PHISHING INDEX
Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in December 2024:
30/12/2024 => PayPal
29/12/2024 => DHL
19/12/2024 => Aruba - Verifica i dati di rinnovo del tuo dominio (Check the renewal details for your domain)
19/12/2024 => Docusign
18/12/2024 => Leroy Merlin
13/12/2024 => Coop
12/12/2024 => Webmail
10/12/2024 => Banca Sella
09/12/2024 => SCAM Polizia di Stato
07/12/2024 => Metamask
03/12/2024 => Leroy Merlin
These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible, easily imaginable, consequences.
December 30, 2024 ==> Phishing PayPal
SUBJECT: <Verifica del tuo indirizzo email per l'attivazione dell'account> (Verification of your email address for account activation)
We analyze below a new phishing attempt aimed at stealing PayPal account login credentials; PayPal is the well-known U.S. digital payments company.
The message asks the recipient to verify his/her e-mail address to fully activate his/her account. This step ensures that the contact information is up-to-date and allows the user to receive all important notifications. It then invites him/her to confirm his/her e-mail address through the following link:
Verifica e-mail (Email verification)
When we analyze the message, we see that it comes from the address <niama(dot)damma(at)hotmail(dot)com>, a free webmail account with no connection to PayPal's official domain. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the Verifica e-mail (Email verification) link will be presented with the image shown at the side.
As we can see, we are redirected to a site that graphically simulates the PayPal login page. However, the page is hosted on an anomalous address/domain: the address bar, not the logo, is what tells us where the login form really lives.
Based on these considerations, we point out that you should NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
December 29, 2024 ==> Phishing DHL
SUBJECT: <Avviso: informazioni sulla consegna> (Notice: delivery information)
Below is a new phishing attempt, hiding behind a false communication from DHL, concerning the delivery of a package.
The message notifies the unsuspecting recipient that his/her shipment is on hold due to the lack of some information needed for delivery. The request, apparently from the DHL courier (named in the text and at the bottom of the email, but unrelated to this false communication), concerns a shipment from "spartoo BUSINESS". The recipient is asked to:
- Completa il tuo indirizzo (Complete your address)
- Pagare le spese di spedizione (Pay shipping costs)
through the following link:
Invia il mio pacco (Send my package)
The alert email comes from an email address <sustem(at)sent-via(dot)netsuite(dot)com>, a third-party sending service unrelated to the domain of DHL. This is definitely anomalous and should, at the very least, make us suspicious. Note that a message relayed through a legitimate third-party service can pass SPF and DKIM checks for that service's own domain; those checks say nothing about whether the message really comes from DHL.
When we click on the link, we are redirected to a page that graphically simulates a DHL page.
When we complete the reCAPTCHA, a page appears saying that the shipment is pending and showing order data such as order number, actual weight and volumetric weight. A CAPTCHA gate of this kind also serves the attacker in a second way: it stops automated URL scanners from reaching the form behind it.
We are then directed to the page shown on the side, where we are prompted to enter our information to complete the shipment.
The purpose of the phishing is to prompt the user to enter his/her personal data. On the side we show in detail the screenshot of the registration form.
To conclude, we always urge you to be wary of any email that asks you to enter confidential data, and to avoid clicking on suspicious links that could lead to a counterfeit site hardly distinguishable from the original one. In fact, if you enter your data, it will be delivered to cyber crooks who can use it at will.
December 19, 2024 ==> Phishing Aruba - Verifica i dati di rinnovo del tuo dominio (Check the renewal details for your domain)
SUBJECT: <Verifica i dati di rinnovo del tuo dominio> (Check the renewal details for your domain)
Phishing attempts claiming to be communications from the Aruba brand continue.
The message informs the recipient that his/her domain hosted on Aruba has already expired and that the service has, exceptionally, been kept active. To avoid service suspension and keep the domain active, the user must promptly pay Euro 5.99.
To do so, he/she has to click the following link:
Rinnova adesso (Renew now)
Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
When we analyze the text of the message, we notice right away that the sender's e-mail address <fav3[at]you2[dot]pl> is not from Aruba's official domain.
To induce the victim to renew promptly, the scammers make the user believe that Aruba has exceptionally kept the domain active despite the fact that it has already expired. Therefore, there is not much time to renew and prevent the deactivation of services. This is intended to prompt the user to act immediately and without much thought, out of fear of losing the domain and the e-mail boxes tied to it.
Anyone who unluckily clicks on the Rinnova adesso (Renew now) link will be redirected to the displayed page.
As we can see, the landing page, contrary to what one would expect, does not lead to the RESERVED AREA login form of Aruba but hosts an online payment form that appears to rely on the Banca Sella circuit. Here you are directly prompted to enter your credit card information to complete the payment of the modest sum of Euro 5.99...
Although haste and fear of losing the domain may push the user to quickly complete the transaction, the URL of the page shows that the payment form is not on the official domain of Aruba or even Banca Sella. The small amount is part of the trick: what the scammers are after is the full card data, not the 5.99 Euro.
Therefore, we urge you not to be in a hurry and to know that in the event of these cyber fraud attempts, it is necessary to pay attention to every detail, even trivial ones.
If you enter the requested data, specifically credit card details, it will be delivered to the cyber criminals masterminding the scam, who will use it for criminal purposes.
December 19, 2024 ==> Phishing Docusign
SUBJECT: <Review Document : Kindly sign : fllename [sic] Paymentinstruction-EFT - 19/12/2024 19:14:56 Contact - **** ->
We analyze below a new phishing attempt aimed at stealing account login credentials under the guise of Docusign, the American software company that provides electronic signature products.
The message, in English, informs the recipient that a new document is available to be digitally signed, by accessing his/her account. It then invites him/her to download the document for viewing and signing through the following link:
View in DocuSign
When we analyze the email, we see that the message comes from an email address <businessservices(at)intuit(dot)com> that could be misleading, since it belongs to a real company, but is not from the domain of Docusign. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the View in DocuSign link will be presented with the screen shown in the side image.
As we can see, the user is redirected to a site unrelated to Docusign which graphically simulates the Microsoft account login page. Whatever is typed there is therefore the victim's Microsoft account credentials, not a DocuSign login, and those open far more than one signed document. This is definitely anomalous.
Based on these considerations, we point out that you should NEVER enter your credentials on sites you are not familiar with, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
December 13, 2024 ==> Phishing Coop
Below we analyze the following scam attempt concealed behind a false communication of unexpected winnings and spreading through social media.
This is a promotional message announcing the winning of a shopping voucher. According to the message, the user seems to have been randomly selected among the possible winners...or at least that's what it looks like.
Certainly for many inexperienced users this phishing is a real decoy.
Besides, the holiday season is just around the corner, and a shopping voucher would really be helpful given the countless lunches and dinners coming up...
Clearly, any supermarket chain (in this case, it seems to be Coop) is unrelated to the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.
First of all, the landing page where we are redirected when we click on the CLICCA QUI (CLICK HERE) link, although graphically well designed (with misleading images and the authentic logo of Coop), does not seem trustworthy at all.
To win a Coop store card worth 250 € we just need to take part in a simple game: guess which of 4 envelopes holds the shopping voucher.
We notice right away that we are on a page with a very anomalous address/domain and no connection to Coop.
According to the instructions we have 3 attempts to find the shopping voucher among only 4 envelopes, so the odds look very generous. The game exists only to carry the victim to the next step.
Oops, the first attempt failed.
How lucky we are! On our second attempt we made it: we managed to get the Coop voucher worth 250 €.
But that's not the end of the story; new instructions are provided to complete the win.
Here's the surprise: as highlighted in the image, winning is contingent on entering your personal information on an authentication form for "registration".
The form web page is hosted on an anomalous URL that, while different from the previous one, is still suspicious and not traceable to Coop.
To conclude, we always urge you to be wary of any message requesting the entry of confidential data, even if prizes or coupons are up for grabs, and to avoid clicking on suspicious links. These links could lead to a counterfeit site difficult to distinguish from the original one, and thus deliver your most valuable data to cyber crooks who can use it at will.
December 12, 2024 ==> Phishing Webmail
SUBJECT: <xxxxxx.com mail status notification> (xxxxxx.com stands for the recipient's own mail domain, masked here)
We analyze below a phishing attempt that aims to steal the victim's e-mail account credentials.
The message informs the recipient that, due to system update problems, some messages have not been delivered to his/her mailbox. It then invites him/her to click on the following link, in which the recipient's own mail domain is inserted so that it resembles the familiar webmail address:
Webmail[dot]<maildomain>[dot]com/settings/manage/emails
When we analyze the email, we see that the message comes from an email address <bounce[at]ns3157298[dot]ip-51-91-130[dot]eu>, a bare server hostname not traceable to the server hosting the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which simulates the mailbox login page.
This page prompts the user to enter his or her email address and password to unblock the messages. However, the page is hosted on an anomalous address/domain, which we report below:
https[:]//[FakeDomainName*].com/.....
Because both the link and the fake page are built around the victim's own domain name, the only reliable check is the full hostname in the address bar: what comes after the familiar name decides which server really receives the password.
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
December 10, 2024 ==> Phishing Banca Sella
SUBJECT: <Attiva il servizio MyKey per continuare a utilizzare la tua carta senza interruzioni> (Activate the MyKey service to continue using your card without interruption)
We find again this month the phishing campaign that, exploiting stolen graphics, or graphics similar to Banca SELLA's, passes itself off as an official communication from the bank. The purpose is to induce the unsuspecting recipient to do as requested and fall into this trap based on social engineering techniques.
The message informs the recipient that, in order to ensure maximum protection of his/her credit card, he/she will have to activate the MyKey security service. As of 12/12/2024, in fact, his/her card will be restricted and he/she will no longer be able to make payments until the service is activated.
The recipient is then asked to log in to his/her bank and activate the MyKey service through the following link:
ACCEDI (LOGIN)
When we analyze the email, we notice right away that the alert message comes from an email address <sys6(at)progettoelisir(dot)it> not traceable to the domain of Banca SELLA.
This is definitely anomalous and should make us suspicious, even though the cybercriminal had the graphic foresight to include the well-known logo of the bank, which could mislead an inexperienced user.
The purpose of the email is to lead the recipient to click on the ACCEDI (LOGIN) link which, we would like to point out, redirects to a page that is unrelated to the official website of Banca SELLA and has already been reported as a deceptive PAGE/SITE. In fact, it is run by cyber criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.
December 9, 2024 ==> SCAM Polizia di Stato (State Police scam)
SUBJECT: <Fwd: Convocazione / Giustizia> (Convocation / Justice)
We examine below a SCAM attempt consisting of a false summons for child pornography, sent by email in the name of "Mr. Lamberto Giannini, Chief of Police and Director General of Public Security".
The message, which comes from an extremely suspicious address <paco[dot]jimenezgonzalez[at]alum[dot]uca[dot]es> on a Spanish university's alumni domain, contains only a .pdf file called <MANDATO-(1)> (WARRANT-(1)). The attachment, which we see below, is graphically misleading and appears to be signed by Mr. Lamberto Giannini himself. It contains a judicial summons against the recipient for child pornography, pedophilia, exhibitionism and cyber pornography, for allegedly visiting child pornography sites.
This is an attempted scam by cyber criminals to extort a sum of money as a financial penalty. In fact, the message states the following:
"We ask that you make your case known via e-mail, writing your justifications so that they can be reviewed and verified to assess sanctions; this must be done within a strict deadline of 72 hours."
If the "offender" fails to respond within 72 hours, a warrant will supposedly be issued with immediate arrest by the postal or municipal police and subsequent entry in the national sex offender registry.
The judicial summons is definitely false: it is not addressed to a specific person and the document carries a suspicious stamp. The request to reply by e-mail is the hook: whoever answers confirms a live mailbox and a frightened recipient, and the demand for the "sanction" follows.
Clearly this is a scam attempt with the purpose of stealing sensitive user data and extorting sums of money.
December 7, 2024 ==> Phishing MetaMask
SUBJECT: <Notifica Urgente: Aggiornamento dell'Account Metamask> (Urgent Notification: Metamask Account Update)
We analyze below a new phishing attempt aimed at stealing the credentials of the victim's cryptocurrency wallet, run on MetaMask, a San Francisco-based company.
MetaMask is a cryptocurrency software wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet via a browser extension or mobile app.
The message that we analyze below informs the recipient that unusual activity has been detected on his or her MetaMask account. Therefore, to ensure security, he/she should verify the information as soon as possible by clicking on the following link:
Verifica il tuo account (Verify your account)
When we analyze the e-mail we see that the message comes from a highly suspicious e-mail address <ar1[at]eventilaville[dot]com>, not traceable to the official domain of MetaMask. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the Verifica il tuo account (Verify your account) link will be redirected to an anomalous WEB page, unrelated to the official website of MetaMask.
It could nevertheless be misleading, since it includes the MetaMask logo, but it is hosted on an anomalous address/domain. Keep in mind that MetaMask is a self-custody wallet: there is no "account" on MetaMask's side to verify, the wallet lives in the extension or app, and a recovery phrase given away on a web form cannot be revoked afterwards.
To conclude, we always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
December 3 - 18, 2024 ==> Phishing Leroy Merlin
Below we analyze the following scam attempts hidden behind a false communication from Leroy Merlin, the well-known home-improvement retail chain.
We report 2 examples, graphically and textually different but with the same goal of proposing an unmissable opportunity.
In the first case the lucky user has been selected to win a prize through a survey: a 108-piece Dexter tool set... or so it seems.
In the second example the recipient is asked to click on the proposed link to consider the benefits of the Dexter tool set.
Example no. 1
SUBJECT: <A ve te v in t o u n s et d i ut ens ili D e xt er d a 10 8 p ezzi>
(Y o u h a ve w o n a 10 8-p ie c e D e xt er to ol s e t)
The spaces scattered through the subject are in the original message: breaking the words up this way is a common trick to slip past keyword-based spam filters while the text still reads at a glance.
Example no. 2
SUBJECT: <Buone notizie> (Good news)
Certainly behind these messages there is a real decoy for many inexperienced users.
Leroy Merlin is clearly uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient. So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.
When we analyze the emails, we notice that the messages come from email addresses <tara[_]naughton[_]l79073[at]7liwasa[dot]onmicrosoft[dot]com> and <infos[at]analpic[dot]com>, not traceable to the official domain of Leroy Merlin (an onmicrosoft.com address is the default domain assigned to any Microsoft 365 tenant, so it says nothing about who is behind it). This is definitely anomalous and should, at the very least, make us suspicious. If we nevertheless go ahead and click on the links provided, Partecipa al sondaggio ora (Join the survey now) and Scopri di più (Find out more), here is what happens:
we are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of Leroy Merlin), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:
[FakeDomainName*]...
*FakeDomainName is a domain that simulates a known brand domain or is a randomly named domain which has no connection with Leroy Merlin.
The cyber criminals masterminding the scam try to induce the user to finish the survey quickly, by making him/her believe that only a few people can win and that the offer expires the same day. There is also a countdown timer at the bottom of the screen which, however, if stopped - as we simulated - starts over immediately: a deadline that resets is no deadline at all, and a clear sign that the urgency is fake.
When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.
Here is specifically question 1/8. These are very general questions focused on the degree of satisfaction with the services offered by Leroy Merlin and on the daily habits of consumers. Here, too, there is a countdown to prompt the user to finish the process quickly for the prize.
When the survey is over we can finally claim our prize: a 108-piece Dexter tool set supposedly worth 104.99 Euros but costing us 0. We only have to pay the shipping costs, which are supposed to be small.
But let's hurry: there seem to be only 2 left in stock.
Here we go: all you need to do is enter your shipping address and pay the shipping cost and, in 5-7 business days, the prize will be delivered.
To add credibility, many comments are shown from customers who supposedly took part in the survey: all confirming testimonials about the actual delivery of the winnings, assuring us that it is not a scam...
Surely, if so many users were lucky, why not try your luck?
Then, when we click on Continua (Continue), we are redirected to a further page to enter our shipping address and pay the shipping costs.
As we can see from the image on the side, the cybercriminals try to trick the victim into entering sensitive data to ship the prize. Most likely, credit card information will also be requested later for the payment of the shipping costs: the "small" shipping fee is the pretext for collecting the card details.
The page where we are redirected to enter our personal data is hosted on a new anomalous address/domain, which we report below:
[FakeDomainName*]
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links, which may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are stolen by cyber crooks who can use them at will.
A little attention and a quick glance can save a lot of hassle and headaches...
We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, each new wave will, with reasonable likelihood, catch out more than a few unfortunate recipients.
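Every entry above (PayPal, DHL, Aruba, Docusign, Banca Sella, MetaMask, Leroy Merlin) rests on the same two-part check done by eye: does the sender's domain belong to the impersonated brand, and does the link lead to the brand's domain? The Webmail entry adds a twist, a hostname built around the victim's own domain. The following is an added example, written for this page and not TG Soft's own tooling, that applies those checks to a raw message with the Python standard library. The brand domain set, both sample messages and all link hosts are constructed for the demonstration (only the hotmail.com sender address is taken from the PayPal entry); the registrable-domain helper simply takes the last two labels, which is an assumption that does not hold for suffixes such as co.uk.

```python
"""Added example, not TG Soft's code: the sender-domain and link-domain
check that every entry in this index applies by eye, done on a raw message.
Everything after the imports is constructed for the demonstration."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname.
    Assumption: fine for .com/.it/.eu; ccSLDs such as co.uk need the
    Public Suffix List (e.g. the 'publicsuffix2' package) in real use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(header_value) -> str:
    """Domain of the first address in a From:/To: header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes, allowed: set) -> dict:
    """Report sender and link hosts that fall outside `allowed`, the set of
    registrable domains the impersonated brand really uses (for a webmail
    phish: the recipient's own mail domain). Returns a dict of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = _domain_of(msg["From"])
    recipient = _domain_of(msg["To"])
    out = {"sender_mismatch": None, "bad_links": [], "embeds_recipient_domain": []}
    if registrable_domain(sender) not in allowed:
        out["sender_mismatch"] = sender
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if registrable_domain(host) not in allowed:
            out["bad_links"].append({"text": text, "host": host})
        # Webmail trick from the 12/12 entry: 'webmail.<victim-domain>' is only
        # a label; the registrable domain at the end is the attacker's.
        if (recipient and recipient in host
                and registrable_domain(host) != registrable_domain(recipient)):
            out["embeds_recipient_domain"].append(host)
    return out


# Constructed sample modelled on the PayPal entry. The From: address is the
# one quoted on this page; both link hosts are invented (RFC 2606 names).
SAMPLE_PAYPAL = b"""From: PayPal <niama.damma@hotmail.com>
To: victim@example.com
Subject: Verifica del tuo indirizzo email per l'attivazione dell'account
Content-Type: text/html; charset="utf-8"

<html><body><p>Conferma il tuo indirizzo e-mail:</p>
<a href="https://paypal-verify.example.net/login">Verifica e-mail</a>
<a href="https://www.paypal.com/it/help">Centro assistenza</a>
</body></html>
"""

# Constructed sample for the webmail variant: the hostname starts with the
# victim's own domain but ends in an unrelated (invented) registrable domain.
SAMPLE_WEBMAIL = b"""From: bounce@ns0.example.org
To: victim@example.com
Subject: example.com mail status notification
Content-Type: text/html; charset="utf-8"

<a href="https://webmail.example.com.example.net/settings/manage/emails">Release messages</a>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PAYPAL, {"paypal.com", "paypal.it"}))
    print(analyze(SAMPLE_WEBMAIL, {"example.com"}))
```

Two things the check does on purpose: it compares against the brand the message claims to be from, not against SPF/DKIM results, because the netsuite.com, intuit.com and onmicrosoft.com senders seen this month are legitimate services that can pass authentication for their own domains; and it reports the visible link text next to the real host, since "Verifica e-mail" pointing at a domain that is not PayPal's is exactly the mismatch the entries above describe.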
We invite you to check the following information on phishing techniques for more details:
06/11/2024 14:33 - Phishing: the most common credential and/or data theft attempts in November 2024
07/10/2024 14:33 - Phishing: the most common credential and/or data theft attempts in October 2024
04/09/2024 09:28 - Phishing: the most common credential and/or data theft attempts in September 2024
06/08/2024 14:50 - Phishing: the most common credential and/or data theft attempts in August 2024
04/07/2024 17:22 - Phishing: the most common credential and/or data theft attempts in July 2024
03/06/2024 17:22 - Phishing: the most common credential and/or data theft attempts in June 2024
03/05/2024 11:56 - Phishing: the most common credential and/or data theft attempts in May 2024
03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024
06/02/2024 08:55 - Phishing: the most common credential and/or data theft attempts in February 2024
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in January 2024
11/12/2023 09:39 - Phishing: the most common credential and/or data theft attempts in December 2023
03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
- it identifies and, in many cases, also removes most of the viruses/malware actually in circulation or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.;
- Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices
VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.
You can upgrade to the PRO version by purchasing it directly from our website=> click here to order
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.
How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- any suspect email can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode (a plain inline forward strips the original headers the analysts need) and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject line;
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program in use. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft's C.R.A.M. (Anti-Malware Research Center)