03/01/2025
14:40

Phishing: the most common credential and/or data theft attempts in JANUARY 2025


Find out the most common phishing attempts you might encounter and avoid.

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in January 2025:

29/01/2025 => DocuSign
28/01/2025 => Account posta elettronica (Email Account)
28/01/2025 => Shein
27/01/2025 => Leroy Merlin
26/01/2025 => Telepass
21/01/2025 => Telepass
17/01/2025 => PayPal
14/01/2025 => GLS
11/01/2025 => Metamask
10/01/2025 => Esselunga
06/01/2025 => Account posta elettronica (Email Account)
01/01/2025 => Leroy Merlin

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible, easily imaginable, consequences.


 

29 January 2025 ==> Phishing Docusign

SUBJECT: <dahsboard update attached—please save or print now>

We analyze below a new phishing attempt aimed at stealing the account login credentials of Docusign, the American software company that provides electronic signature.

Clicca per ingrandire l'immagine della falsa e-mail che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di Docusign.

The message, in English, informs the recipient that there is a pending update awaiting review and confirmation. It then invites him/her to log in by clicking on the following link:

Click View

When we analyze the email, we see that the message comes from an email address <info[at]fdtrust[dot]org> not traceable to the domain of Docusign. This is definitely anomalous and should, at the very least, make us suspicious.
Clicca per ingrandire l'immagine della videata che compare cliccando sul link di download del documento, che non rimanda al sito ufficiale di Docusign.

Anyone who unluckily clicks on the Click View link, will be confronted with the screen shown in the side image.
As we can see we are redirected to a site unrelated to Docusign but which graphically simulates the  account login page of Microsoft. This is definitely anomalous.
The goal of the scammers is to induce us to enter, specifically, the mailbox password.
Given these considerations, we urge you to NEVER enter your credentials on unknown sites, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.


28 January 2025 ==> Phishing Account Posta Elettronica (Phishing Email Account )

SUBJECT:<Dominio.it 5 Incomplete Messαges Delivery Stαtus>

We analyze below a new phishing attempt that aims to steal the login credentials of the email account.

Clicca per ingrandire l'immagine della falsa e-mail che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di posta elettronica.
The message, of dubious origin, informs the recipient that some messages have not been delivered to his/her mailbox, due to a server problem.
It seems therefore necessary to click on one of the two links:
Receive all 5 emails
Delete all 5 emails


When we analyze the email, which is very sparse and without provenance information, we notice that the message comes from an anomalous email address <admin[t]conversion[-]crafters[dot]com>. This should already make us suspicious.
 

The purpose of the message is to prompt the recipient to click on the  Receive all 5 emails

Delete all 5 emails link,  which, we would like to point out, redirects to an abnormal page intended to steal the password of the e-mail account but which has already been reported as a deceptive WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data, in order to use it for illegal purposes.
Given these considerations, we urge you to NEVER enter your credentials on sites whose origin is unknown, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.



28 January 2025 ==> Phishing Shein

SUBJECT: <S co p ri la t ua Sca to la Mi s teri osa S hei n o gg i! > (D isco ver y our S hei n My ster y B o x to da y)

Below we analyze a scam attemp, hiddent behind a false communication from the well-known company SHEIN.

Clicca per ingrandire l'immagine del falsa e-mail che sembra provenire da Shein, che informa della possibilità di vincere una scatola misteriosa...in realtà si tratta di una TRUFFA!
It is a promotional message proposing an opportunity to win a prize. The lucky user has been selected to participate in a survey to win Shein's mystery box...or so it seems.
Certainly for many inexperienced users behind this phishing there is a real decoy.
The well-known Chinese online sales site SHEIN is clearly uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as usual, to steal sensitive data of the unsuspecting recipient.

So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.

When we analyze the email, we see that the message comes from an email address <patricia[_]shaw[_]v26476[at]samartc[dot]pitrom[dot]store> not traceable to the official site of SHEIN. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link Completa il sondaggio adesso (Complete the survey now) link, here is what happens:
 
Clicca per ingrandire l'immagine del falso sito di SHEIN che invita a partecipare ad un sondaggio per vincere un premio...ma che in realtà è una TRUFFA!
we are redirected to a landing page that, although graphically well crafted (with misleading images and the authentic logo of SHEIN), does not seem trustworthy at all.
In fact, the survey is hosted on the following anomalous address/domain..

https[:]//[FakeDomainName*]....

which has no connection with SHEIN.
The cybercriminals running the scam, in order to induce the user to quickly end the survey and obtain his/her sensitive data, pretend that the offer is about to expire. At the bottom of the screen there is also a countdown timer, which however, if reset to zero as simulated, would restart immediately thereafter.. rather strange thing.

If we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.

Here specifically is question 1/8. These are, in fact, all very general questions focusing on the degree of satisfaction with the SHEIN shopping site and the products sold. The countdown timer is also present here, to prompt the user to quickly complete the process for the award.
Clicca per ingrandire il sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!
After the survey is completed  we can finally claim our prize: Shein's Mystery Box which would be worth Euro 399.99 but costs us 0..We only have to pay shipping costs, which are supposed to be small.
Better hurry up and finish the procedure.
Clicca per ingrandire l'immagine al termine del sondaggio che permetterebbe di reclamare la consegna del premio...ma che in realtà è una TRUFFA!

To give greater credibility, many comments from customers who appear to have already participated in the survey, have also been reported. These are all reassuring testimonials/feedback about the actual delivery of the winnings and therefore about the trustfulness of the message. Some of them are even documented with photos of the prize received.
If so many users were lucky why not try to claim the delivery?!
 
Just enter your shipping address and pay the shipping costs to receive the prize in 5-7 working days.....
Clicca per ingrandire l'immagine del falso sito di SHEIN dove vengono indicate le istruzini per ricevere il premio...

Then we will be sent to a further page, as shown in the image below, to enter our shipping address and pay the shipping charges

Clicca per ingrandire l'immagine del falso sito di SHEIN dove viene richiesto di inserire i propri dati per ricevere il premio...ma che in realtà è una TRUFFA!
The page, hosting the data-entry form, looks graphically well designed and misleading. In order to complete the process, we need to pay the shipping costs, which, although modest, likely involve entering credit card information in order to finish the purchase.
In fact, the purpose of cyber criminals is precisely to trick the user into entering his/her sensitive data and, in this case, his/her credit card data!
The page that asks for our personal information, is hosted on a new abnormal address/domain.

https[:]//[FakeDomainName*]....

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links which may lead to a counterfeit site. In fact, in this way your most valuable data is stolen by cyber crooks who can use it at will.

 21 - 26 January 2025 ==> Phishing TELEPASS    

Below we analyze the attempted scams hidden behind false communications by the well-known Italian company TELEPASS , that works in the urban and suburban mobility services industry.
These are 2 examples, graphically and textually different but with the same goal of making the recipient believe that he or she is facing an unmissable opportunity.The lucky user has been selected as winner of a fantastic prize: a new "car emergency kit", which can be claimed by participating in a  a short survey.

Example no. 1
SUBJECT: <Abbiamo una sorpresa per i clienti Telepass
(We have a surprise for Telepass customers)
Example no. 2
SUBJECT: <N o n as p e tt a r e! Ri sp o n di e r ic evi il K it d i E me rg e nz a ora!>
(Don’t wait! Reply and get the Emergency Kit now)

Certainly this phishing is a real decoy for many inexperienced users.
Clearly the well-known company TELEPASS is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.

When we analyze the emails, we see that the messages come from email addresses <Telepass[-]nqe[at]stanbertoffers[dot]click> and <roxanne[_]pigman[_]r33621[at]samartc[dot]pitrom[dot]store>  clearly not traceable to the official domain of TELEPASS. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the links in the emails, here is what happens:

 
Clicca per ingrandire l'immagine del falso sito di TELEPASS che invita a partecipare ad un sondaggio per vincere un premio...ma che in realtà è una TRUFFA!
we are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of TELEPASS) does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:

https[:]//[NomeDominioFake*]....

which has no connection with TELEPASS.
Cyber criminals masterminding the scam, try to induce the user to quickly finish the survey, by making him/her believe that only few people can win, and the offer expires in the day. There is also a countdown timer at the bottom of the screen, which however, if stopped - as we simulated - will start over immediately. This is a rather strange thing.

When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.

Here is specifically question 1/8. These are very general questions focused on the degree of satisfaction with the services offered by TELEPASS and about the company's marketing/promotional choices. Here, too, there is a countdown to prompt the user to quickly finish the process for the award. 

Clicca per ingrandire il sondaggio di TELEPASS che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!
When the survey is over, we can finally claim our prize: a Car emergency kit that would be worth 99,95 Euros but costs us 0 Euros. We only have to pay shipping costs, which are supposed to be small.
But let's hurry. There seem to be only 2 left in stock.
Clicca per ingrandire il sondaggio di TELEPASS che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!

Just enter your shipping address and pay the shipping costs to receive the prize in 5-7 working days.

Clicca per ingrandire l'immagine del falso sito di TELEPASS dove vengono indicate le istruzioni per ricevere il premio...
To give more credibility, many comments from customers who supposedly participated in the survey, have been reported. These are all confirming testimonials/feedback about the actual delivery of the winnings, ensuring that it is not really a scam.....
Surely if so many users were lucky why not try our luck?!
Clicca per ingrandire l'immagine del falso sito di TELEPASS dove viene richiesto di inserire i propri dati persoanli per ricevere il fantastico premio...ma che in realtà è una TRUFFA!
Then, when we click on Continua (Continue), we are sent to a further page to enter our shipping address and pay shipping costs.
As we can see from the image on the side, the cybercriminals try to trick the victim into entering his/her sensitive data, to ship the prize. Most likely, credit card information will also be requested later for the payment of shipping costs.
The page where we are redirected, to enter our personal data, is hosted on a new abnormal address/domain, which we report below:
https[:]//[FakeDomainName*][.]com

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.



17 January 2025==> Phishing PayPal

SUBJECT: <Ogg etto: Imp orta nte: Limit azi oni su l tu o acc oun t – Azi one ri chies ta> (Su bje ct: Imp orta nt: Restrictio ns on you r accoun t – Re quested ac tion)

We analyze below a new phishing attempt aimed at stealing the account login credentials of PayPal, the well-known U.S. digital payments company.

Clicca per ingrandire l'immagine della falsa e-mail che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di PayPal.
The message informs the recipient that his/her PayPal account has been restricted due to unauthorized use. To avoid account deactivation, the user has 24 hours to confirm the data by clicking on the link:

Conferma le tue informazioni (Confirm your information)

When we analyze the email we see that the message comes from an email address <poi2[at]annacaiazzo[dot].it> clearly not from the official domain of PayPal. This is definitely anomalous and should, at the very least, make us suspicious.
Clicca per ingrandire l'immagine della falso sito di PayPal che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di PayPal.
Anyone who unluckily clicks on the link.
Conferma le tue informazioni (Confirm your information) will be presented with the image shown in the side image.
As we can see, the user is redirected to a site that graphically simulates the PayPal login page. However, the page is hosted on an anomalous address/domain.

Given these considerations, we point out that you should NEVER enter your credentials on sites whose origin is unknown, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.



14 January 2025==> Phishing GLS

SUBJECT: <"Il Tuo Pacco È Pronto per la Consegna - Dettagli Richiesti"(Your Package Is Ready For Delivery - Details Required)

We analyze below a new data theft attempt that comes through a deceptive message, pretending to be from the well-known courier company GLS.
Clicca per ingrandire l'immagine del falso messaggio che informa il ricevente che c'è un pacco in attesa di consegna ma che si tratta di una TRUFFA!
The message, which we quote on the side, refers specifically to a package awaiting delivery. To unlock the delivery, it is necessary to confirm the shipping information and pay the shipping charges not paid by the seller. The recipient is then asked to click on the Continua (Continue) link.
The message, although seemingly from the courier GLS, is very poor and lacking in information to identify the delivery. Only a tracking code (AIPD-1512-KL10) is reported, which could be proven false by checking the tracking on official website of GLS.
Clearly GLS is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out, all it takes to avoid unpleasant incidents is a little attention and a quick glance.

Anyone who unluckily clicks on the Continua (Continue) link, will be directed to a web page simulating the official website of GLS. Although the site is graphically well designed, we see that the url address is anomalous and not traceable to any courier company.
Clicca per ingrandire l'immagine del falso sito del corriere dove si dovrebbe monitorare una spedizione in sospeso ma che in realtà è una TRUFFA!
The next page shows a precise reference tracking code (AIPD-1512-KL10). Then clicking on ''Continue'', a new screen follows  showing the pending shipping charges.
 
Clicca per ingrandire l'immagine del falso sito del corriere dove si dovrebbe monitorare una spedizione in sospeso ma che in realtà è una TRUFFA!

Moving on, we click on ''Pianifica la tua consegna ora'' (Schedule your delivery now) and a new screen is offered inviting us to choose how to arrange the new delivery, followed by an additional one where we specify when we prefer the delivery.
Clicca per ingrandire l'immagine del falso sito del corriere dove si dovrebbe monitorare una spedizione in sospeso ma che in realtà è una TRUFFA!
Here we are finally at the conclusion of the shipment rescheduling procedure, which should end with the data confirmation. However, in order for the delivery to take place, we need to pay the shipping costs
Clicca per ingrandire l'immagine del falso sito del corriere dove si dovrebbe monitorare una spedizione in sospeso ma che in realtà è una TRUFFA!

Clicca per ingrandire l'immagine del falso FORM dove si viene dirottati per sbloccare una spedizione in sospeso che chiede l'inserimento dei dati della carta di credito! Si tratta di una TRUFFA!
HERE'S THE SURPRISE! After clicking on 'Pagina successiva'' (Next Page) we are in fact redirected to a data-entry FORM that requires, in addition to ''Nome'',  (First Name), ''Cognome'' (Last Name), '''Indirizzo'' (Address), ''Numero di telefono''  (Phone Number) and ''E-Mail'', our credit card information to proceed with the payment of € 19.95 related to shipping costs.
We point out that the form page has a different address from the address above but still is totally unreliable and unrelated to any courier site.

The purpose of this phishing is to induce the user to enter his or her personal information. On the side we show in detail the screenshot of the completion form.

To conclude, we always urge you to be wary of any email asking for confidential data, and avoid clicking on suspicious links, which may lead to a counterfeit site difficult to distinguish from the original one. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.


14 January 2025==> Phishing MetaMask

«SUBJECT: <Security Notification>

We analyze below a new phishing attempt aimed at stealing the credentials of the victim's cryptocurrency wallet, run on  MetaMask, a San Francisco-based company.

MetaMask is a cryptocurrency software wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet via a browser extension or mobile app.

Clicca per ingrandire l'immagine della falsa e-mail di Metamask, che cerca di rubare le credenziali di accesso all'account.
The message prompts the recipient to activate 2-factor checking (2FA) through the following link, to increase the security of his/her wallet if he/she has not already done it.

Enable 2FA Now


When we analyze the message, we see that it comes from a very suspicious e-mail address<zbdt7a4j[at]info[dot]mailservice[dot]com> not traceable to the official domain of MetaMask. This is definitely anomalous and should, at the very least, make us suspicious.

Clicca per ingrandire l'immagine del falso sito contraffatto di MetaMask per l'inserimento delle credenziali di accesso all'account...ma in realtà è una TRUFFA!
Anyone who unluckily clicks on the Enable 2FA Now link, will be redirected to an anomalous WEB page, unrelated to the official site of MetaMask.
Such a page might mislead the user as it simulates MetaMask's graphics. However, it is hosted on an anomalous address/domain.

To conclude, we always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as it will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.




10 January 2025==> Phishing ESSELUNGA

SUBJECT: <Fai sentire la tua voce e ricevi un premio!> (Make your voice heard and receive a prize!)

Below we analyze the following scam attempt, hidden behind a false communication from the well-known large distribution company Esselunga.

Clicca per ingrandire l'immagine del falsa e-mail che sembra provenire da Esselunga, che informa della possibilità di vincere un premio...in realtà si tratta di una TRUFFA!
It is a promotional message  that seems to propose an unmissable opportunity. The lucky user has been selected to participate in the current promotion through a survey that will allow him/her to win a prize: 36-piece Tupperware Modular Mates set...or so it seems.
Certainly behind this phishing there is a real decoy for many inexperienced users.
Clearly Esselunga is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient. So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.

When we analyze the email, we notice that the message comes from an email address <ticket[at]ticket[dot]com> not traceable to the official domain of Esselunga. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
 
Clicca per ingrandire l'immagine del falso sito di ESSELUNGA che invita a partecipare ad un sondaggio per vincere un premio...ma che in realtà è una TRUFFA!
we are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of Esselunga) does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:

"https[:]//[FakeDomainName*]...''

which has no connection with Esselunga.
Cyber criminals masterminding the scam, try to induce the user to quickly finish the survey, by making him believe that only few people can win, and the offer expires in the day. There is also a countdown timer at the bottom of the screen, which however, if stopped - as we simulated - will start over immediately. This is a rather strange thing.

When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.

Here specifically is question 1/10. These are, in fact, all very general questions focusing on the degree of satisfaction with the services offered by Esselunga and the daily habits of consumers. We see that the countdown timer is also present here to prompt the user to quickly finish the process for the award.
Clicca per ingrandire sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!
When the survey is over, we can finally claim our prize: 36 Piece Tupperware Modular Set which is worth Euro 399,99 but costs us zero. We only have to pay shipping costs, which are supposed to be small.
But let's hurry.. There seems to be only  2 left in stock.
Clicca per ingrandire sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!

''Congratulazioni! Abbiamo riservato (1) Set Tupperware da 36 pezzi esclusivamente per te.''
(Congratulations! We have reserved (1) 36-piece Tupperware Modular Mates set  exclusively for you)

Here we go: in fact, all we need to do is enter our shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....

Clicca per ingrandire l'immagine del falso sito di ESSELUNGA dove vengono indicate le istruzini per ricevere il premio...
To make the scam more trustworthy, several comments have been reported from customers who seem to have already participated in the survey. These are all reassuring testimonials/feedback about the actual delivery of the winnings and thus on the reliability of the message.
Surely if so many users were lucky why not try our luck?!
Clicca per ingrandire l'immagine del falso sito di ESSELUNGA dove viene richiesto di inserire i propri dati persoanli per ricevere il fantastico premio...ma che in realtà è una TRUFFA!
Then, if we click on Continua (Continue), we will be directed to another page to enter our shipping address and pay shipping costs.
As we can see from the side image, the purpose of the cyber criminals is to induce the victim to enter his/her sensitive data needed to ship the prize. Then credit card information will very probably be requested to pay the shipping costs .
The page we are redirected to, in order to enter our personal information, is hosted on a new abnormal address/domain:

"https[:]//[FakeDomainName*]...''

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.


6 January 2025==> Phishing Account Posta Elettronica (Phishing Email Account )

SUBJECT: <Final Notice: 01/06/2025 06:21:24 AM!>

We analyze below a new phishing attempt that aims to steal email account login credentials.

Clicca per ingrandire l'immagine della falsa e-mail che cerca di indurre il ricevente a inserire le credenziali di accesso all'account di posta elettronica.
The message, of dubious origin, invites the recipient to read the attached message, a zipped .pdf document, named RecipientName-Service_installation_Quote.

When we analyze the mail, very poor and lacking information to identify its origin, we see that the message comes from an abnormal email address <documents(at)docusign(dot)com>. This is very suspicious

Clicca per ingrandire l'immagine della videata che compare cliccando sul link di conferma password, che non ha nulla a che fare con l'account di posta.
In any case, anyone who unluckily tries to open the attached file, will be presented with the screen shown in the side image.
As we can see, we are redirected to a site that graphically simulates the Yahoo mail login page, where we are prompted to enter our login information (E-mail and password) in order to view the document. The page is hosted on an anomalous address/domain.
Based on these considerations, we point out that you should NEVER enter your credentials on sites whose origin you do not know, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
 

 1 - 27 January 2025 ==> Phishing Leroy Merlin

Below we analyze the following scam attempts hidden behind a false communication from Leroy Merlin, the well-known large distribution company.

These are 2 examples, graphically and textually different, but with the same goal of making the user believe that he or she is facing an unmissable opportunity.The e-mail seems to offer the lucky user a chance to win a set of 108 Dexter tools, just by participating in a short survey.  

Example no. 1
SUBJECT: <S i p r e g a d i c on fe rm a r e l a ri c ezi on e>
(P l e a s e c o n f ir m r e c e i p t)
Example no. 2
SUBJECT:  <V i n c i u n s e t di ut e n s i li D ex t er: p ar t eci pa og gi ste ss o al no str o s on da gg io L er o y M erli n!>
(Wi n a  s e t of D ext er t o ol s: j oi n o u r Le ro y Me rli n su rve y to da y!)

Clearly, the well-known company is unrelated to the mass sending of these e-mails, which are real scams whose goal is, as always, to steal sensitive data of the unsuspecting recipient and use them for criminal purposes.
Although the cyber crook had the graphic foresight to include the logo of the well-known chain, there are clues that should make one suspicious. In fact, the source addresses of the e-mails <deborah[_]green[_]m91683[at]stpatrick[dot]lourencoeamancio[dot]pt> and <daryl[_]banahan[_]p19112[at]samartc[dot]pitrom[dot]store> are in no way traceable to Leroy Merlin's official domain.
However, if we click on either link:
Partecipa al sondaggio ora!
Partecipa al sondaggio adesso!
(Join the survey now!)
(Join the survey now!)

 
Clicca per ingrandire l'immagine del falso sito di Leroy Merlin che invita a partecipare ad un sondaggio per vincere un premio...ma che in realtà è una TRUFFA!
we are redirected to a landing page that, although graphically well designed, does not seem trustworthy at all, as it is hosted on an anomalous address/domain, unrelated to Leroy Merlin

[FakeDomainName*]...

*FakeDomainName is a domain that simulates a known brand domain or is a randomly named domain.

The cyber criminals masterminding the scam, try to induce the user to quickly finish the survey pretending that there is little time left to participate and win the prize. In fact, at the bottom of the screen there is a countdown timer, which, however, if it resets to zero, it would start over again immediately afterward... rather strange thing.

When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions. These are very general questions focused on the degree of satisfaction with the services offered by  Leroy Merlin and on the daily habits of consumers. Here, too, there is a countdown to prompt the user to quickly finish the process for the prize without much thought.

Below is an example question in the survey:
Clicca per ingrandire il sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!

Once the survey is over, we can finally claim the prize: the 108-piece Dexter tool set, valued at 104.99 euros, which, however, since we completed the survey, we will receive by paying only shipping costs, a much lower cost than the set.
Clicca per ingrandire sondaggio che permetterebbe di vincere un premio...ma che in realtà è una TRUFFA!

To make it more credible, the cyber-scammer included some fake comments from users who supposedly participated in the survey and actually received the promised prize. Obviously, the purpose is to reassure the victims that the message is not a scam and thus induce them to continue. 

Clicca per ingrandire l'immagine del falso sito di Leroy Merlin dove vengono indicate le istruzini per ricevere il premio... Clicking on RECLAMARE LA RICOMPENSA (CLAIM THE REWARD), a window will open notifying us that we've won the prize and how to receive it: enter the shipping address, pay the shipping cost, and in 5-7 business days the 108-piece Dexter tool set will be delivered.

Clicca per ingrandire l'immagine del falso sito di Leroy Merlin dove viene richiesto di inserire i propri dati persoanli per ricevere il fantastico premio...ma che in realtà è una TRUFFA!
Then we click CONTINUA (CONTINUE), and we are redirected to another page, hosted on a fake address/domain, where we are asked to enter our personal information, such as name and shipping address. Continuing further, we will likely also be prompted to enter our credit card information to pay shipping charges.

We always urge you not to rush and pay attention to even the smallest details. Besides we invite you to be wary of offers/promotions that are "too good to be true," and above all not to enter your personal information and/or passwords on forms hosted on counterfeit web pages, as they will be used by cyber crooks for criminal purposes.


A little bit of attention and glance can save a lot of hassles and headaches...

We urge you NOT to be fooled by these types of e-mails, which, even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence, with reasonable likelihood more than a few unfortunates will be fooled.
 
We invite you to check the following information on phishing techniques for more details:


03/12/2024 14:47 -  Phishing: the most common credential and/or data theft attempts in  December 2024...
06/11/2024 14:33 Phishing: the most common credential and/or data theft attempts in November 2024...
07/10/2024 14:33 - Phishing: the most common credential and/or data theft attempts in October 2024...
04/09/2024 09:28 - Phishing: the most common credential and/or data theft attempts in September 2024
06/08/2024 14:50 - Phishing: most popular credential and/or data theft attempts in August 2024...
04/07/2024 17:22Phishing: the most common credential and/or data theft attempts in July 2024.
03/06/2024 17:22 Phishing: the most common credential and/or data theft attempts in  June 2024..
03/05/2024 11:56 - Phishing: the most common credential and/or data theft attempts in  May 2024..
03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024...
04/03/2024 10:42 - 
Phishing: the most common credential and/or data theft attempts in  March 2024..
06/02/2024 08:55Phishing: the most common credential and/or data theft attempts in  February 2024...
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in  January 2024....


Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite  has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL AndroidTM Devices

VirIT Mobile Security Italian Anti-Malware software that protects Android™ smartphones and tablets, from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
 

VirIT Mobile Security l'Antimalware di TG Soft per Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

 

You can upgrade to the PRO version by purchasing it directly from our website=> click here to order


Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.


How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: