03/05/2024
11:56

Phishing: the most common credential and/or data theft attempts in MAY 2024...


Find out the most common phishing attempts you might encounter and avoid.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in May 2024:

31/05/2024 => Aruba
22/05/2024 => GruppoBCC
22/05/2024 => Smishing  Banco BPM
20/05/2024 => Smishing ING Direct
19/05/2024 => LIDL
14/05/2024 => BRT
09/05/2024 => Istituto Bancario (Bank)
08/05/2024 => Shein
07/05/2024 => Aruba
03/05/2024 => iCloud
02/05/2024 => Aruba - Dominio in scadenza (Expiring domain)
02/05/2024 => PosteItaliane - Pacco in sospeso (Pending package)

These e-mails are intended to trick some unfortunate recipient into providing sensitive data (bank account details, credit-card codes or personal login credentials), with all the easily imaginable consequences.



May 22, 2024 ==> Phishing Gruppo BCC (BCC Group)

SUBJECT: <Problema di sicurezza! > (Security issue!) 


We find again this month the phishing campaign that spreads through an e-mail using graphics stolen from, or closely imitating, those of a well-known national bank. It passes itself off as an official communication in order to induce the unsuspecting recipient to do what is requested and fall into a social-engineering trap.

(Image: the fake e-mail of a well-known bank, designed to steal home-banking data)

The message alerts the recipient that, because of a security problem, "new changes" must be applied to avoid losing access to the portal, and that he or she must click on the proposed link: RELAXBANKING.IT/SICUREZZA
We see from the outset that the sender address <info(at)relaxing(dot)it>, although chosen to resemble the name shown in the link, is not Gruppo BCC's real domain. The text is also very generic, even though the cybercriminal had the graphic foresight to include the bank's well-known logo, which could mislead the user.

The purpose is to get the victim to log in and "renew the activation" of his or her banking app through the link RELAXBANKING.IT/SICUREZZA.
(Image: the counterfeit site, which clearly has nothing to do with the well-known bank)
Anyone who clicks on the link RELAXBANKING.IT/SICUREZZA is redirected to an anomalous web page that is unrelated to the bank's official website.

From the image shown on the side, we can see that the web page is graphically well designed and quite faithfully simulates the official banking portal, all with the aim of further reassuring the user that the portal is genuine.
Given these considerations, we urge you to pay close attention to any misleading details and remember that, before entering sensitive data (in this case the home-banking credentials, i.e. User Code and Password), it is crucial to examine the URL of the authentication form.

The landing page, in this case, is hosted on the url address:

https://dvcargo[.]ru/it/relaxit/

which is unrelated to the official website of the well-known bank.

This DECEPTIVE PAGE/SITE is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use it for malicious purposes.



May 22, 2024 ==> Smishing Banco BPM  

We analyze below two smishing attempts, spread through fake text messages purporting to come from Banco BPM, that try to pass themselves off as an official communication in order to induce the unsuspecting recipient to do what is requested and fall into a social-engineering trap.

(Image: EXAMPLE 1)
(Image: EXAMPLE 2)

In the messages above, the victim is notified that a payment of 1,280.00 euros has been requested from his or her bank account.
He or she is then asked to verify this payment request through the proposed link. The two messages are similar; what changes is the landing site, which points to two different URLs:

"https://ehs**[.]site/accesso" and "https://t.**/youbusinessweb[.]bancobpm[.]it"

Clearly, a recipient who is not a Banco BPM customer can more easily spot that the message is anomalous. Often, however, the recipient really is a customer of the bank, and the message arrives in the same SMS thread in which the bank delivers the codes that authorize credit-card payments (which happens when the attacker uses the same alphanumeric sender ID as the bank). It is therefore all the more important to know how to recognize these now widespread fraud attempts. Above all, remember that under no circumstances do banks or payment circuits ask customers to provide their payment-card details by e-mail, text message or phone call.

(Image: the fake site of the well-known bank, which tries to induce the victim to enter his or her account credentials: it is a SCAM!)
Back to the examples: first of all, the text message is very generic. It contains no identifying information about the account holder being alerted, which in itself should raise suspicion. Clearly, the cybercriminals' purpose is to get the user to click on the link at once, in order to "block" the unauthorized payment.

As we can see from the image shown, the web page you are redirected to is really well designed, both graphically and textually, and simulates the bank's official website quite convincingly.
To further reassure the user about the authenticity of the page, the cybercriminals had the foresight to include the authentic logo and to give the page the same graphics as the official website.

The account login page, however, is hosted on an anomalous address/domain that cannot be traced to the bank's official domain. We report it below:
"https://ehs**[.]site/accesso"
or
"https://t.**/youbusinessweb[.]bancobpm[.]it"

Note the second one: the bank's real host name appears only in the path, after an unrelated host (masked here), so a recipient who glances at the text and recognizes "bancobpm.it" is misled. Both links lead to a web page, hosted on two different domains, that looks the same.

If we enter our login details in this form, they are sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.
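Every case in this report ends with the same advice: look at the URL of the authentication form, not at the logo. The following Python script is an added example (not code from TG Soft or this report) that automates that check for the Gruppo BCC and Banco BPM landing pages above: it refangs the indicators as written here, extracts the host, reduces it to the registrable domain and compares that with the brand's own domain. It also flags the trick used in the second Banco BPM link, where the bank's real host name appears only in the path of an unrelated host, and the IP-like token embedded in the path of the bank phishing page analysed on May 9 below. The official domains (relaxbanking.it, bancobpm.it), the stand-in hosts t.invalid and bank.invalid replacing the parts the report masks, and the small two-label suffix set (a simplification of the Public Suffix List) are all assumptions of the example.

```python
"""Landing-page URL triage for the bank phishing cases in this report (added example)."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Undo the defanging conventions used in this report: [.] [:] (dot) (at) hxxp.
_DEFANG_RULES = [
    (re.compile(r"hxxp(s?)(?=://|\[:\])", re.I), r"http\1"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[at\]|\(at\)", re.I), "@"),
]


def refang(text: str) -> str:
    """Turn a defanged indicator back into a real URL or address."""
    for pattern, repl in _DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


# Simplification: a few two-label public suffixes. Real code should consult the
# full Public Suffix List (e.g. the publicsuffix2 package).
_TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody had to register (eTLD+1)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # bare IP literal: no domain was registered at all
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


# A dotted quad sitting inside a path, as in the May 9 bank case.
_IPV4_TOKEN = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def triage_url(url: str, brand: str, official_domains: set[str]) -> dict:
    """Classify a (possibly defanged) URL against the brand it pretends to be."""
    parts = urlsplit(refang(url.strip()))
    host = parts.hostname or ""  # .hostname is already lower-cased
    if parts.scheme not in ("http", "https") or not host:
        return {"host": None, "registrable": None, "verdict": "unparseable", "findings": []}
    reg = registrable_domain(host)
    if reg in official_domains:
        return {"host": host, "registrable": reg, "verdict": "official-domain", "findings": []}
    findings = []
    brand_lc = brand.lower()
    if brand_lc in host:
        findings.append("brand name used as a subdomain of an unrelated registrable domain")
    if brand_lc in (parts.path + "?" + parts.query).lower():
        findings.append("brand name appears in the path/query")
    if _IPV4_TOKEN.search(parts.path):
        findings.append("IP-like token embedded in the path")
    if parts.scheme == "http":
        findings.append("login page served over plain HTTP")
    return {"host": host, "registrable": reg, "verdict": "not-official", "findings": findings}


# Constructed from the URLs quoted in this report. Official domains and the
# hosts t.invalid / bank.invalid (standing in for masked parts) are assumptions.
SAMPLES = [
    ("https://dvcargo[.]ru/it/relaxit/", "relax", {"relaxbanking.it"}),
    ("https://t.invalid/youbusinessweb[.]bancobpm[.]it", "bancobpm", {"bancobpm.it"}),
    ("https[:]//santoshowers[.]com/it/APP1[.]217[.]198[.]140[.]128-732b28224b4f7", "bank", {"bank.invalid"}),
    ("https://www.bancobpm.it/", "bancobpm", {"bancobpm.it"}),
]

if __name__ == "__main__":
    for url, brand, official in SAMPLES:
        result = triage_url(url, brand, official)
        print(f"{url}\n  -> {result['verdict']} ({result['registrable']}) {result['findings']}")
```

The verdict is driven by the registrable domain alone: a brand name in a subdomain, in the path or in the link text carries no weight, which is exactly the opposite of how a hurried reader scans a URL.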




May 20, 2024 ==> Smishing ING Direct

We analyze below a new smishing attempt, spread through a text message that simulates a communication from ING Direct.

(Image: the fake SMS apparently from ING Direct, which tries to induce the recipient to click on the link so that his or her current-account credentials can be stolen)
It is an alert SMS notifying the recipient that his or her private area has been accessed from an anomalous device. A link is then given to "block" the suspicious user.

Certainly, if the recipient is not actually an ING Direct customer, he or she can more easily realize that something is wrong. But even a real customer should remember that under no circumstances do banks ask for customers' personal data, and especially home-banking credentials, by SMS or e-mail.

In fact, we see that the purpose of the cyber criminals is to lead the user, alerted by the report of anomalous access, to quickly click on the link https://urlz[.]**/q**w.

The link, already at a glance, is not referable to the official website of the well-known banking institution; in fact, it redirects to a page that is unrelated to the official website of ING Direct. Let’s analyze it below in detail.

As we can see from the image shown, the web page reached through the link in the text message simulates the official ING Direct website quite well, and is set up in a way that is reasonably deceptive for an inexperienced user, both graphically and textually.

(Image: the FAKE ING Direct website, which first asks the recipient for identifying data, with the aim of then stealing the online current-account credentials)
To reassure the user about the authenticity of the page, the cybercriminals had the foresight to insert the authentic ING Direct logo and to give the page the same graphics as the official website.

When we click on Accedi (Sign In), we are prompted to identify ourselves by entering the Client Code and Phone Number.
Most likely, after this first identification step, clicking on Continua (Continue) leads to another screen requesting further sensitive data; the scammers' true goal remains, of course, to steal the home-banking access codes.
Although the authentication form looks well designed, we urge you to pay particular attention to the URL of the login page, which is hosted on an address/domain unrelated to ING Direct.
If we enter our personal information to log in to our ING Direct current account, it is sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.

To conclude, we always urge you to be wary of any form requesting the entry of confidential data, and avoid clicking on suspicious links that may lead to a counterfeit site difficult to distinguish from the original one. If you are unsure about the origin of the website, your bank account login information, credit card information or other sensitive data should not be entered under any circumstances, otherwise you are putting your most valuable data in the hands of cyber crooks who would use it at their will.


May 19, 2024 ==> Phishing LIDL

SUBJECT: <Re: 'Hai vinto un KitchenAid' > (Re: 'You won a KitchenAid')

Below we analyze the scam attempt behind a false communication that exploits the well-known company LIDL.

(Image: the fake e-mail that appears to come from LIDL, announcing the chance to win a prize: in reality it is a SCAM!)
It is a promotional message that seems to offer an unmissable opportunity. The lucky user has been selected to take part in a loyalty program, by completing a survey, that will allow him or her to win a prize: a brand-new KitchenAid... or so it seems.
Certainly, behind this phishing there is a real decoy for many inexperienced users.
Clearly LIDL has nothing to do with the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.
So keep an eye out: all it takes to avoid unpleasant incidents is a little attention and a quick glance.

When we analyze the email, we notice that the message comes from an email address <nw102534[at]stuwk[dot]com> not traceable to the official domain of LIDL . This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:

(Image: the fake LIDL site inviting the user to take part in a survey to win a prize... which is in reality a SCAM!)
We are redirected to a landing page that, although graphically well designed (with misleading images and the authentic LIDL logo), does not look trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:

"https[:]//hangardores[.]cfd/1105.....''

which has no connection with LIDL.
The cybercriminals behind the scam try to make the user finish the survey quickly by claiming that only a few people can win and that the gifts are about to run out. There is also a countdown timer at the bottom of the screen which, when it runs out (as we let it do in our test), simply restarts: a telltale sign that the deadline is fake.

When we click on LO VOGLIO (I WANT IT), we are taken to the next screens, where we are asked to answer 8 questions.

Here, specifically, is question 1/8. These are very general questions about the degree of satisfaction with the services offered by LIDL and about consumers' daily habits. Here, too, a countdown prompts the user to complete the process quickly in order to get the prize.
(Image: the survey that would supposedly let you win a prize... which is in reality a SCAM!)
At the end of the survey we can finally claim our prize: a KitchenAid Stand Mixer said to be worth 1,101.61 euros but costing us nothing.
We only have to pay the shipping costs, which are supposed to be small.
But let's hurry: there seem to be only 2 left in stock...
(Image: the end of the survey, with the prize to claim... which is in reality a SCAM!)

''Congratulazioni! Abbiamo riservato (1) KitchenAid Stand Mixer esclusivamente per te.''
(Congratulations! We have reserved (1) KitchenAid Stand Mixer exclusively for you.)


Here we go: all we need to do is enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered...

(Image: the fake LIDL site showing the instructions for receiving the prize)
To add credibility, many comments from customers who supposedly took part in the survey are displayed. They are all testimonials confirming that the prize was really delivered, reassuring the reader that this is not a scam...
Surely, if so many users were lucky, why not try your luck?!
(Image: the fake LIDL site listing reviews from users who supposedly received the prize... which is in reality a SCAM!)
Then, when we click on Continua (Continue), we are sent to a further page to enter our shipping address and pay the shipping costs.
The page hosting the data-entry form, however, has already been flagged as a deceptive website/page. The cybercriminals' purpose is to induce the victim to enter his or her sensitive data: to "complete the purchase" the user is asked to pay the shipping costs, modest as they are, by entering his or her credit-card details.
The page where we are redirected, to enter our personal data, is hosted on an abnormal address/domain, which we report below:

https[:]//holdcXXp[.]com/?sxid.....


To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. Otherwise your most valuable data end up in the hands of cyber crooks, who can use them at will.



May 14, 2024 ==> Phishing BRT

SUBJECT: <Il tuo pacchetto Nr. US356791 con il seguente prodotto non puo essere consegnato (Your package No. US356791 with the following product cannot be delivered)

We analyze below a new phishing attempt hidden behind a false communication from the well-known express courier BRT.
(Image: the e-mail apparently from BRT informing the recipient of a pending shipment: it is a SCAM!)
The message, shown on the side, refers to a shipment that could not be delivered because the recipient was absent.
In order to release the shipment, we are asked to reconfirm the address by clicking on one of the links provided.

The first red flag about the authenticity of the alert is the origin of the message: the sender is ambiguous and cannot be traced to BRT, the courier supposedly entrusted with the shipment. To mislead the user, on the other hand, an alleged order number, ''package No. US356791'', is quoted, together with a TRACKING ID and a link for tracking verification. All of it is bogus.
The purpose clearly is to get the user to click on one of the several links provided, especially:

CONTROLLA QUI (CHECK HERE)

which connects to a web page that has, as always, the goal of inducing the user to enter his sensitive data.
Let's analyze it in detail below.


From the link in the message, we are redirected to a page that simulates the official BRT courier site. The page, graphically poor, refers to (1) pending message and prompts us to click on Conferma (Confirm). We also observe that the URL is anomalous and cannot be traced to BRT.
(Image: the fake BRT courier site where a pending shipment should be tracked... which is in reality a SCAM!)

A first screen shows a precise tracking code (29194772). If we click on Pianifica la consegna (Schedule Delivery), we get information about the package, in particular its status. Unlike what the e-mail stated, the package appears to be held at the distribution center for unpaid customs fees of 1.95 euros, not because the recipient was absent: a highly suspicious inconsistency. The URL, again anomalous, remains unchanged: https://orchidcorp[.]world/801...
 
(Image: the fake BRT courier site where a pending shipment should be tracked... which is in reality a SCAM!)


Then, by clicking on Pianifica la consegna ora (Schedule Delivery Now), we are asked to choose the method for the new delivery, followed by a request to specify the preferred days.

(Image: the fake BRT courier site where a pending shipment should be tracked... which is in reality a SCAM!)

Here we are finally at the end of the rescheduling procedure, which should conclude with the confirmation of the data. For the delivery to take place, however, payment of the shipping charges is required...

(Image: the fake BRT courier site where a pending shipment should be tracked... which is in reality a SCAM!)

(Image: the fake FORM to which the user is redirected to release a pending shipment, which asks for credit-card details: it is a SCAM!)
Here's the surprise.
After clicking on Inserisci le informazioni di consegna (Enter Delivery Information), we are redirected to a data-entry FORM that requires, in addition to ''Nome'' (First Name), ''Cognome'' (Last Name), ''Indirizzo'' (Address), ''Numero di telefono'' (Phone Number) and ''E-Mail'', our credit-card details, to pay as much as 9.99 euros for shipping costs (the previous screen had mentioned a fee of under two euros!).

We notice that the form page has a different URL from the page seen above, but it is in any case completely untrustworthy and wholly unrelated to BRT or to any known payment circuit.
The purpose is to get the user to enter his or her personal data.
On the side we show in detail the screenshot of the completion form.

To conclude, we always urge you to be wary of any email that asks you to enter confidential data, and avoid clicking on suspicious links, which could lead to a counterfeit site difficult to distinguish from the original one. In fact in this way your most valuable data are put in the hands of cyber crooks, and can be used at will.   

May 9, 2024 ==> Phishing Istituto Bancario (Bank)

SUBJECT <Importante: attivare il nuovo sistema di sicurezza > (Important: activate the new security system)

We find again this month the phishing campaign that spreads through an e-mail using graphics stolen from, or closely imitating, those of a well-known national bank. It passes itself off as an official communication in order to induce the unsuspecting recipient to enter his or her data and fall into a social-engineering trap.
(Image: the fake e-mail of a well-known bank, designed to steal home-banking data)

The message notifies the recipient that, as of 12/05/2024, he or she will no longer be able to use the card unless the "new web security system" is activated. The procedure is said to be simple and to take only 3 minutes, using the following link:

Clicca qui (Click here)

We can see right away that the alert comes from a very suspicious e-mail address, <******(at)update[-]del[-]account(dot)net>, and contains a very generic text, although the cybercriminal had the graphic foresight to include the bank's well-known logo, which could mislead the user.
The purpose is to get the victim to log in to his or her home-banking account.

(Image: the counterfeit site, which clearly has nothing to do with the well-known bank)
Anyone who clicks on the link Clicca qui (Click here) is redirected to an anomalous web page unrelated to the bank's official site.
From the side image, we can see that the page is graphically well designed and quite faithfully simulates the official banking portal.
We also see sub-menus such as Persone e Famiglie (People and Families), Giovani (Youth) and Business, which identify the type of user, all with the aim of further reassuring the victim that the portal is genuine. Many of the links, however, do not lead to the expected pages.
With this in mind, we urge you to pay close attention to any misleading details and remember that, before entering sensitive data (in this case the home-banking credentials, i.e. Holder Code and PIN), it is crucial to examine the URL of the authentication form.


In our example, the landing page is hosted on the following url address:

https[:]//santoshowers[.]com/it/APP1[.]217[.]198[.]140[.]128-732b28224b4f7...

which is unrelated to the official website of the well-known bank. 

This DECEPTIVE PAGE/SITE is run by cyber-criminals, whose goal is to get hold of your most valuable data, in order to use it for malicious purposes.



May 8, 2024 ==> Phishing Shein

SUBJECT: <Hai*Vinto..Una ScaTola**Misteriosa di SHEIN > (You*Won..A SHEIN Mysterious** Box)

Below we analyze a scam attempt hidden behind a false communication from the well-known company SHEIN.

(Image: the fake e-mail that appears to come from Shein, announcing the chance to win a mystery box: in reality it is a SCAM!)
It is a promotional message presenting an opportunity to win a prize. The lucky user has been selected to take part in a survey to win Shein's mystery box... or so it would seem.
Certainly, for many inexperienced users, behind this phishing there is a real decoy.
The well-known Chinese online retailer SHEIN clearly has nothing to do with the mass mailing of these malicious campaigns, which are real scams whose goal remains, as usual, to steal the unsuspecting recipient's sensitive data.
So keep an eye out: all it takes to avoid unpleasant incidents is a little attention and a quick glance.

When we analyze the e-mail, we see that the message comes from an e-mail address, <AG5GRSYJU47WFN[at]rolinfo[dot]de>, that cannot be traced to SHEIN's official domain. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link INIZIA IL SONDAGGIO (START THE SURVEY), here is what happens:

(Image: the fake SHEIN site inviting the user to take part in a survey to win a prize... which is in reality a SCAM!)
We are redirected to a landing page that, although graphically well crafted (with misleading images and the authentic SHEIN logo), does not look trustworthy at all.
In fact, the survey is hosted on the following anomalous address/domain:

"https[:]//vutida[.]opinionjet[dot]com/.......''

which has no connection with SHEIN.
The cybercriminals running the scam, in order to make the user finish the survey quickly and hand over his or her sensitive data, pretend that the offer is about to expire. At the bottom of the screen there is also a countdown timer which, when it runs out (as we let it do in our test), immediately restarts: rather weird.


If we click on INIZIA IL SONDAGGIO (START SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.

Here, specifically, is question 1/8. These are all very general questions about the degree of satisfaction with the SHEIN shopping site and the products sold. We notice that the countdown timer is present here too, to prompt the user to complete the process quickly in order to get the prize.
(Image: the survey that would supposedly let you win a prize... which is in reality a SCAM!)
After the survey is completed, we can finally claim our prize: Shein's Mystery Box, said to be worth 399.99 euros but costing us nothing. We only have to pay the shipping costs... which are supposed to be small.
Better hurry up and finish the procedure.
(Image: the end of the survey, where delivery of the prize can supposedly be claimed... which is in reality a SCAM!)
To add credibility, many comments are also displayed from customers who appear to have already taken part in the survey. They are all reassuring testimonials about the actual delivery of the prize and, therefore, about the trustworthiness of the message; some are even documented with photos of the prize received.
If so many users were lucky, why not try to claim the delivery?!

(Image: the fake SHEIN site with reassuring comments about the possible win... which is in reality a SCAM!)

Here we go: all we need to do is enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered...
(Image: the fake SHEIN site showing the instructions for receiving the prize)
Then we are sent to a further page, shown in the image below, to enter our shipping address and pay the shipping charges.
(Image: the fake SHEIN site asking the user to enter his or her data to receive the prize... which is in reality a SCAM!)
The page hosting the data-entry form looks graphically well designed and misleading. Too bad that, in order to complete the process, we must pay the shipping costs, which, modest as they are, require entering credit-card details to "finish the purchase".
In fact, the cybercriminals' purpose is precisely to trick you into entering your sensitive data and, in this case, your credit-card data!

The page you are redirected to in order to enter your personal data is hosted on yet another anomalous address/domain, which we report below:

https[:]//getmobilemarvelhub[dot]click/....

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links which may lead to a counterfeit site. In fact, in this way your most valuable data are stolen by cyber crooks, who can use them at will.


May 7- 31, 2024 ==> Phishing Aruba - Rinnova il dominio (Renew your domain)

SUBJECT: <Il tuo dominio sta per scadere, rinnova subito> (Your domain is about to expire, renew now)

Phishing attempts pretending to be communications from the Aruba brand continue this month.
(Image: the fake Aruba e-mail inducing the user to renew the domain, which is in reality a SCAM!)
Clearly, the well-known web-hosting, e-mail and domain-registration company has nothing to do with the mass sending of these e-mails, which are real scams whose goal remains, as usual, to steal the unsuspecting recipient's sensitive data.
The message informs the user that his or her domain, hosted on Aruba, will expire soon and that three days are left to renew it.
In case of non-renewal, on the expiration date of 09/5/2024 all domain services will be suspended: the website will no longer be visible and the e-mail box will stop working, until the renewal is made.

The short time frame given for the renewal, is certainly intended to put pressure on the user who, driven by fear of e-mail blocking, acts immediately, without paying due attention. 

It is, in fact, a phishing attempt aimed to steal the personal data of unsuspecting users.
So keep an eye out... all it takes to avoid unpleasantness is a little attention and a quick glance.

Analyzing the e-mail, we see that the sender, <communications[-]aruba[at]adrocoaching[dot]it>, clearly cannot be traced to Aruba's official domain: a very anomalous and suspicious fact.


In order to renew, the user is asked to click on the following link, which as displayed looks like an Aruba address:

https[:]//managehosting[.]aruba[.]it/Rinnovi.....''

(Image: the screen that appears when clicking the renewal link... which is in reality a SCAM!)
Anyone who clicks on it, however, is redirected to a landing page unrelated to Aruba's official domain, albeit with well-designed graphics. What is written in the message is not necessarily where the click takes you: in an HTML e-mail the visible text of a link and its actual destination are two different things.

The user is then invited to access his or her client area by entering username and password, in order to renew the domain and avoid the suspension of the related services.

Although haste and fear of mailbox suspension may push you to complete the task quickly, we always urge you to pay close attention to every detail, even trivial ones.
If you enter your data into a counterfeit website, they are delivered to the cybercriminals behind the scam, who can use them for malicious purposes.
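Both the Gruppo BCC e-mail above (link text RELAXBANKING.IT/SICUREZZA, landing page on dvcargo[.]ru) and this Aruba e-mail (a link shown as managehosting[.]aruba[.]it that lands elsewhere) rely on the visible text of a link saying something different from its destination. The screenshots do not show the raw HTML, so whether the href itself pointed elsewhere or the displayed host redirected cannot be told from the report; the following Python snippet is an added example (not code from TG Soft or this report) that detects the first, and most common, construction in a constructed HTML body. The href host landing.example stands in for the real destination, which the report does not give for the Aruba case.

```python
"""Flag anchors whose visible text names a host other than the href's host (added example)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text,
# with or without a scheme: "RELAXBANKING.IT/SICUREZZA", "https://managehosting.aruba.it/Rinnovi".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, including text nested in <b>, <span>, etc."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _registrable(host: str) -> str:
    # Simplification: last two labels; real code should use the Public Suffix List.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html: str) -> list[dict]:
    """Return every link whose displayed host belongs to a different registrable domain than its href."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain "Conferma"-style text: nothing to compare
        shown = match.group(1).lower()
        real = _host(href)
        if _registrable(shown) != _registrable(real):
            mismatches.append({"text": text, "shown_host": shown, "real_host": real})
    return mismatches


# Constructed HTML body. The first two links reproduce the text/landing pairs quoted in
# this report; landing.example is a placeholder for the undisclosed Aruba destination.
SAMPLE_HTML = """
<p>Problema di sicurezza! <a href="https://dvcargo.ru/it/relaxit/">RELAXBANKING.IT/SICUREZZA</a></p>
<p>Rinnova il dominio: <a href="https://landing.example/rinnovo"><b>https://managehosting.aruba.it/Rinnovi</b></a></p>
<p><a href="https://www.aruba.it/">www.aruba.it</a> &middot; <a href="https://landing.example/go">Conferma</a></p>
"""

if __name__ == "__main__":
    for item in find_mismatched_links(SAMPLE_HTML):
        print(f"'{item['text']}' shows {item['shown_host']} but goes to {item['real_host']}")
```

Run it over the HTML part of a suspicious message before anyone clicks; a link whose text is a URL is the only kind where this comparison is meaningful, which is why links with button-style text are skipped rather than reported.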


May 03, 2024  ==> iCloud

SUBJECT: <Avviso finale: le tue foto e i tuoi video verranno eliminati, agisci! > (Final warning: your photos and videos will be deleted, take action!)

Below we analyze the scam attempt hidden behind a fake communication from iCloud, the Apple service that lets users store photos, videos and documents. The message warns users that their documents will soon be deleted.

(Image: the "storage space exhausted" warning... which is in reality a SCAM!)
Clearly iCloud has nothing to do with the sending of these malicious campaigns, which are real scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.
So keep an eye out: all it takes to avoid unpleasantness is a little attention and a quick glance.

Analyzing the e-mail, we see that the sender is <elpais[at]newsletter[dot]elpais[dot]com> and that replies are invited to <boletines[at]elpais[dot]es>. Neither address can be traced to iCloud's official domain, and the Reply-To pointing to yet another domain is a further anomalous and suspicious fact.

However, if we click on clicca qui (click here), we are redirected to a page that, although graphically well designed, does not look trustworthy at all. In fact, it is hosted on an anomalous address/domain, unrelated to iCloud's official domain.
The page is:

"https[:]//guitarrunner[.]online/33.....''

In the image below, a banner warns the user that his or her iCloud storage space is full and that, without prompt action, photos, videos and the iCloud Drive account will no longer update and saved documents will be deleted. The user is then asked to continue in order to avoid losing all data.

(Image: the "storage space exhausted" warning... which is in reality a SCAM!)

When we click on Continua (Continue), a page shows how to prevent photos, videos and documents from being lost forever.
With a "loyalty program", we only need to pay $1.95 to get an additional 50 GB of storage space. To join this special offer, we have to answer 3 simple and generic questions (such as the country of origin), which give the cybercriminals information about the user.


(Image: the fake iCloud site asking the user to answer 3 questions to receive 50 GB... which is in reality a SCAM!)
At the end of the questions, we can request the extra storage space to keep all stored data.

(Image: the fake iCloud site where, after answering 3 questions, 50 GB of additional space can be requested...)

Here we are: when we click on Continua (Continue), we are redirected to the last screen, where we are prompted to enter our personal information and pay $1.95 USD to get the additional 50 GB of storage space.

(Image: the page to which the user is sent to pay $1.95... which is in reality a scam)
In fact, the cybercriminals' purpose is precisely to trick you into entering your sensitive data!

The page where we enter our data is hosted on the following anomalous address/domain:

https[:]//gryoulucky[.]com/it/....

To conclude, we always urge you to be careful and avoid clicking on suspicious links that could lead to a counterfeit site, putting your most valuable data in the hands of cyber crooks, who can use it at their will.



May 2, 2024 ==> Phishing Aruba - Dominio in scadenza (Expiring domain)

SUBJECT: <Dominio **** in scadenza, perchè rinnovare?> (Domain **** expiring, why renew?)

Phishing attempts, pretending to be communications from the Aruba brand, continue this month.

Image: the fake Aruba e-mail that induces the user to renew the domain, but which in reality is a SCAM!
The message informs the recipient that his/her domain hosted on Aruba, linked to the e-mail account, will expire on 03/05/2024. In order not to lose the domain and to avoid deletion of the account, with the deactivation of all services associated with it - including email accounts - the account simply has to be renewed. In addition, automatic renewal of services can be activated so as to be worry-free.
The email then invites the user to access his or her personal area, by entering login and password, and to pay through the following link:

RINNOVA ORA CON UN CLICK  (RENEW NOW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams, whose goal is always to steal sensitive data of the unsuspecting recipient.

To induce the victim to renew his or her mailbox promptly, the expiration date of 03/05/2024 is indicated. Stating a deadline for completing the procedure is intended to scare the user and push him or her to act immediately, without much thought.

Anyone who unluckily clicks on the link RINNOVA ORA CON UN CLICK (RENEW NOW WITH A CLICK), will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE.
Although haste and fear of mailbox suspension may prompt the user to complete the task quickly, we always urge you to pay close attention to every detail, even trivial ones.
If we enter our data into counterfeit websites, they will be delivered to the cyber-criminals behind the scam, who will use them for malicious purposes.



May 2, 2024 ==> Phishing PosteItaliane

SUBJECT: <IMPORTANTE!> (IMPORTANT!)

We find again this month the phishing attempt hidden behind a false communication from PosteItaliane, concerning the delivery of an alleged package.

Image: the fake BRT e-mail informing the recipient that the package is being held and inviting him or her to reschedule delivery, but which in reality is a SCAM!
The message, which we reproduce alongside, refers to the delivery notification of a shipment that cannot be delivered because of unpaid shipping costs. In order to receive the package, the recipient must pay shipping charges of €2 by clicking on the following link:

https[:]//pоstе[.]it/spedizione/RA20100253652IT

The message seems to come from PosteItaliane, however no identifying information about the shipment - such as order number or tracking reference - is given. In addition, the message comes from an e-mail address <support(at)ddosed(dot)be> obviously not traceable to the official domain of PosteItaliane. The purpose is clearly to lead the user to click on the proposed link, which redirects to a web page designed to steal the user’s sensitive data.

Image: the fake BRT e-mail informing the recipient that the package is being held and inviting him or her to reschedule delivery, but which in reality is a SCAM!
From the link in the message we are directed to a web page, that simulates the official website of PosteItaliane. Although the site may be misleading because of the inclusion of the well-known PosteItaliane logo and the specification of the tracking number of the parcel <RA20100253652IT>, we observe that the url address is anomalous and not traceable to PosteItaliane:

<<https[:]//ylw[.]jru[.]mybluehost[.]me/pacchetto/it/9655>> 
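The checks this bulletin performs by hand for the iCloud and PosteItaliane messages above (do the From / Reply-To addresses belong to the brand's real domain, and do the links in the body point at that domain) can be scripted. The Python below is an added example, not TG Soft's code; besides the two domain checks it also flags link hostnames that contain non-ASCII look-alike letters, showing the IDNA (punycode) name that DNS actually resolves. All sample messages, addresses and hostnames are constructed for the example: the `.test` domains are placeholders, and the look-alike hostname is assembled from Cyrillic letters on purpose and is not an observed indicator. The `registrable()` helper is a two-label approximation of the registrable domain; a production tool would use the Public Suffix List.

```python
"""Triage checks for e-mails like the iCloud and PosteItaliane examples above.
Added example, not TG Soft's code. Samples, addresses and hostnames below are
constructed; the look-alike host is assembled from Cyrillic letters on purpose.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlparse

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable(host: str) -> str:
    """Last two labels of a hostname (approximates the registrable domain;
    a production tool should consult the Public Suffix List instead)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value: str) -> str:
    """Domain part of the address found in a From / Reply-To header."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def to_punycode(host: str) -> str:
    """IDNA form of a hostname: a label with non-ASCII letters becomes
    'xn--...', which is what DNS and the browser actually resolve."""
    return host.lower().encode("idna").decode("ascii")


def has_lookalike_chars(host: str) -> bool:
    """True if any character of the hostname lies outside ASCII."""
    return any(ord(c) > 127 for c in host)


def triage(raw_message: bytes, brand_domains: Set[str]) -> Dict[str, object]:
    """Return the reasons (if any) to treat the message as phishing."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings: List[str] = []

    # 1. sender and reply-to addresses must belong to a domain the brand owns
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value is None:
            continue
        dom = registrable(address_domain(str(value)))
        if dom not in brand_domains:
            findings.append(f"{header} domain {dom!r} is not a brand domain")

    # 2. every link must point at the brand's domain, and must not use
    #    look-alike letters to merely appear to do so
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    link_hosts: List[str] = []
    for url in LINK_RE.findall(text):
        host = urlparse(url).hostname or ""
        link_hosts.append(host)
        if has_lookalike_chars(host):
            findings.append(f"link host {host!r} uses non-ASCII look-alike "
                            f"characters (resolves as {to_punycode(host)})")
        elif registrable(host) not in brand_domains:
            findings.append(f"link host {host!r} is not on a brand domain")

    return {"suspicious": bool(findings), "findings": findings,
            "link_hosts": link_hosts}


# --- constructed samples (not real messages) --------------------------------
SAMPLE_ICLOUD = b"""From: Storage Notice <newsletter@example-news.test>
Reply-To: bulletins@example-reply.test
Subject: Il tuo spazio di archiviazione e pieno
Content-Type: text/plain; charset="utf-8"

Clicca qui per continuare: https://example-lucky.test/it/offer
"""

# Latin "poste" with Cyrillic o (U+043E) and e (U+0435): displays like poste.it
LOOKALIKE_HOST = "p\u043est\u0435.it"
SAMPLE_POSTE = f"""From: Poste Support <support@example-sender.test>
Subject: IMPORTANTE!
Content-Type: text/plain; charset="utf-8"

Paga 2 EUR per ricevere il pacco: https://{LOOKALIKE_HOST}/spedizione/TRACK-PLACEHOLDER
""".encode("utf-8")

SAMPLE_LEGIT = b"""From: Poste Italiane <noreply@poste.it>
Subject: Stato della spedizione
Content-Type: text/plain; charset="utf-8"

Traccia la spedizione: https://www.poste.it/tracking
"""

if __name__ == "__main__":
    for name, raw, brands in (("icloud", SAMPLE_ICLOUD, {"icloud.com", "apple.com"}),
                              ("poste", SAMPLE_POSTE, {"poste.it"}),
                              ("legit", SAMPLE_LEGIT, {"poste.it"})):
        result = triage(raw, brands)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it reports the two constructed phishing samples as suspicious (sender domain, reply-to domain and link host for the first; sender domain and look-alike host for the second) and the legitimate sample as clean. The same mismatch logic applies to the Aruba message: a renewal link that does not sit on the brand's own domain is the tell, whatever the deadline in the text says.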

To conclude, we always urge you to be wary of any email that asks for confidential data, and to avoid clicking on suspicious links, which could lead to a counterfeit site that is difficult to distinguish from the original one, putting your most valuable data in the hands of cyber crooks for their own use.

A little attention and a careful look can save a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, whenever they resurge it is quite likely that more than a few unfortunate users will fall for them.

We invite you to check the following information on phishing techniques for more details:


03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024...
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024...
06/02/2024 08:55 - Phishing: the most common credential and/or data theft attempts in February 2024...
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in January 2024...
11/12/2023 09:39 - Phishing: the most common credential and/or data theft attempts in December 2023...
03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023...
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023...
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023...
07/06/2023 15:57 - Phishing: the most common credential and/or data theft attempts in June 2023...
03/05/2023 17:59 - Phishing: the most common credential and/or data theft attempts in May 2023...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  •  freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically, and to send the reported files to TG Soft's C.R.A.M.;
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is an Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).

VirIT Mobile Security, TG Soft's Anti-Malware for Android™

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.


You can upgrade to the PRO version by purchasing it directly from our website => click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail client to the following mailbox, lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program in use. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
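"Forward as Attachment" in step 1 matters because an inline forward rewrites the message: the original Return-Path, Received and From headers, which an analyst needs to trace where a phishing e-mail really came from, are lost, whereas embedding the untouched message as a message/rfc822 part keeps them. The Python below is an added example, not TG Soft's code, of building such a report message and reading the original back out of it. The sample phishing message, its headers and the reporter's address are constructed placeholders; the destination mailbox is the one given in step 1.

```python
"""Package a suspicious e-mail as a message/rfc822 attachment for analysis.
Added example, not TG Soft's code. The sample message and the reporter
address are constructed; the analysis mailbox is the one named in step 1.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

ANALYSIS_MAILBOX = "lite@virit.com"   # mailbox named in step 1 above
REPORTER = "user@example.test"        # constructed reporter address

# Constructed sample of a received phishing e-mail, including the transport
# headers (Return-Path, Received) that an inline forward would discard.
SUSPICIOUS_RAW = b"""Return-Path: <bounce@example-sender.test>
Received: from mail.example-sender.test (203.0.113.10) by mx.example.test; Thu, 2 May 2024 08:00:00 +0000
From: Poste Support <support@example-sender.test>
To: user@example.test
Subject: IMPORTANTE!
Content-Type: text/plain; charset="utf-8"

Paga 2 EUR per ricevere il pacco: https://example-anomalous.test/pacchetto/1
"""


def forward_as_attachment(original_raw: bytes, reporter: str, mailbox: str,
                          subject: str = "Possible phishing page to verify") -> bytes:
    """Build the report: a short note plus the original as an .eml attachment."""
    original = message_from_bytes(original_raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = mailbox
    report["Subject"] = subject
    report.set_content("Suspicious e-mail attached unchanged for analysis.")
    # Passing a Message object yields a message/rfc822 part: the original is
    # embedded verbatim, all of its headers included.
    report.add_attachment(original, filename="suspicious.eml")
    return report.as_bytes()


def attached_original(report_raw: bytes):
    """Parse a report and return the embedded original message, or None."""
    report = message_from_bytes(report_raw, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


if __name__ == "__main__":
    raw_report = forward_as_attachment(SUSPICIOUS_RAW, REPORTER, ANALYSIS_MAILBOX)
    inner = attached_original(raw_report)
    print("embedded From:", inner["From"])
    print("Received header preserved:", inner["Received"] is not None)
```

Saving `forward_as_attachment(...)` to a file with a `.eml` extension produces exactly the kind of external file that step 2 asks for; the analysis side can read the original back with `attached_original()` and still see the full header chain.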


TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
If information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: