PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in July 2025:

21/07/2025 =>Aruba - Unsent messages
14/07/2025 => PayPal
14/07/2025 => Aruba - Expired invoice
10/07/2025 => GoDaddy
10/07/2025 => Phishing Sondaggio - Mediaworld / UNIPOL
08/07/2025 => SexTortion
06/07/2025 => FedEx
05/07/2025 => Aruba - Expired domain
04/07/2025 => Phishing Sondaggio - LEROY MERLIN / IKEA
01/07/2025 => PagoPA
01/07/2025 => Aruba - Account verification

These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassles and headaches..

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

21 July 2025 ==> Phishing Aruba - Unsent Messages

SUBJECT <Important notice: you have (2) unsent messages>

Phishing attempts pretending to be communications from the Aruba brand, continue. The message informs the receiver that as of today 21 July 2 new messages have arrived, which however have not been delivered to the mailbox hosted on Aruba. The reason for the undelivered messages seems to be a new management policy of incoming mail adopted by Aruba. It therefore invites the user to retrieve the suspended message through the following link:

CLICK HERE TO RETRIEVE THE MESSAGE

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is uninvolved in the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.

When we carefully analyse the message, we find some clues that should make us suspicious. We first see that the text of the e-mail is generic and written in incorrect Italian. Furthermore, the e-mail address of the message <vr[at]albremb[dot].com> is not traceable to the official domain of Aruba, a very anomalous fact. Another red flag is that in order to confirm, you are asked to enter your account credentials via a link provided by e-mail

Anyone who unluckily clicks on the link
CLICK HERE TO RETRIEVE THE MESSAGE
will be redirected to a web page that, although it visually mimics the login page of an Aruba account - since the cybercriminal took care to include thelogo of the company - is not at all trustworthy.
In this case too, the address/domain is anomalous:

https[:]//digilake[.]sa[.]com/****

On this page, the user is invited to log in to his/her customer area with his/her e-mail login and password to retrieve messages before deletion.

We always urge you not to be in a hurry, to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as these will be delivered to cyber criminals who will use them for criminal purposes.

14 July 2025 ==> Phishing PayPal

SUBJECT <Important update on your account>

We analyse below a new phishing attempt aimed at stealing the login credentials of the account of PayPal, the well-known US digital payments company.

The message warns the recipient that for security reasons his/her account will be updated and temporarily suspended. It then informs him/her that he/she can update his/her information immediately to avoid account suspension, through the following link:

>Update as you know.

When we analyse the message, we see that its email address <ew-alerts[at]dtihost[dot].com> is not related to the official domain of PayPal. This is definitely abnormal and should make us suspicious.
Whoever unfortunately clicks on the >Update as you know.
. link will find himself/herself facing the screen shown in the image on the side. As we can see, he/she are redirected to a site that visually mimics the PayPal login page. However, this page is hosted on an unusual address/domain.

For these reasons, we advise you NOT to ever enter your credentials on sites whose origin you do not know, as they will be sent to a remote server, and used by cyber crooks with all the risks you can easily imagine.

14 July 2025 ==> Phishing Aruba - Expired invoice

SUBJECT: <[Aruba.it]: Invoice expired (3) last reminder!>

Phishing attempts, pretending to be communications from the Aruba brand, continue.

The message warns the recipient that the invoice concerning the renewal of his Aruba services is still awaiting settlement, after 3 reminders. The service has been temporarily suspended due to non-payment and will be automatically reactivated when the outstanding amount is paid. Then the message gives detail of the invoice <Order number: INV-2025-6296> and provides the link for the payment:

MAKE THE PAYMENT 

The well-known web hosting, e-mail and domain registration services company Aruba, is clearly uninvolved in the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the unsuspecting recipient's sensitive data.

When we analyse the message we immediately notice that it comes from an address <noreply(at)bussolocean(dot)com> which does not refer to the official domain of Aruba. It is essential to always be very careful before clicking on suspicious links.

Whoever unfortunately clicks on the MAKE THE PAYMENT  link, will be redirected to the displayed webpage..
On this page, the user is invited to access his/her customer area with login data to pay the bill and reactivate the suspended services.

Although the site may be misleading due to the presence of the well-known Aruba logo, the URL address of the browser is anomalous and cannot be traced back to the company's official domain.

https[:]//fatturazione-customerarea[FakeDomainName*].com/1/aruba-login

If you enter your data into counterfeit websites, in fact, it will be delivered to the cyber-criminals behind the scam who will use it for criminal purposes. We therefore urge you not to rush and always pay attention to every detail, even trivial ones.

10 July 2025 ==> Phishing GoDaddy

SUBJECT: <Action Required: Please Update Your Payment Information>

We analyse below the phishing attempt pretending to be a communication from GoDaddy, a US company that provides hosting and Internet domain registration.

The message, in English, informs the recipient that the renewal of GoDaddy services could not be completed, due to the current payment method indicated. To avoid the suspension of the services, the user is requested to update the payment information promptly.
It then invites the user to update the payment method via the following link:

Update Payment

Clearly, the well-known web hosting, e-mail and domain registration service company, GoDaddy, is uninvolved in the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

When we analyse the message, we immediately see that the sender's e-mail address <dh_6j4wrz[at]vps65269[dot]dreamhostps[dot]com> is not from the official domain of GoDaddy.

Anyone who unluckily clicks on the Update Payment  link, will be directed to the displayed page.

As we can see, firstly, the landing page is well-designed and reasonably mimics the official GoDaddy website.

We can see that the landing page in this case is hosted on the url address: https[:]//[FakeDomainName*]godaddyes/assets/ which is unrelated to the official website of the company.

We therefore urge you not to rush and always pay attention to every detail, even trivial ones.
If you to enter the requested data, specifically credit card details, it will be delivered to the cyber-criminal creators of the scam who will use it for malicious purposes.

10 July 2025 ==> Phishing customer survey: Mediaworld - UNIPOL

Customer survey-themed phishing campaigns, exploiting well-known brands, continue. In the two cases described below, the companies are large-scale retailers and insurance companies.
The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious e-mails, which are outright scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
In the two examples above the emails clearly come from addresses <it0mediaworld4[at]cts-pisa[dot]it>and <it764tdfj[at]maninox[dot]it>unrelated to the official domain of Mediaworld or UNIPOL. This is definitely anomalous and should certainly make us suspicious.    

When we click on the links in the e-mail, we are directed to a landing page that may look graphically deceptive (with misleading images and the brand's authentic logo), but is hosted on an abnormal address/domain that is not  trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely if so many users were lucky why not try our luck?

When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose, is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.

08 July 2025 ==> SexTortion

The SexTortion-themed SCAM campaign is back. The e-mail seems to hint that the scammer had access to the victim's device. In fact, he appears to have used it to collect data and personal videos and then blackmailed the user by demanding payment of a sum of money, in the form of Bitcoin, not to divulge among his/her email and social contacts a private video of him/her looking at adult sites.

Below is an extract from the text of the email shown on the side:


The hacker claims to have gained access to the victim's device and, as proof of this, also provides a user password. In addition, the cybercriminal attempts to build empathy with the user by justifying his actions as a result of losing his job due to Covid. In order to prevent the video from being released, the victim is asked to send 1,290 USD in Bitcoin to the wallet listed below: "17wXXXXXXXXXXXXXxXXXXXXXXWX'. After receiving the payment, all data will be deleted. Otherwise, a video depicting the user will be sent to all colleagues, friends and relatives. The unfortunate victim has two days to pay!

As of 10/07/2025, there are no transactions on the reported wallet.

In such cases we always invite you:

1. not to respond to these kinds of emails and not to open attachments or click unsafe links, and certainly NOT to send any money. You can safely ignore or delete them
2. if the criminal reports an actual user’s password – usually it is a password obtained from public Leaks (compromised data theft) of official sites occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is recommended to change it and enable two-factor authentication on that service.

06 July 2025 ==> Phishing FedEx

SUBJECT: <FINAL REMINDER - CASE NUMBER 98230000214>

Below, we analyse a new attempt at data theft that comes in the form of a fake message from the well-known courier FedEx.

05 July 2025 ==> Phishing Aruba - Expired domain

SUBJECT: <Warning: your domain **** may be lost­­>

Phishing attempts pretending to be communications from the Aruba brand continue

The message informs the recipient that his/her domain hosted on Aruba has expired today. It then informs him/her that in order to avoid service interruptions, he/she can immediately renew the domain at a cost of € 5.99 via the following link:

Renew Now

Let's always be careful about requests to enter personal credentials via suspicious links sent by email. Clearly, the well-known web hosting, email and domain registration company Aruba is not involved in sending these mass emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately see that the email address of the message <emaa[at]chimana[dot]it> does not belong to the official official domain of Aruba. This is definitely unusual and should make us suspicious.
To induce the victim to act quickly, the cybercriminal gives him or her little time to respond. This technique is clearly intended to intimidate the user, who, fearing that he or she will be unable to access his or her account and use the services linked to it, is prompted to act without paying due attention. 

Anyone who unluckily clicks on the  link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.  

04 July 2025 ==> Phishing customer survey: LeroyMerlin / IKEA

Customer survey-themed phishing campaigns, exploiting well-known brands, continue. In the two cases described below, the companies are large-scale retailers.
The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious e-mails, which are outright scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
In the two examples above we see that the emails clearly come from addresses  <infoikea4[at]elitemusic[dot]it> and <it00merly1[at]ebanisteriascaringella[dot]it>unrelated to the official domain of  IKEA, or Leroy Merlin. This is definitely anomalous and should certainly make us suspicious.    

When we click on the links in the e-mail, we are directed to a landing page that may look graphically deceptive (with misleading images and the brand's authentic logo), but is hosted on an abnormal address/domain that is not  trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely if so many users were lucky why not try our luck?

When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose, is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.

01 July 2025 ==> Phishing PagoPA

SUBJECT <amount still due>

We analyse this month the following phishing attempt pretending to be a communication from PagoPA, the well-known payments system serving public administrations and utilities in Italy.   

The message warns the recipient of a late payment for a traffic violation, including reference number <R7230033407> and the reason for the violation: <speeding>.
It then shows the amount of the unpaid fine, i.e. € 198.00. The recipient is subsequently invited to pay within 72 hours in order to avoid surcharges,  otherwise the amount will be increased to € 396.00, in addition to the deduction of 6 points from the driving licence. Finally, it provides the link for the payment:

Check and Pay Now

Clearly, the well-known digital payment platform is uninvolved in the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal the sensitive data of the unsuspecting recipient.

If we analyse the message carefully, there are some suspicious clues. We immediately notice that its email address <support[at]psy4pro[dot]ru> cannot be traced back to the official  domain of PagoPA. This fact is definitely abnormal, and should make us suspicious.

Anyone who unluckily clicks on the Check and Pay Now link will be directed to a web page which, as we can see from the image on the side, is graphically well designed and simulates quite well the official site of PagoPA.

We can see, however, that the landing page has a url address: url: https[:]//[FakeDomainName*]/... unrelated to the official site of the company.

We always urge you to pay attention to even the smallest details and not to enter your personal and/or credit card information on forms hosted on counterfeit web pages, as it will be sent to a remote server and used by cyber crooks.

01 July 2025 ==> Phishing Aruba - Account verification

SUBJECT: <Verify your email address_(*******) 6/30/2025 7:11:07 p.m.>

Here we find another phishing attempt claiming to be a communication from the Aruba brand.

The message warns the recipient that he/she must verify his/her identity linked to the domain hosted on Aruba. It then informs him/her that in order to avoid service interruptions, he/she must confirm his/her identity within 72 hours via the following link:

Confirm now

We immediately see that  the email is generic, but it does include the name of the account that matches the recipient of the message. Furthermore, it comes from an email address not linked to the domain of Aruba but seems to come from the domain of the recipient <Noreply(at)******>. This is definitely unusual and should make us suspicious.

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Anyone who unluckily clicks on the Confirm now link, will be redirected to a web page which, although graphically well designed – the cybercriminal has had the foresight to include the Aruba logo – is not at all trustworthy. Again, the address/domain is unusual and is not related to the official website of Aruba.

On this page, the user is asked to log in to his/her customer area by entering his/her login and password, in order to confirm his/her identity and avoid malfunctions/blocks.

We always encourage you to pay attention to every detail, even the minor ones, to avoid rushing, and to refrain from entering your personal data and/or passwords on forms hosted on fake web pages. These details, in fact, will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.