04/07/2024
15:06

Phishing: the most common credential and/or data theft attempts in JULY 2024...


Find out the most common phishing attempts you might encounter and avoid

PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in July 2024:

29/07/2024 => Smishing Istituto Bancario (BANK)
25/07/2024 => Istituto Bancario (BANK)
17/07/2024 => Istituto Bancario (BANK)
16/07/2024 => Booking
09/07/2024 => Aruba - Fattura non pagata (Unpaid invoice)
08/07/2024 => Webmail
08/07/2024 => Aruba - Avviso Rinnovo (Renewal Notice)
04/07/2024 => Aruba - Aggiorna lo storage (Update the storage)
03/07/2024 => SPARKASSE

These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.


July 29, 2024 ==> Smishing Istituto Bancario (Bank)

We analyze below a false communication from a well-known Bank, spread through SMS (smishing), a form of phishing that uses cell phones instead of email.
[Image: the fake SMS from a well-known Bank, which tries to induce the recipient to click on the link in order to steal the login credentials of his bank account.]

The message forwards to the recipient a request for payment of Euro 450.00 with the specified card "539867****". If the user does not recognize the payment, he can block it through the link provided.

Clearly, if the victim is not a customer of the Bank or the specified card is not his, he will more easily understand the anomaly in the message. However, we must remember that banks never require customers to provide personal data - and especially home banking login credentials - through SMS and e-mail.
The aim of the cyber criminals is to push the user, alarmed by the reported payment request, to promptly click on the t[.]ly/************** link.

Even at a glance, however, this link does not correspond to the official website of the well-known banking institution, and surely redirects to a counterfeit page.

To conclude, we always urge you to be wary of any form that requires you to enter confidential data, unless you are certain of the website's provenance. We also urge you not to click on suspicious links, which could lead to a counterfeit site that is difficult to distinguish from the original, where under no circumstances should you enter your bank account login details, credit card information or other sensitive data. Otherwise you put your most valuable data in the hands of cyber crooks who can use them at will.


July 25, 2024 ==> Phishing Istituto Bancario (Bank)

SUBJECT: <Il tuo account è stato temporaneamente disabilitato> (Your account has been temporarily disabled)
 
The following is another phishing attempt that comes as a false communication from a well-known Bank.

[Image: the fake e-mail from a Bank that tries to steal the recipient's sensitive data.]
In this case the layout of the message is intended to be more impactful, as the well-known logo of the Bank is used. The short communication informs the recipient that unusual activity has been detected in his account and he therefore needs to confirm his identity, through the following link:

Accedi (Log in)

If the user fails to confirm his identity, the account will be closed within 24 hours after the receipt of the message. Cyber fraudsters often use the technique of leaving little time to put pressure on users who, driven by the fear of account blocking, act immediately and without due attention.

Analyzing the e-mail, we notice right away that the message comes from an address <support(at)i-codesign(dot)it> that is clearly not from the official domain of the well-known Bank. It is crucial to always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the Accedi (Log in) link will be redirected to a malicious WEB page, which is unrelated to the Bank's official website and has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.


July 17, 2024 ==> Phishing Istituto Bancario (Bank)

SUBJECT: <Il tuo account è stato temporaneamente disabilitato> (Your account has been temporarily disabled) 

Below we analyze the following phishing attempt that comes as a fake communication from a well-known national Bank.

[Image: the fake e-mail from a Bank that tries to steal the recipient's sensitive data.]
The short message informs the recipient that unusual activity has been detected in his account and it is therefore necessary to confirm his identity through the following link.

Accedi (Log in)

If the user does not confirm his identity, the account will be closed within 24 hours after receiving the message. Cyber fraudsters often use the technique of leaving little time to put pressure on users who, driven by the fear of account blocking, act immediately and without paying due attention.

Analyzing the e-mail more closely, we notice right away that the message comes from an address <support(at)autocomsrl(dot)it> that is clearly not from the official domain of the well-known Bank. It is crucial to always pay close attention before clicking on suspicious links.

Anyone who unluckily clicks on the Accedi (Log in) link, will be redirected to a malicious WEB page, which is unrelated to the Bank's official website, but which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.
 

July 16, 2024 ==> Phishing Booking

SUBJECT: <Booking: Urgent - Contact Guest About Left Items>

We analyze below a new phishing attempt seemingly from Booking.com - the well-known online travel agency for booking stays, with millions of properties enrolled on their platform - which aims to steal the account login information of the victim.

[Image: the fake Booking e-mail that invites the recipient to contact a guest about a forgotten item; in reality it aims to steal the account login credentials.]
The message, in English, seems to come from Booking.com and informs the recipient - addressed generically as "Hotel" - that one of its customers forgot personal belongings during his last stay and was unable to get in touch with the facility. It then invites the hotel to contact the guest to arrange for the return of the personal belongings through the proposed platform, by clicking on the following link:

Contact Guest

Analyzing the email, we notice that the message comes from an email address <pch(at)greengrowthcompany(dot)com> not traceable to the official domain of Booking.com. In addition, the message is clearly addressed to a generic accommodation facility, whereas an identifier of the facility being complained about should be given. This is definitely anomalous and should, at the very least, raise our suspicions. Clearly, recipients who are not a Booking.com accommodation partner will recognize the scam more easily.

Anyone who unluckily clicks on the Contact Guest link will be redirected to an anomalous WEB page.

[Image: the fake Booking site to which the user is redirected and asked to authenticate in order to reply to a guest who forgot personal belongings; in reality it is a SCAM!]
We see from the side image that the web authentication page graphically simulates the official website of Booking.com.

However at a glance we notice that the login page is hosted on an anomalous address/domain...

https[:]//customerservice[.]quickwebaccesshub[.]shop/sign-in?op_token=UaQTYIysmK...

If you go on with the identification, you will likely be asked for your personal information and payment method, which will then be used by cyber crooks with all the associated, easily imaginable risks.

July 9, 2024 ==> Phishing Aruba - Fattura non pagata (Unpaid invoice)

SUBJECT: <Fattura non pagata #610777> (Unpaid invoice #610777)

Phishing attempts that pretend to be communications from the Aruba brand continue.

[Image: the fake Aruba e-mail that induces the user to renew the domain, but is in reality a SCAM!]
The message notifies the recipient that his domain hosted on Aruba, linked to his e-mail account, will expire on 07/09/2024. It then warns him to manually renew his services to avoid the deletion of the account and thus the deactivation of all services associated with it, including the mailboxes (therefore the chance to receive and send messages).
It then invites the user to log in to renew his services, through the following link:

RINNOVA IL DOMINIO
(RENEW YOUR DOMAIN)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal is always to steal sensitive data of the unsuspecting recipient.

When we analyze the message, we notice right away that the sender's e-mail address <comunicazioni(at)staff(dot)it> is not from the official domain of Aruba.
An expiration date of 07/09/2024 is given to induce the victim to renew his mailbox in a timely manner. Since the email was delivered on the same day, there is not much time to renew and prevent services from being deactivated. The technique of stating a deadline to conclude the procedure is intended to push the user to act immediately and without much thought, driven by the fear of his e-mail account deactivation.

Anyone who unluckily clicks on the RINNOVA IL DOMINIO (RENEW YOUR DOMAIN) link, will be redirected to the displayed page.

[Image: the fake Aruba site where the user is asked to pay for the domain renewal; in reality it is a SCAM!]
As we can see, first of all the landing page, unlike what is expected, does not refer to the login form of Aruba's RESTRICTED AREA but hosts an online payment form that seems to rely on BancaSella's circuit. Here you are directly requested to enter your credit card information to complete the payment of the modest amount of Euro 5.99.
Although haste and the fear of mailbox suspension may push the user to quickly complete the transaction, we can see from the URL that the payment form is not on the official domain of Aruba or even BancaSella:

https[:]//aruba[.]servizio-id[.]it/DiMfVi-5jWOZ-gwVVi....

In these cases we therefore urge you not to rush and pay attention to every detail, even trivial ones.
By proceeding to enter the requested data, in this case your credit card details specifically, these will be delivered to the cyber criminals masterminding the scam, who will use them for criminal purposes.  

July 8, 2024 ==> Phishing Webmail

SUBJECT: <Notice For *****> 

We analyze below another phishing attempt that aims to steal the user's email account login credentials.

[Image: the fake e-mail that tries to induce the recipient to enter the login credentials of his e-mail account.]
The message, in English, informs the recipient that his e-mail account password is expiring. It then invites him to change the password to continue using his account, via the link below:

Update Password

Analyzing the e-mail, we notice right away that the sender's e-mail address <stephan(at)thierry(dot)at> is not from the e-mail server and is rather anomalous.

Anyone who unluckily clicks on the Update Password link, will be redirected to an anomalous WEB page, which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes.

July 8, 2024 ==> Phishing Aruba - Avviso rinnovo (Renewal Notice)

SUBJECT: <Avviso prossimo rinnovo> (Notice of upcoming renewal)

Phishing attempts pretending to be communications from the Aruba brand continue this month.

[Image: the fake Aruba e-mail that induces the user to renew the domain, but is in reality a SCAM!]
The message this time informs the recipient that an error occurred during the automatic renewal of his domain on Aruba. The failure to pay will result in the suspension of the account and thus the deactivation of all services associated with it, including mailboxes (therefore the user will no longer be able to receive and send messages).
It then invites the user to verify his bank information and renew his services by manually filling out the form, through the following link:

Aggiorna ora (Update now)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the text of the message, we notice right away that the sender's e-mail address <it(at)noreplypec(dot)freshservice(dot)com> is not from Aruba's official domain.

Anyone who unluckily clicks on the Aggiorna ora (Update now) link, will be redirected to the displayed page.

[Image: the fake Aruba site where the user is asked to pay for the domain renewal; in reality it is a SCAM!]
On this page the user is invited to access his client area with his login and password to renew the domain and avoid the block of services.

Although the site may be misleading, in that the familiar Aruba logo has been included, we see that the URL in the browser bar is anomalous and not traceable to the official domain:

https[:]//logportal[.]de/aruba/web/login[.]php

In fact, by entering data into counterfeit websites, these will be delivered to the cyber-criminals behind the scam who will use them for criminal purposes. We therefore urge you not to rush and pay attention to every detail, even trivial ones.
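The check made by eye on the sender addresses and landing URLs above (does the host really belong to the brand's official domain, or does the brand name only appear as a subdomain label or in the path?) can be automated. The Python below is an added example, not TG Soft's code; the `OFFICIAL` allowlist (aruba.it, booking.com), the verdict names and the two constructed control URLs are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: each brand's official registrable domain (the bulletin does not list them).
OFFICIAL = {"aruba": "aruba.it", "booking": "booking.com"}


def refang(indicator: str) -> str:
    """Undo the bulletin's defanging so the value can be parsed (never fetched)."""
    for fanged, plain in (("[:]", ":"), ("[.]", "."), ("(at)", "@"), ("(dot)", ".")):
        indicator = indicator.replace(fanged, plain)
    return indicator.strip("<> ")


def split_indicator(indicator: str) -> tuple[str, str]:
    """Return (host, path) for a URL, or (domain, '') for a sender address."""
    value = refang(indicator)
    if "://" in value:
        parts = urlsplit(value)
        return (parts.hostname or "").lower(), parts.path.lower()
    return value.rsplit("@", 1)[-1].lower(), ""


def assess(indicator: str, brand: str) -> tuple[str, str]:
    """Classify where, if anywhere, the impersonated brand shows up."""
    official = OFFICIAL[brand]
    host, path = split_indicator(indicator)
    # Exact match or a true subdomain; the leading dot stops "notaruba.it" matching.
    if host == official or host.endswith("." + official):
        return host, "official"
    # Brand used as a label of somebody else's domain (aruba.servizio-id.it).
    if any(brand in label for label in host.split(".")):
        return host, "brand-in-host"
    # Brand only in the path of an unrelated host (logportal.de/aruba/...).
    if brand in path:
        return host, "brand-in-path"
    return host, "unrelated"


# Indicators exactly as defanged in the bulletin, plus two constructed controls.
SAMPLES = [
    ("https[:]//aruba[.]servizio-id[.]it/DiMfVi-5jWOZ-gwVVi....", "aruba"),
    ("https[:]//logportal[.]de/aruba/web/login[.]php", "aruba"),
    ("https[:]//customerservice[.]quickwebaccesshub[.]shop/sign-in?op_token=UaQTYIysmK...", "booking"),
    ("<comunicazioni(at)staff(dot)it>", "aruba"),
    ("https://www.aruba.it/", "aruba"),            # constructed: legitimate
    ("https://aruba.it.example.net/", "aruba"),    # constructed: look-alike
]

if __name__ == "__main__":
    for indicator, brand in SAMPLES:
        host, verdict = assess(indicator, brand)
        print(f"{brand:8} {verdict:14} {host}")
```

Only the "official" verdict means the host belongs to the brand; "unrelated" simply means the brand name is absent from the address, as with the Booking landing page and the sender domains.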


July 4, 2024 ==> Phishing Aruba - Spazio di archiviazione (Storage space)

SUBJECT: <Aggiorna lo storage della tua casella di posta Aruba!> (Update your Aruba mailbox storage!)

We find again this month phishing attempts pretending to be communications from the Aruba brand.

[Image: the fake Aruba e-mail that induces the user to log in to update the storage space, but is in reality a SCAM!]
The message warns the recipient that the storage capacity of his mailbox hosted on Aruba "is almost full or has low usage, further storage space upgrade is needed." It then tells him to update the mailbox capacity so as not to miss new incoming messages, pointing out that the update is free. He just needs to access his account, through the following link:

AGGIORNA ORA (UPDATE NOW)

Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.

Analyzing the e-mail we notice right away that the alert message comes from an address <m(dot)zanardini(at)gpmbroker(dot)it> that clearly does not come from the official domain of Aruba. It is crucial to always pay close attention before clicking on suspicious links.


Anyone who unluckily clicks on the AGGIORNA ORA (UPDATE NOW) link will be redirected to an anomalous WEB page, which has already been flagged as a DECEPTIVE PAGE/SITE.

Although haste and fear of email suspension may push the user to quickly complete the operation, we always urge you to pay close attention to every detail, even trivial ones.
By proceeding to enter data into counterfeit websites, these will be delivered to the cyber criminals masterminding the scam and will be used for illegal purposes.


July 3, 2024 ==> SPARKASSE

SUBJECT: <La tua app richiede conferma entro 24 ore!> (Your app requires confirmation within 24 hours)

Below we analyze the following phishing attempt that comes as a false communication from SPARKASSE, a well-known bank in Bolzano.

[Image: the fake SPARKASSE e-mail that tries to steal the recipient's sensitive data.]
The message, in both German and Italian, warns the recipient that due to system updates, all customers are required to confirm their phone number, otherwise data loss and delays may occur. It also informs the user that, in order to continue using the service offered, he must register as soon as possible through the following link:

Online Banking

If you do not log in by July 10, your account will be deactivated, and you will have to pay fees to reactivate it. Cyber scammers use the technique of leaving little time for renewal to avoid deactivation of services, to pressure users who, driven by fear of account lockout, act immediately and without much thought.

Analyzing the e-mail more closely, we notice right away that the message comes from an address <53382686(at)itcelaya(dot)edu(dot)mx> clearly not from the official domain of SPARKASSE. Let us always be very careful before clicking on suspicious links.

Anyone who unluckily clicks on the Online Banking link, will be redirected to a malicious WEB page, which is unrelated to the official website of SPARKASSE, but which has already been reported as a DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals who want to get hold of your most valuable data, in order to use them for illegal purposes. 


A little bit of attention and glance can save a lot of hassles and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
 
We invite you to check the following information on phishing techniques for more details:

03/06/2024 17:22 - Phishing: the most common credential and/or data theft attempts in June 2024...
03/05/2024 11:56 - Phishing: the most common credential and/or data theft attempts in May 2024...
03/04/2024 10:23 - Phishing: the most common credential and/or data theft attempts in April 2024...
04/03/2024 10:42 - Phishing: the most common credential and/or data theft attempts in March 2024...
06/02/2024 08:55 - Phishing: the most common credential and/or data theft attempts in February 2024...
02/01/2024 16:04 - Phishing: the most common credential and/or data theft attempts in January 2024...
11/12/2023 09:39 - Phishing: the most common credential and/or data theft attempts in December 2023...
03/11/2023 08:58 - Phishing: the most common credential and/or data theft attempts in November 2023...
03/10/2023 16:35 - Phishing: the most common credential and/or data theft attempts in October 2023...
05/09/2023 10:35 - Phishing: the most common credential and/or data theft attempts in September 2023...
01/08/2023 17:33 - Phishing: the most common credential and/or data theft attempts in August 2023...
03/07/2023 10:23 - Phishing: the most common credential and/or data theft attempts in July 2023...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.;
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).

[Image: VirIT Mobile Security, TG Soft's Antimalware for Android(TM)]

TG Soft makes VirIT Mobile Security available for free on the Google Play Store (https://play.google.com/store/apps/details?id=it.tgsoft.virit), from which you can download the Lite version, which can be freely used in both private and corporate settings.

You can upgrade to the PRO version by purchasing it directly from our website.



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.



How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail to the following address, lite@virit.com, choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


TG Soft's C.R.A.M. (Anti-Malware Research Center)

Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both paper and electronic, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment/thanks will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: