)com(dot)eg> not traceable to the domain of WeTransfer.
This is definitely anomalous and should, at the very least, make us suspicious.

Clicca per ingrandire l'immagine del falso sito contraffatto che chiaramente non ha nulla a che vedere con la Webmail...
Anyone who unluckily clicks on the Get your files link, will be redirected to an anomalous WEB page, which is graphically well laid out, for the download of the referenced PDF/Docx file.
We report the page below:

https[:]//centralmoto[.]cl/Conexion/main[.]html....

We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.



April 6, 2024 ==> Phishing Aruba - Rinnova il dominio (Renew your domain)

SUBJECT: <Aruba.it - Avviso di fattura scaduta 06/04/2024> (Aruba.it - Overdue invoice notice 04/06/2024)

Phishing attempts, pretending to be communications from the Aruba brand, continue this month.

Clicca per ingrandire l'immagine della falsa e-mail di Aruba che induce l'utente ad effettuare il rinnovo del dominio, ma in realtà è una TRUFFA!
The message notifies the recipient that his domain hosted on Aruba, linked to his e-mail account, will expire on 06/04/2024. It then warns him to manually renew his services to avoid the deletion of the account and thus the deactivation of all services associated with it, including the mailboxes (and therefore the chance to receive and send messages).
It then invites the user to pay the indicated invoice no."123653914" of Euro 4.37 to renew the services, through the following link:

RINNOVA IL TUO DOMINIO (RENEW YOUR DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal is always to steal sensitive data of the unsuspecting recipient.

In order to induce the victim to renew his mailbox in a timely manner, the expiration date of 06/04/2024 is indicated. The technique of stating a deadline to conclude the procedure is intended to scare the user  and to push him/her to act immediately and without much thought.

Anyone who unluckily clicks on the link  RINNOVA IL TUO DOMINIO (RENEW YOUR DOMAIN),will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE.
Although the user may be prompted by haste and fear of mailbox suspension to complete the task quickly, we always urge you to pay close attention to every detail, even trivial ones.
If we enter our data into counterfeit websites, they will be delivered to the cyber-criminals behind the scam, who will use them for malicious purposes.

April 5, 2024 ==> Phishing Aruba - Rinnova il dominio (Renew your domain)

SUBJECT: <Rinnova il tuo dominio ****** in scadenza> (Renew your expiring ****** domain)

Phishing attempts pretending to be communications from the Aruba brand, continue this month.

Clicca per ingrandire l'immagine della falsa e-mail di Aruba che induce l'utente ad effettuare il rinnovo del dominio, ma in realtà è una TRUFFA!
The message notifies the recipient that his/her domain hosted on Aruba, linked to his e-mail account, will expire on 06/04/2024. It then warns him/her to manually renew his services to avoid the deletion of the account and thus the deactivation of all services associated with it, including the mailboxes, (and therefore the chance to receive and send messages).
It then invites the user to complete the renewal order, by choosing the most convenient payment method, through the following link:

RINNOVA CON UN CLIC  (RENEW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams, whose goal is always to steal sensitive data of the unsuspecting recipient.

Analyzing the message, we notice right away that the sender's e-mail address <communications-aruba(at)dronepops[.]com>, is not from Aruba's official domain.


In order to induce the victim to proceed with the timely renewal of his/her mailbox, the expiration date of 06/04/2024 is indicated. Since the e-mail was delivered on 05/04/2024, there is not much time left to carry out the renewal and prevent the deactivation of services.
The user is then proposed to activate automatic renewal to get rid of deadlines, and avoid thinking about service renewals. The procedure is simple and can be activated from the following link::

ATTIVA RINNOVO AUTOMATICO  (ACTIVATE AUTOMATIC RENEWAL)

Anyone who unluckily clicks on the link RINNOVA CON UN CLIC (RENEW WITH A CLICK), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.

April 5, 2024 ==> Phishing BRT

SUBJECT: <Il tuo pacco è stato bloccato a causa di un indirizzo di consegna errato.> (Your package was held up because of an incorrect delivery address)

The phishing attempt behind a false communication from BRT's service, concerning the delivery of an alleged package, continues this month.

Clicca per ingrandire l'immagine della falsa e-mail di BRT che informa il ricevente che il suo pacco è in giacenza e lo invita a riprogrammare la consegna, ma in realta' si tratta di una TRUFFA!
The message, reproduced on the side, refers to a shipment delivered to the BRT point, but due to an incomplete recipient address, the package will be returned to the sender. It then notifies the unsuspecting recipient that he can request redelivery of the package by filling out the request form from the website, by clicking on the following link:

Controlla il tuo pacchetto  (Check your package)

The message seems to come from the BRT courier company and, to make it more trustworthy, the well-known logo has been included; however, no identifying information about the shipment (such as the order number or tracking reference) is given. In addition, the alert message comes from an e-mail address <support(at)authentication(dot)aibiztools(dot)com> certainly not from the official domain of BRT. Clicca per ingrandire l'immagine del falso sito del corriere BRT dove si dovrebbe riprogrammare una spedizione in sospeso ma che in realtà è una TRUFFA!The purpose is clearly to get the user to click on the proposed link, which redirects to a web page designed to steal the victim’s sensitive data.
Let's analyze it in detail below.


From the link in the message we are redirected to a web page that simulates the official site of BRT. Although the site is graphically well done and includes the tracking number of the supposedly in-stock package <SH458378ZIT>,  the url address <<https[:]//rcq[.]vvg[.]mybluehost[.]me/brt[.]it/myBRT/home/paket[.]php>> is anomalous and not traceable to BRT.


When we click on  Pianifica una nuova consegna  (Schedule a new delivery), we are redirected to a new screen where we are prompted to indicate our desired delivery.
 
Clicca per ingrandire l'immagine del falso sito del corriere BRT dove si dovrebbe riprogrammare una spedizione in sospeso ma che in realtà è una TRUFFA!
We then select the date and click Continua (Continue). Now we are presented with a screen prompting us to update our parcel delivery information.
Clicca per ingrandire l'immagine del falso sito del corriere BRT dove si dovrebbe riprogrammare una spedizione in sospeso ma che in realtà è una TRUFFA!

 
Clicca per ingrandire l'immagine del falso sito del corriere BRT dove viene richiesto di inserir ei dati della carta di credito per pagare una spedizione in sospeso, ma che in realtà è una TRUFFA!
HERE IS THE SURPRISE! After clicking Continua  (Continue), we are in fact redirected to a data-entry FORM, that requires our credit card information to pay the shipping costs of the package.

The form page has the following url address: <<https[:]//rcq[.]vvg[.]mybluehost[.]me/brt[.]it/myBRT/home/tarjeta[.]php>> totally untrustworthy and not related to BRT at all.
The purpose is to induce the user to enter his personal information.

To conclude, we always urge you to be wary of any email that asks you to enter confidential data, and avoid clicking on suspicious links, which could lead to a counterfeit site difficult to distinguish from the original one. In fact in this way your most valuable data are put in the hands of cyber crooks and can be used for malicious purposes.

April 3, 2024 ==> Phishing Crédit Agricole

SUBJECT: < Importante: Azione richiesta per mantenere attivi i tuoi servizi online > (Important: Action required to keep your online services active)
 
Below we analyze the following phishing attempt, that comes as a fake communication from Crédit Agricole, the well-known French banking institution.

Clicca per ingrandire l'immagine della falsa e-mail di Credit Agricole, la Banca online che cerca di rubare i dati sensibili del destinatario...
The message informs the recipient that, as a result of updates of the bank’s system, he/she is asked to update his data to avoid suspension of online services.
It then invites the user to log in to update his/her data, via the following link:

Clicca qui (Click here)

Analyzing the message, we notice right away that it comes from an e-mail address not referable to the official domain of Crédit Agricole,<info(at)vascuion(dot)com>. We should always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the link Clicca qui (Click here), will be redirected to an anomalous WEB page, unrelated to the Crédit Agricole's official site, but which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals, who want to get hold of your most valuable data, in order to use them for illegal purposes.


April 2, 2024 ==> Phishing Banco BPM

«SUBJECT: <Attivazione obbligatoria per la Direttiva UE PSD2> (Mandatory activation for the EU PSD2 Directive)

The following is another phishing campaign, that spreads through an e-mail exploiting stolen graphics or similar to the graphics of a well-known national banking institution, in this case BANCO BPM. Hence it tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to enter his data, and fall into a social engineering trap.

Clicca per ingrandire l'immagine della falsa e-mail di Banco BPM, che cerca di rubare i dati dell'account...
The message alerts the unsuspecting recipient that, to ensure compliance with the EU PSD2 Directive, he or she is required to activate and authorize online credit card payments.
He/she is then urged to take the necessary steps immediately by clicking on:

Accedi
  (Log in)

We can see right away that the alert message comes from an e-mail address <autoreply76(at)sbardilat(dot)colognegolfer(dot)de>, that is very suspicious and contains a very generic text, although the cybercriminal had the graphic foresight to include the well-known BANCO BPM logo, that could mislead the user.

The purpose is to get the victim to log in to his/her home banking account.

Clicca per ingrandire l'immagine del falso sito contraffatto di BANCO BPM che chiaramente non ha nulla a che vedere con il noto istituto bancario...
Anyone who unluckily clicks on the link Accedi  (Log in), will be redirected to an anomalous WEB page, unrelated to the official site of BANCO BPM.
From the side image we can see that the web page is graphically well done, and quite well simulates the official website of the banking portal.

We also observe different Restricted Areas, according to the type of user who should log in: (YouWeb/ YouBusinessWeb/Tesoreria Enti) (YouWeb/ YouBusinessWeb/ Entity Treasury). All these elements have the aim of further reassuring the user about the truthfulness of the portal, although many links  do not lead to any of the expected pages.

Given these considerations, we urge you to pay close attention to any misleading details, and keep in mind that before proceeding to enter sensitive data - in this case, home banking credentials i.e., Holder Code and PIN - it is crucial to analyze the url address of the authentication form.
The landing page in this case is hosted on the url address:

hrrps://gruppo[-]bancobpm[-]account[.]id98xxx758.com...


which is unrelated to the official website of the well-known banking institution.

This deceptive page/ WEBSITE is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use it for malicious purposes.
 

April 1, 2024 ==> Phishing Zimbra

SUBJECT: <Supporto del servizio di assistenza Zimbra.>(Zimbra service support)

This month we find a new phishing attempt, pretending to be a communication from the Zimbra brand.

Clicca per ingrandire l'immagine della falsa e-mail di Zimbra che induce l'utente ad effettuare l'aggiornamento del proprio account, ma in realtà è una TRUFFA!
The message informs the recipient, that the latest IP security updates, have detected illegal attempts to access his/her e-mail account. Therefore, it is necessary to validate the account before it is blocked, i.e., within 24 hours.

The user is therefore invited to log in to his account through the following link:

Verifica (Verify)

Clearly, the well-known Zimbra application software company is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address <julius(dot)rusanganwa(at)rtda(dot)gov(dot)rw>, is not from the official domain of Zimbra.

Anyone who unluckily clicks on the link, will be redirected to the displayed page.

Clicca per ingrandire l'immagine del falso sito di Zimbra dove viene richiesto di effettuare la login al proprio acount..in realtà si tratta di una TRUFFA!
The page where the user is redirected. is graphically well laid out and might lead the unsuspecting user to believe s/he is on the Zimbra page.
It is, however, hosted on an anomalous address/domain, that is not traceable to the official Zimbra's domain, and which we report below:

https[:]//firebasestorage[.]googleapis[.]com/v0/b/mmmmmuurrtte[.]appspot[.]com.....

Therefore, we urge you not to be in a hurry and to remember that in case of these cyber fraud attempts, it is necessary to pay attention to every detail, even trivial ones.
By proceeding to enter the requested data, specifically credit card details, these will be delivered to the cyber-criminals creators of the scam who will use them for criminal purposes.

A little bit of attention and glance, can save a lot of hassles and headaches...

We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
 
We invite you to check the following information on phishing techniques for more details:

04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in  March 2024..
06/02/2024 08:55Phishing: the most common credential and/or data theft attempts in  February 2024...
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in  January 2024...
11/12/2023 09:39 -
Phishing: the most common credential and/or data theft attempts in  December 2023...
03/11/2023 08:58 - 
Phishing: the most common credential and/or data theft attempts in November 2023...
03/10/2023 16:35 - 
Phishing: the most common credential and/or data theft attempts in October 2023...
05/09/2023 10:35 - 
Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - 
Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - 
Phishing: the most common credential and/or data theft attempts in July 2023...
07/06/2023 15:57 - 
Phishing: the most common credential and/or data theft attempts in  June 2023...
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in  May 2023...
05/04/2023 17:34 - Phishing: the most common credential and/or data theft attempts in April 2023...

 
Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  •  freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer)..
 

VirIT Mobile Security l'Antimalware di TG Soft per Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

 
You can upgrade to the PRO version by purchasing it directly from our website=> click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.



TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: