06/08/2024
14:50

Phishing: the most common credential and/or data theft attempts in AUGUST 2024.


Find out the most common phishing attempts you might encounter, and how to avoid them.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in August 2024:

30/08/2024 => Poste Italiane
28/08/2024 => Mediaworld
28/08/2024 => Amazon
22/08/2024 => Banca Popolare di Sondrio
16/08/2024 => Aruba - Verifica password (Password verification)
14/08/2024 => WalletConnect
12/08/2024 => BBVA
10/08/2024 => Nexi
08/08/2024 => Smishing Istituto di Credito (Credit Institution)
08/08/2024 => Account di Posta Elettronica (Email Account)
07/08/2024 => Europages
06/08/2024 => Esselunga
06/08/2024 => Mooney
06/08/2024 => Aruba - Fattura non pagata (Unpaid invoice)
05/08/2024 => Smishing - "Mamma ho perso il telefono" (Mum I lost my phone)

These emails are intended to trick the unfortunate recipient into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.


August 30, 2024 ==> Phishing PosteItaliane

SUBJECT: <Important: Activate the new security system> (Important: Activate the new security system)

This month we again find a phishing attempt spread through a fake PosteItaliane communication announcing a new security system.

[Image: fake PosteItaliane e-mail informing the recipient that the new security system must be activated; in reality it is a SCAM!]
The message, shown alongside, informs PosteItaliane customers who own Postepay cards that they need to activate the new web security system to ensure greater security and reliability for transactions. Without the activation of the security system they will not be able to use their card. The activation process takes only 3 minutes, through the following link:

Clicca qui (Click here)

The message seems to come from PosteItaliane, but the e-mail is rather generic and is addressed to an unspecified "Dear Customer". Moreover, the sender address <postepay[at]servizio-poste-italiane[dot]com> clearly does not belong to the official PosteItaliane domain. The purpose, of course, is to lead the user to click on the proposed link and enter his/her data, which will be stolen.
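The check made above (does the sender address or the linked host actually sit on the brand's official domain, or does it merely contain the brand name?) is one that can be automated. The following Python script is an added example written for this bulletin, not TG Soft's code: it refangs the defanged indicators quoted on this page ([at], (at), [dot], [.] and [:]), extracts the host, reduces it to a registrable domain and compares it with an allow-list of official brand domains. The allow-list (poste.it, nexi.it, aruba.it) is my assumption and should be replaced with the domains each brand publishes; the two-label domain reduction is a deliberate simplification noted in the code.

```python
import re
from urllib.parse import urlsplit

# Defanging conventions used in this bulletin: [at] (at) [dot] (dot) [:] [.]
# (surrounding whitespace is tolerated, e.g. "srv218455[.] hoster-test[.]ru").
_DEFANG = [
    (re.compile(r"\s*[\[(]at[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]dot[\])]\s*", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\s*\[\.\]\s*"), "."),
]


def refang(indicator: str) -> str:
    """Turn a defanged e-mail address or URL back into its real form."""
    s = indicator.strip().strip("<>")
    for pattern, repl in _DEFANG:
        s = pattern.sub(repl, s)
    return s


def extract_host(indicator: str) -> str:
    """Return the host of a (defanged) e-mail address or URL, lower-cased."""
    s = refang(indicator)
    if "://" in s:
        host = urlsplit(s).hostname or ""
    elif "@" in s:
        host = s.rsplit("@", 1)[1]
    else:
        host = s
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Good enough for the TLDs quoted on this page (.com, .info, .ru, .me,
    .sbs); for country-code second-level domains such as .co.uk use a
    Public Suffix List library instead.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Assumed official domains per brand: my allow-list, not taken from the
# bulletin. Replace with the domains each brand publishes.
OFFICIAL_DOMAINS = {
    "poste": {"poste.it"},
    "nexi": {"nexi.it"},
    "aruba": {"aruba.it"},
}


def classify(indicator: str, brand: str) -> str:
    """Classify a sender address or link against the brand it claims to be.

    'official'  - registrable domain is on the brand's allow-list
    'lookalike' - not official, but the brand name appears in the host
    'unrelated' - not official and the brand name is absent
    """
    host = extract_host(indicator)
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS.get(brand, set()):
        return "official"
    if brand in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Indicators quoted in this bulletin, paired with the brand they impersonate.
    samples = [
        ("<postepay[at]servizio-poste-italiane[dot]com>", "poste"),
        ("<service(dot)customers(at)nexi-it-contact(dot)info>", "nexi"),
        (" https[:]//srv218455[.] hoster-test[.]ru/sec/index....", "aruba"),
    ]
    for indicator, brand in samples:
        print(f"{extract_host(indicator):40} {brand:6} -> {classify(indicator, brand)}")
```

A "lookalike" verdict is the case this bulletin keeps pointing out: the brand name is present in the host precisely to reassure the reader, while the registrable domain belongs to someone else.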
 
[Image: fake PosteItaliane page simulating the login page to the personal area; in reality it is a SCAM!]
The link in the message directs us to a web page that is supposed to simulate the official PosteItaliane website. Although the page may be misleading because of the well-known PosteItaliane logo, the URL in the browser's address bar is anomalous and cannot be traced back to PosteItaliane:

<<https[:]//verificacion-*****[.]com/IT-M0MS5/Italia...>>

To conclude, we always urge you to be wary of any e-mail that asks you to enter confidential data, and to avoid clicking on suspicious links, which could lead to a counterfeit site that is difficult to distinguish from the original one. In this way your most valuable data end up in the hands of cyber crooks and can be used at will.


August 28, 2024 ==> Phishing MediaWorld

Below we analyze some scam attempts that, posing as MediaWorld messages, spread massively through social networks.
This time, after Amazon's wave of extraordinary offers, we have a new ''tsunami'' of unmissable promotions. Below are 2 examples of different messages with the same goal: simulating a must-have opportunity for the user.
''...get the powerful JBL Flip 6 speaker for only €2''
''PS5 for only €2 in our store!''
To obtain the prize(s), we first have to fill out a quick and easy survey, answering only 4 questions.
Certainly this phishing is a real decoy for many inexperienced users.
Clearly MediaWorld is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.
Example no. 1
Example no. 2

At first we notice that the images are graphically misleading and, to add credibility to the message, there are also numerous comments from customers who appear to have already participated in the survey. These are all reassuring testimonials/feedback about the actual delivery of the winnings and the truthfulness of the message.
Surely if so many users were lucky why not try your luck by filling out a simple survey?!
When we then try to click on ''Scopri di più''/''Ordina subito'' (Find out more/Order now), this is what happens:

[Image: survey that would let you win a prize... but in reality it is a SCAM!]
We are redirected to a landing page that, although graphically well done, with misleading images, does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous web page, which has no connection with MediaWorld:

[NomeDominioFake*].info

*NomeDominioFake (FakeDomainName) is a domain that simulates a known brand domain or is a randomly named domain.
The cyber criminals masterminding the scam try to induce the user to finish the survey quickly by making him/her believe that only a few people can win and that the gifts are about to run out. There is also a countdown timer at the bottom of the screen (1 minute 19 seconds) which, however, if it runs out - as we simulated - starts over immediately... a rather strange thing. In addition, it seems that only 10 lucky people will be selected to obtain the prize.

At the end of the survey that involved answering 4 extremely general questions, a simple game is proposed to try our luck:
we have 3 attempts to find the prize inside some gift packages....

But how lucky we are!
[Image: survey that would let you win a prize... but in reality it is a SCAM!]
After 2 attempts we made it: we managed to get the prize....
Too bad it's not over yet.

[Image: authentication form that would let you win a prize... but in reality it is a SCAM!]
Here's the surprise: as highlighted in the image, winning is conditional on paying shipping costs of €2.
To push the user to finish quickly, the cart remains reserved for a short time (08:52 minutes).
Since the purpose of the cyber criminals is to induce the victim to enter his/her sensitive data, we expect a request for credit card information to cover the shipping charges, however modest.
The page shown for entering our personal data is hosted on a different address/domain from the previous one, but still a suspicious one:

[NomeDominioFake*].com


To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. If you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.



August 28, 2024  ==> Phishing AMAZON

Below we analyze some scam attempts that, posing as Amazon messages, spread massively through social networks.
This is an apparent ''storm'' of unmissable offers. Here is the promotional message: ''Due to overstocking, Amazon is giving away laptops with slight scratches...'' To get the prize - specifically HP laptops or MacBook PRO - the lucky user only has to answer 4 questions... or at least that's what it seems.
Certainly this phishing is a real decoy for many inexperienced users.
Clearly Amazon is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.



Example no. 1
Example no. 2
Example no. 3

At first we notice that the images are graphically misleading and, to add credibility to the message, there are also many comments from customers who appear to have already participated in the survey. These are all reassuring testimonials/feedback about the actual delivery of the winnings and the truthfulness of the message.
Surely if so many users were lucky why not try your luck by filling out a simple survey?!
When we then try to click on ''Request Now'', this is what happens:

[Image: survey that would let you win a prize... but in reality it is a SCAM!]
We are redirected to a landing page that, although graphically well done (with misleading images and the authentic Amazon logo), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous web page, which has no connection with Amazon:

[NomeDominioFake*].info

*NomeDominioFake (FakeDomainName) is a domain that simulates a known brand domain or is a randomly named domain.
The cyber criminals masterminding the scam try to induce the user to finish the survey quickly by making him/her believe that only a few people can win and that the gifts are about to run out. There is also a countdown timer at the bottom of the screen which, however, if it runs out - as we simulated - starts over immediately. This is a rather strange thing.

[Image: survey that would let you win a prize... but in reality it is a SCAM!]
Now it seems only necessary to enjoy a simple little game to try our luck:
we have 3 attempts to find the laptop inside some gift packages..

But how lucky we are...
After 2 attempts we made it: we managed to get the prize..
Too bad it's not over yet.

[Image: authentication form that would let you win a prize... but in reality it is a SCAM!]
Here's the surprise: as highlighted in the image, winning is conditional on paying shipping costs of Euro 1.95.

The purpose of the cyber criminals is to induce the victim to enter his/her sensitive data. Therefore we can expect that, in order to pay the shipping costs, however low, we will be required to enter credit card information.

The page to which we are redirected to enter our personal data is again hosted on an anomalous address/domain, shown below:

[NomeDominioFake*].info

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. If you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.




August 22, 2024 ==> Phishing Banca Popolare di Sondrio

SUBJECT:  <SCRIGNObps - Notifica di Sospensione> (SCRIGNObps - Suspension Notification)
 
[Image: fake Banca Popolare di Sondrio e-mail that tries to steal the recipient's account data]
The short message, which seems to come from Banca Popolare di Sondrio, informs the recipient that his/her account has been temporarily suspended because some information has not been updated.
"Fortunately", to restore access to the home banking account and all related services, he/she simply has to update the required information by clicking on the following link:

Aggiorna Informazioni (Update Information)


Clearly, Banca Popolare di Sondrio is unrelated to the mass sending of these e-mails, which are scams whose goal remains, as always, to steal the home banking login credentials and/or money of the unsuspecting recipient.

Although the cyber-criminal has inserted credible graphics and simulated the Bank's official address, there are some suspicious clues. In fact the text is generic and gives no elements as to the type of information to be updated and, in addition, home banking credentials are requested using a link sent via e-mail.

Anyone who unluckily clicks on the Aggiorna Informazioni (Update Information) link will be redirected to a malicious WEB page, which is unrelated to the Banca Popolare di Sondrio's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber criminals whose goal is to get hold of your home banking login information in order to use it for criminal purposes and/or to transfer funds.

We always urge you to pay attention to even the smallest details and not to enter your personal information and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks.



 

August 16, 2024 ==> Phishing Aruba - Verifica password

SUBJECT: <Final Warning - Verifica password> (Final Warning - Password verification)

We find again this month phishing attempts pretending to be communications from the Aruba brand.

[Image: fake Aruba e-mail inducing the user to renew the password; in reality it is a SCAM!]
The message warns the recipient that the password for his/her account on Aruba will expire in 24 hours. To continue using the same password, the user must confirm it by clicking on the following link:

conferma password (confirm password)

If the password is not confirmed, the message adds, the provider will not be responsible for malfunctions.

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

The cybercriminal leaves the victim little time to act, in order to intimidate the user and push him/her to act immediately and without attention, driven by the fear of the account and service being blocked.

Anyone who unluckily clicks on the conferma password (confirm password) link will be redirected to an anomalous WEB page, which is unrelated to the official site of Aruba.

[Image: fake Aruba site asking the user to confirm the password... in reality it is a SCAM!]
On this page the user is prompted to log in to his/her client area entering username and password, so he/she can renew the password and avoid malfunctions or lockouts.

The page requesting the user's credentials is hosted on an anomalous address/domain, which we report below:

https[:]//srv218455[.]hoster-test[.]ru/sec/index....

We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated easily imaginable risks.


August 14, 2024 ==> Phishing WalletConnect

SUBJECT: <Payment notification>
 
Below we analyze the following phishing attempt that comes as a fake communication from WalletConnect, a well-known cryptocurrency management services company.
[Image: fake WalletConnect e-mail that tries to steal the recipient's account data]

The short message, in English, informs the recipient that he/she has been selected for an annual promotion with a cash prize. Unfortunately, in order to obtain the giveaway, the account must first be confirmed through the following link:

Verify wallect


Clearly, the well-known service company WalletConnect is unrelated to the mass sending of these emails, which are real scams whose goal remains, as always, to steal the sensitive data and money of the unsuspecting recipient.

The cyber-criminal had the foresight to simulate the official address of the WalletConnect service, so as to fool an unwary user. However, if we analyze the message more closely, and especially the link, we immediately realize that the destination site cannot be traced back to the official one.

Anyone who unluckily clicks on the Verify wallect link will be redirected to a malicious WEB page, which is unrelated to WalletConnect's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber criminals whose goal is to get hold of cryptocurrency wallet data in order to use it for criminal purposes and/or transfer the funds.

August 12, 2024 ==> Phishing BBVA

SUBJECT: <Banca Online> (Online Bank)

Below we analyze the phishing attempt that comes as a false communication from BBVA, a well-known Spanish multinational banking group.

[Image: fake BBVA e-mail that tries to steal the recipient's account data]
The message informs the recipient that a new message is available and invites him/her to check his/her mailbox, through the following link, for more information.


Clicca qui e accedi al tuo account (Click here and log in to your account)


Clearly, if the recipient of the message is not actually a BBVA customer, the anomaly is even more obvious. In any case, we remind you that under no circumstances do banks require customers to provide personal data - especially home banking login credentials - via SMS or e-mail.

If we analyze the e-mail more closely, we notice right away that the message comes from the address <mail03069(at)couponvantaggiosi(dot)it>, clearly not the official domain of BBVA. It is crucial to always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the Clicca qui e accedi al tuo account (Click here and log in to your account) link will be redirected to a malicious WEB page, which is unrelated to the bank's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber-criminals who want to get hold of your most valuable data in order to use them for illegal purposes.


August 10, 2024 ==> Phishing Nexi

SUBJECT: <Urgente: attivare il nuovo sistema di sicurezza> (Urgent: activate the new security system)

This new phishing attempt pretends to be a communication from Nexi.

[Image: fake NEXI e-mail that tries to steal the unsuspecting recipient's credit card codes]
The message alerts the recipient that if he/she does not activate the new security system by August 12, 2024, he/she will not be able to continue using his/her Nexi card. Without the new security system, which should provide greater security and reliability, no card transactions will be possible. Users can activate the new system through the following link:

Clicca qu (Click here)

We immediately notice that the e-mail is very generic: there is no identifying information about the customer or the linked account. The alert comes from the address <service(dot)customers(at)nexi-it-contact(dot)info>, clearly not Nexi's official domain.

Anyone who unluckily clicks on the Clicca qu (Click here) link will be redirected to a malicious WEB page, which is unrelated to Nexi's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber-criminals who want to get hold of your most valuable data in order to use them for illegal purposes.


August 08, 2024 ==> Smishing Istituto Bancario (Bank)

We analyze below a false communication from a well-known bank, spread through SMS (smishing), a form of phishing that uses mobile phones instead of e-mail.

[Image: fake SMS apparently from a well-known bank, trying to induce the recipient to click on the links and steal the login credentials to his/her current account]
The SMS warns the recipient that a payment of Euro 4,990.00 has been detected and invites him/her to verify it. If he/she does not recognize the payment, he/she must contact the specified phone number "02828****".

Clearly, if the recipient of the text message is not actually a customer of the bank, the anomaly of the message is even more obvious. In any case, we remind you that under no circumstances do banks require customers to provide personal data - especially home banking login credentials - via SMS or e-mail.
The cyber criminals' goal is to lead the user, alarmed by the report of the payment, to call the given number or, more generally, to click on suspicious links.

If in doubt, you should contact the official channels reported on the banking institution's website, and not trust the indications in the suspicious message, since there could be a scammer behind it.

We would also like to point out that banks are warning their customers about these increasingly frequent scams through official messages.
We also recall that communication between the bank and the customer never takes place via text message: it is your bank/dedicated advisor who contacts you.
We reproduce an example of the message sent by the bank/advisor to warn clients of these scam attempts, urging them to exercise caution:

"Good morning, attempts to steal login credentials to various banking apps have been escalating in recent days. They come up with the usual message (usually an SMS) that a strange payment has been requested and that, if it is not due, you should call a number, sometimes a landline, other times a mobile, to block it. They are done quite well; sometimes the Bank's name is not spelled perfectly, or sometimes they switch from "tu" (informal way of addressing) to "lei" (formal way of addressing) or vice versa. It is useless and superfluous for me to tell you never to do what they ask. For any doubt, rather write to your advisor or call the Bank's numbers or send the suspicious message to your advisor or the Bank's official channels, but never do anything! Only your advisor is expected to contact you."


To conclude, we always urge you to be wary of any form that requires you to enter confidential data, unless you are certain of the website's provenance. We also urge you not to click on suspicious links, which could lead to a counterfeit site that is difficult to distinguish from the original, where under no circumstances should you enter your bank account login details, credit card information or other sensitive data. Otherwise you put your most valuable data in the hands of cyber crooks who can use them at will.
 

August 08, 2024 ==> Phishing Account Posta Elettronica

SUBJECT:  <Azione richiesta: La password della tua casella di posta è scaduta 2024 - ****> (Action required: Your mailbox password has expired 2024- ****)

We analyze below a new phishing attempt that aims to steal email account login credentials.

[Image: fake e-mail that tries to induce the recipient to enter the e-mail account login credentials]
The message informs the recipient that his/her e-mail account password is expiring and that a new password will be generated by the system 3 hours after the message is opened. It then invites him/her to continue using the current password, through the following link:

Mantenere la password corrente (Keep current password)

When we analyze the e-mail, we see that the message comes from the address <info[at]qiwipsa[dot]ooguy[dot]com>, which cannot be traced back to the mail server where the account is hosted. This is definitely anomalous and should, at the very least, make us suspicious.

However, if we go ahead and click on the provided link, we will be redirected to a malicious WEB page that has already been flagged as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for illegal purposes.

Given these considerations, we point out that you should NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks, with all the associated, easily imaginable, risks.


August 07, 2024 ==> Phishing EuroPages

SUBJECT: <Friedrich dalla Germania ti ha inviato un messaggio di richiesta relativo al tuo prodotto> (Friedrich from Germany has sent you an inquiry message for your product)

This month we again find the following phishing attempt, which comes as a false communication from EuroPages and aims to steal the login credentials of the victim's account.
[Image: fake EuroPages e-mail that tries to steal the account login credentials]

The message seems to come from EuroPages, the largest international B2B sourcing platform, and notifies the user that a message has been received from a certain "Leonardo Rossi" concerning his or her product listed on EuroPages. It then invites the user to log in to his/her account to view the inquiry, via the following link:


ACCEDI AL MIO ACCOUNT (SIGN IN TO MY ACCOUNT)

When we analyze the e-mail, we find that the message comes from the address <info(at)depramaterieplastiche(dot)it>, which cannot be traced back to the official EuroPages domain. This is definitely anomalous and should, at the very least, make us suspicious.


Anyone who unluckily clicks on the ACCEDI AL MIO ACCOUNT (SIGN IN TO MY ACCOUNT) link will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact, it is run by cyber-criminals who want to get hold of your most valuable data in order to use them for illegal purposes.



August 06, 2024 ==> Phishing ESSELUNGA

SUBJECT: <Notifica di ritardato pagamento. Impossibile consegnare il pacco. ! CcTsw> (Late payment notification. Unable to deliver the package. ! CcTsw)

Below we analyze the following scam attempt hidden behind a false communication from the well-known retail company Esselunga.

[Image: fake e-mail that seems to come from Esselunga, announcing the chance to win a prize... in reality it is a SCAM!]
It is a promotional message that seems to offer an unmissable opportunity. The lucky user has been selected to take part in the ongoing monthly promotion through a survey that will allow him/her to win a prize: a Tupperware Modular Mates set... or so it seems.
Certainly this phishing is a real decoy for many inexperienced users.
Clearly Esselunga is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.

When we analyze the e-mail, we notice that the message comes from the address <fabiano(dot)iacuzzi[at]mst-techsrl[dot]com>, which cannot be traced back to the official domain of Esselunga. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
 
[Image: fake ESSELUNGA site inviting the user to take a survey to win a prize... but in reality it is a SCAM!]
We are redirected to a landing page that, although graphically well designed (with misleading images and the authentic Esselunga logo), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:

https[:]/quickblended[.]sbs/ijyv/etna.....

which has no connection with Esselunga.
The cyber criminals masterminding the scam try to induce the user to finish the survey quickly by making him/her believe that only a few people can win and that the offer expires within the day. There is also a countdown timer at the bottom of the screen which, however, if it runs out - as we simulated - starts over immediately. This is a rather strange thing.

When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are directed to the next screens, where we are asked to answer 8 questions.
Here is specifically question 1/8. These are very general questions about the degree of satisfaction with the services offered by ESSELUNGA and about consumers' daily habits. Here, too, there is a countdown to prompt the user to finish the process quickly and obtain the award.
[Image: survey that would let you win a prize... but in reality it is a SCAM!]
At the end of the survey we can finally claim our prize: a  Tupperware Set Modular Mates that would be worth 79,99 Euros but costs us 0. We only have to pay shipping costs, which are supposed to be small.
But let's hurry. There seem to be only 4 left in stock..
[Image: survey that would let you win a prize... but in reality it is a SCAM!]

''Congratulazioni! Abbiamo riservato (1) 36 Piece Tupperware Modular Set esclusivamente per te.''
(Congratulations! We have reserved (1) 36 Piece Tupperware Modular Set exclusively for you.)


Here we go: in fact, all we need to do is to enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....

[Image: fake ESSELUNGA site showing the instructions for receiving the prize...]
To give more credibility, many comments from customers who supposedly participated in the survey, have been reported. These are all confirming testimonials/feedback about the actual delivery of the winnings, ensuring that it is not really a scam.....
Surely if so many users were lucky why not try your luck?!
[Image: fake ESSELUNGA site asking the user to enter personal data to receive the fantastic prize... but in reality it is a SCAM!]
Then, when we click on Continua (Continue), we are sent to a further page to enter our shipping address and pay the shipping costs. As we can see from the image alongside, the cybercriminals try to trick the unfortunate person into entering sensitive data in order to ship the prize. Most likely, credit card information will also be requested later for the payment of the shipping costs.
The page to which we are redirected to enter our personal data is hosted on yet another anomalous address/domain, which we report below:

https[:]//recurring[.]sbs/c/D0UHqh.....


To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. If you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.


August 06, 2024 ==> Phishing Mooney

SUBJECT: <Avvertimento !> (Warning !)
 
Below we analyze the following phishing attempt, which comes as a false communication from Mooney, the Italian Proximity Banking & Payments company.

[Image: fake e-mail from Mooney, the online payment system, that tries to steal the recipient's sensitive data]
The message informs the recipient that his/her account has been temporarily locked for security reasons.
It then invites him/her to update his/her profile and confirm his/her data, following the security steps specified through the following link:

ACCEDI E ORA (LOGIN AND NOW)

The Italian online payment company Mooney is clearly uninvolved in the mass sending of these emails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

Analyzing the message, we notice right away that it comes from the address <rosalia(dot)deleon(at)bioteksa(dot)com>, which cannot be traced back to Mooney's domain, although the cybercriminal had the foresight to include the company's well-known logo. Let's always be very careful before clicking on suspicious links.

Anyone who unluckily clicks on the ACCEDI E ORA (LOGIN AND NOW) link will be redirected to the page displayed.
[Image: fake Mooney site asking the user to log in to his/her account... in reality it is a SCAM!]
As we can see, the landing page graphically simulates the official Mooney page, and this could mislead a user in a hurry to secure his/her account.
Although haste and fear of account suspension may prompt users to enter their login information, if we look at the URL in the browser's address bar we can see that the login form is not on Mooney's official domain:

http[:]//hry[.]hzh[.]mybluehost[.]me/zodan/bonifico/38f5c74da9aaed2fcc54/

Therefore, we urge you to remember that, in case of these attempts at computer fraud, you need to pay attention to every detail, even trivial ones.
If you enter the requested data, in this case your credit card details specifically, these will be delivered to the cyber criminals masterminding the scam who will use them for criminal purposes.



August 06, 2024 ==> Phishing Aruba - Fattura non pagata (Unpaid invoice)

SUBJECT: <fattura non pagata #ARUBA1628542> (Unpaid invoice #ARUBA1628542)

We find again this month phishing attempts pretending to be communications from the Aruba brand.

[Image: the fake Aruba e-mail inducing the user to renew his/her domain, but in reality it is a SCAM!]
The message warns the recipient that his/her domain hosted on Aruba, linked to his/her e-mail account, will expire on 08/07/2024. Therefore, to renew all his services already in use, the user must complete the order and choose the most convenient payment method. If he/she does not complete the payment, all services linked to his account will be deactivated, including email accounts, so he/she will no longer be able to receive and send messages.
It then invites the user to log in to complete the payment, via the following link:

RINNOVA CON UN CLIC (RENEW WITH A CLICK)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address <belbala1(at)gommautorecco(dot)it> is not from Aruba's official domain.
An expiration date of 07/08/2024 is given to induce the victim to renew his or her mailbox in a timely manner. Since the email was delivered the day before, there is not much time to renew and prevent services from being deactivated. The technique of stating a deadline to conclude the procedure is intended to push the user to act immediately and without much thought, driven by the fear of his/her e-mail account being deactivated.

Anyone who unluckily clicks on the RINNOVA CON UN CLIC (RENEW WITH A CLICK) link, will be redirected to the displayed page.

[Image: the fake Aruba site asking for payment of the domain renewal... in reality it is a SCAM!]
On this page the user is invited to access his/her client area by entering his/her login and password so that he/she can renew the domain and avoid the block of services.

Although the site may be misleading in that the familiar Aruba logo has been included, we see that the URL in the browser's address bar is anomalous and not traceable to the official domain of Aruba:

https[:]//accountid7278info[.]org/netfrediar/login[.]php

If you enter the requested data, these will be delivered to the cyber criminals masterminding the scam who will use them for criminal purposes. Therefore, we urge you to remember that, in case of these attempts at computer fraud, you need to pay attention to every detail, even trivial ones.
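The two checks described in the Mooney and Aruba sections above (sender address off the brand's domain, login form on an unrelated host) can be applied by anyone triaging reported e-mails. The script below is an added example, not part of TG Soft's bulletin: it refangs the indicators exactly as quoted above and compares the registrable domains against an allowlist of official brand domains, where the allowlists (mooney.it, aruba.it) and the "last two labels" domain approximation are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Undo the defanging notation used in this bulletin: (at), (dot), [.], [:]
def refang(ioc: str) -> str:
    return (ioc.replace("(at)", "@").replace("(dot)", ".")
               .replace("[.]", ".").replace("[:]", ":"))

# Registrable domain approximated as the last two labels (assumption:
# no multi-label public suffixes such as co.uk among the inputs).
def registrable_domain(host: str) -> str:
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(address: str) -> str:
    """Registrable domain of a (possibly defanged) e-mail address."""
    return registrable_domain(refang(address).rsplit("@", 1)[-1])

def landing_domain(url: str) -> str:
    """Registrable domain of the host in a (possibly defanged) URL."""
    clean = refang(url)
    host = urlsplit(clean).hostname or clean.split("/", 1)[0]
    return registrable_domain(host)

def triage(brand: str, official: set, sender: str, url: str) -> dict:
    """Flag a reported message whose sender or landing page is off-brand."""
    sd, ld = sender_domain(sender), landing_domain(url)
    findings = []
    if sd not in official:
        findings.append(f"sender domain {sd} is not an official {brand} domain")
    if ld not in official:
        findings.append(f"landing page on {ld} is not an official {brand} domain")
    return {"brand": brand, "sender_domain": sd, "landing_domain": ld,
            "suspicious": bool(findings), "findings": findings}

# Indicators quoted in the Mooney and Aruba sections; the allowlists of
# official domains are assumptions made for this illustration.
SAMPLES = [
    ("Mooney", {"mooney.it"}, "rosalia(dot)deleon(at)bioteksa(dot)com",
     "http[:]//hry[.]hzh[.]mybluehost[.]me/zodan/bonifico/38f5c74da9aaed2fcc54/"),
    ("Aruba", {"aruba.it"}, "belbala1(at)gommautorecco(dot)it",
     "https[:]//accountid7278info[.]org/netfrediar/login[.]php"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(*sample)
        print(result["brand"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for line in result["findings"]:
            print("  -", line)
```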




August 06, 2024 ==> Smishing "Mamma ho perso il telefono" (Mum I lost my phone)

We analyse below the attempt at SMS SCAM that hides behind a request for help from a supposed family member.

[Image: the fake SMS from a supposed family member that tries to get the recipient to click on the link and start a conversation aimed at stealing money...]
If you receive a text message from an alleged family member who sends you his/her new phone number - because his/her has been lost/stolen/ or is not working - via a link, be very careful and do not get scammed!

This type of fraud has already been reported several times on the web. The cybercriminal tries to start a conversation with the victim, making him or her believe that his or her family member is in an emergency situation and needs financial help. The goal, then, is to steal sums of money.


What to do if you receive this SMS?

Below is the text of the SMS:
"Mum it's me I've lost my phone,this is a new number you can save it and write me on whatsapp? https://wa.me./344******"
The first thing to do, if you are suspicious, is to check that the phone number of your family member in your possession is working and try to contact him/her also through other channels such as social media.

In these situations, it is crucial to be very careful, avoid haste, always check the sender, and block the sender or ignore the message. In any case, you shouldn't click on suspicious links if you are not sure of their origin.

 

A little attention and a careful look can save a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, with every resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
 
We invite you to check the following information on phishing techniques for more details:

04/07/2024 17:22 - Phishing: the most common credential and/or data theft attempts in July 2024.
03/06/2024 17:22 - Phishing: the most common credential and/or data theft attempts in June 2024.
03/05/2024 11:56 - Phishing: the most common credential and/or data theft attempts in May 2024.
03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024.
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024.
06/02/2024 08:55 - Phishing: the most common credential and/or data theft attempts in February 2024.
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in January 2024.
11/12/2023 09:39 - Phishing: the most common credential and/or data theft attempts in December 2023.
03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023.
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023.
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023.
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023.
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023.

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.;
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

[Image: VirIT Mobile Security, TG Soft's Anti-Malware for Android(TM)]

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

 

You can upgrade to the PRO version by purchasing it directly from our website => click here to order



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail client to the following address, lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering "Possible phishing page to verify" (or "Possible Malware to verify") in the subject line;
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: