PHISHING INDEX
Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in February 2025:
26/02/2025 => Account Posta elettronica (Email Account)
24-25/02/2025 => Phishing sondaggio clienti (Customer survey)
24/02/2025 => Aruba - Rinnova il dominio (Renew the domain)
22/02/2025 => iCloud
22/02/2025 => Allianz
20/02/2025 => Leroy Merlin
17/02/2025 => LIDL
14/02/2025 => Account di Posta elettronica (Email Account)
12/02/2025 => SCAM Polizia Postale (Postal Police)
09/02/2025 => SexTortion
06/02/2025 => Aruba
04/02/2025 => BRT
02/02/2025 => Aruba
02/02/2025 => Telepass
These emails are intended to trick some unfortunate person into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the possible, easily imaginable, consequences.
February 26, 2025 ==> Phishing Account posta elettronica (Phishing E-mail account)
SUBJECT: <Urgent: Your Account Has Been Locked>
We analyze below the phishing attempt that aims to steal the victim's e-mail account credentials.
The message, in English, warns the recipient that his/her e-mail account is locked for login attempts exceeding the allowed limit. It then informs him/her that in order to restore access, he/she must click on the following link:
UNLOCK MAILBOX NOW
When we analyze the message, we see that it comes from an email address <noreply[at]*****[dot]it> unrelated to the server hosting the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which simulates the mailbox login page.
On this page the user is prompted to log in entering his/her data and especially his/her mailbox password to unlock his/her account.
The page where the user is redirected to enter his/her e-mail account credentials is hosted on an abnormal address/domain:
https[:]//[NomeDominioFake*].com/.....
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
February 24-25, 2025 ==> Phishing sondaggio clienti (Phishing customer survey)
Phishing-themed customer survey campaigns, that exploit the brand of well-known companies, continue. In the two cases below, they involve insurance or large retail companies.
The first message exploits the CONAD brand and proposes participation in a customer survey as part of an alleged loyalty campaign aimed at consumers, to win a 36-piece Tupperware Modular Set.
In the second example, a message with the logo of GENERALI ASSICURAZIONI (GENERALI INSURANCE), informs the user that he or she has been selected to participate in a survey about his or her experience with Touring Club Belgium and win a Car Emergency Kit.
Clearly, the brands exploited in these campaigns are unrelated to the mass sending of these malicious e-mails, which are outright scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
When we examine the messages we see that the email address is not traceable to the official domain of either CONAD <supportt[at]fads[dot]softuff[dot]org> or GENERALI ASSICURAZIONI (GENERALI INSURANCE) <support[at]haj[dot]cmxperts[dot]com>. This is definitely anomalous and should certainly raise our suspicions.
The link in the emails redirects the user to a landing page that is graphically deceptive (with misleading images and the brand's authentic logo), but with an anomalous address/domain that cannot be trusted nor traced back to the exploited brand.
The cyber-criminals masterminding the scam, through various ploys - such as reporting false testimonials from customers who have won the concerned prize - try to induce the user to quickly complete the survey by making him/her believe that there are only a few lucky people and that the offer expires in the day.
Surely if so many users were lucky why not try your luck?
When the survey is over, the user is redirected to a page to enter the shipping address and pay the charges.
The cybercriminals' purpose is to induce the victim to enter his/her personal information to ship the prize and then likely also the credit card information to pay the shipping costs.
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are stolen by cyber crooks who can use them at will.
February 24, 2025 ==> Phishing Aruba - Rinnova il dominio! (Renew the domain!)
SUBJECT: <Cancellazione del nostro nome di dominio (*****).> (Cancellation of our domain name *****)
Phishing attempts pretending to be communications from the Aruba brand continue this month.
The message informs the recipient that his/her domain hosted on Aruba is expiring on 26/02/2025. In order to renew, the user is asked to click on one of the links offered.
RINNOVA CON UN CLIC (RENEW WITH A CLICK)
ATTIVA RINNOVO AUTOMATICO (ACTIVATE AUTOMATIC RENEWAL)
and follow the instructions.
Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
When we analyze the text of the message, we see right away that the sender's e-mail address <staff-online[dot]cenrefi_f0z15lg9r0q[at]staff-online[dot]cenrefin[dot]cz> is not from the official domain of Aruba.
Anyone who unluckily clicks on either link will be redirected to the displayed web page.
On this page the user is invited to access his/her client area entering login and password to renew the domain and thus avoid the block of related services.
Although the site may be misleading in that the familiar Aruba logo has been included, we see that the URL address is anomalous and not traceable to the company's official domain:
https[:]//[NomeDominioFake*].com.br...
If you proceed to enter your data into counterfeit websites, it will be delivered to the cyber criminals who created the scam, who will use it for criminal purposes. We therefore urge you not to be in a hurry and to remember that, in case of these cyber fraud attempts, it is crucial to pay attention to every detail, even trivial ones.
February 22, 2025 ==> Phishing iCloud
SUBJECT: <"Prorogato di un giorno! Ottieni 50 GB di premio extra…"> (Extended by one day! Get 50 GB of extra premium)
We analyze below the phishing attempt that aims to steal the credentials of the victim's iCloud account.
The message warns the recipient that his/her archiving space is full, so photos and videos are no longer being updated. It then informs him or her that, as part of the loyalty program, the user may be entitled to 50GB of extra space. To find out if the user is one of the lucky customers, he/she just needs to click on the following link:
Controlla se sei idoneo! (Check if you are eligible!)
When we analyze the email we see that the message comes from an email address <stechnqiue[at]fop[dot]123movies4net[dot]co> clearly not traceable to the iCloud server. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which simulates the mailbox login page.
On this page, the user is invited to log into his/her account to update the storage space and find out if he/she can receive the 50 GB, at only €2.00 per year (whereas before it seemed free). Usually promotions that require payment of a modest amount are aimed at getting hold of the victim's credit card information.
The page where the user is redirected to enter his/her credentials is hosted on an abnormal address/domain:
https[:]//[NomeDominioFake*].com/.....
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
February 22, 2025 ==> Phishing Allianz
SUBJECT: <R ic hie di il tu o kit di e m erg enza per a uto gratis!> (R eque st you r fre e ca r emergenc y kit!)
We analyze below the phishing attempt hidden behind a false communication from the well-known insurance services company Allianz.
The lucky user has been selected to participate in a free loyalty program, which will allow him or her to win a prize through a consumer preference survey: a new Emergency Car Kit ...or so it seems.
Certainly behind this phishing there is a real decoy for many inexperienced users.
Clearly Allianz is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient. So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.
When we analyze the email, we see that the message comes from an email address <veronica_evenson_t2058[at]anna[dot]co[dot]za> not traceable to the server hosting the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link, Partecipa al sondaggio ora! (Take the Survey Now!), will be redirected to an anomalous WEB page, which is unrelated to the insurance company.
That page is hosted on an anomalous address/domain:
https[:]//[NomeDominioFake*].com/.....
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
February 20, 2025 ==> Phishing Leroy Merlin
SUBJECT: <"Aiutaci a migliorare Leroy Merlin e vinci un set di attrezzi Dexter!"> (Help us improve Leroy Merlin and win a set of Dexter tools)
Below we analyze the following scam attempts hidden behind a false communication from Leroy Merlin, the well-known large distribution company.

This is a promotional message that seems to propose an unmissable opportunity. The lucky user has been selected to participate in a free loyalty program, which will allow him or her to win a prize through a consumer preference survey: a Dexter Tool Set ...or so it seems.
Certainly behind this phishing there is a real decoy for many inexperienced users.
Clearly Leroy Merlin is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient. So keep an eye out. All it takes to avoid unpleasant incidents is a little attention and a quick glance.
When we analyze the email, we see that the message comes from an email address <support4916dc[at]delorenzis[dot]it> not traceable to the official domain of Leroy Merlin. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
We are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of Leroy Merlin), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:
[NomeDominioFake*]...
which has no connection with Leroy Merlin.
* FakeDomainName is a domain that simulates a known brand domain or is a randomly named domain.
The cyber criminals masterminding the scam try to induce the user to quickly finish the survey by making him/her believe that only a few people can win and that the offer expires within the day. There is also a countdown timer at the bottom of the screen which, if stopped - as we simulated - starts over immediately. This is a rather strange thing.
When we click on RISPONDI AL SONDAGGIO (ANSWER TO THE SURVEY), we are sent to the next screens, where we are asked to answer 8 questions.
Here is specifically question 1/8. These are very general questions focused on the degree of satisfaction with the services offered by Leroy Merlin and on the daily habits of consumers. Here, too, there is a countdown to prompt the user to quickly finish the process for the award.
When the survey is over we can finally claim our prize: a Dexter tool set of 108 pieces that would be worth 104,99 Euros but costs us 0. We only have to pay shipping costs, which are supposed to be small.
But let's hurry. There seem to be only 3 left in stock.
Here we go: in fact, all you need to do is to enter your shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered.
To give more credibility, many comments from customers who supposedly participated in the survey, have been reported. These are all confirming testimonials/feedback about the actual delivery of the winnings, ensuring that it is not really a scam.....
Surely if so many users were lucky why not try your luck?!
Then, when we click on Continua (Continue), we are redirected to a further page to enter our shipping address and pay shipping costs.
As we can see from the image on the side, the cybercriminals try to trick the victim into entering sensitive data to ship the prize. Most likely, credit card information will also be requested later for the payment of shipping costs.
The page where we are redirected, to enter our personal data, is hosted on a new abnormal address/domain, which we report below:
[NomeDominioFake*]
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are delivered to cyber crooks who can use them at will.
February 17, 2025 ==> Phishing LIDL
SUBJECT: <Get Ready for a Shopping Spree – Win a Lidl Gift Card!>
Below we analyze the scam attempt behind a false communication, exploiting the well-known company LIDL.
It is a promotional message, in English, that seems to propose an unmissable opportunity. The lucky user has been selected for a special gift and, by signing up right away, can win a LIDL gift card worth $100...or at least that's what it seems.
Certainly behind this phishing there is a real decoy for many inexperienced users.
Clearly LIDL is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.
When we analyze the email, we notice that the message comes from an email address <YOU[at]onecode[dot]com[dot]br> not traceable to the official domain of LIDL. This is definitely anomalous and should, at the very least, make us suspicious. However, if we go ahead and click on the link provided, here is what happens:
We are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of LIDL), does not seem trustworthy at all.
In fact, the data entry form is hosted on the following anomalous address/domain that has no connection with LIDL:
https[:]//[NomeDominioFake*]...
When we analyze the landing page, we see an additional promotional message at the top of the page with the following:
"You can enter the Skill Game for a Lidl Gift Card 200 for free by clicking here, or you can purchase beresumebox.com without entering the Skill Game, by clicking here. If you participate via this campaign, you will enter the Skill Game and purchase a 4-day trial at a price of (€3.00) for beresumebox.com, after the trial you will be charged a subscription fee of (€54.00) every 14 days. To enter or to win the Skill Game you do not need to purchase beresumebox.com, a purchase will not increase your chance of winning the Skill Game. This campaign expires on 06/30/2025."
When we click on the link (You can enter the Skill Game for a Lidl Gift Card 200 for free by clicking here) we are redirected to the following page, where we are asked to provide our personal information for registration.
The second link provided "or you can purchase beresumebox.com without entering the Skill Game by clicking here. If you participate via this campaign, you will enter the Skill Game and purchase a 4-day trial at a price of (€3.00) for beresumebox.com, after the trial you will be charged a subscription fee of (€54.00) every 14 days." instead redirects to the following page.
The pages hosting the data entry form however are hosted on an anomalous address/domain. The cybercriminals' purpose is to induce the victim to enter his/her sensitive data in order to win the LIDL gift card. Therefore, we expect that the victim will be asked to enter also his or her credit card information.
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.
February 14, 2025 ==> Phishing Account posta elettronica (Phishing Email Account)
SUBJECT: <Password e-mail scaduta - xxxxxx> (Expired e-mail password - xxxxxx)
We analyze below the phishing attempt that aims to steal the credentials of the victim's e-mail account.
The message informs the recipient that the password associated with his/her e-mail account expires today. It then warns him that if no action is taken, "send and receive" services will be limited. It then invites him/her to proceed through the following link:
MANTIENI LA PASSWORD ATTUALE (KEEP YOUR CURRENT PASSWORD)
When we analyze the email we see that the message comes from an email address <support[at]ulka[dot]tv> not traceable to the server that hosts the mailbox. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link will be redirected to an anomalous WEB page, which is supposed to simulate the mailbox login page.
On this page the user is prompted to log in to his/her account entering his/her mailbox password and then proceed to renew his/her account.
Actually the page where we are redirected to enter our e-mail account credentials is hosted on an anomalous address/domain:
https[:]//[NomeDominioFake*].com/.....
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks with all the associated, easily imaginable, risks.
February 12, 2025 ==> SCAM POLIZIA POSTALE (POSTAL POLICE SCAM)
SUBJECT: <Verifica necessaria per contenuti visualizzati> (Verification required for displayed content)
Below is an attempt at SCAM, consisting of a fake summons for child pornography sent via email, ostensibly by the Postal Police and signed by some "Dr. Lamberto Giannini, Chief of Police and Director General of Public Security".
The message, spread through a highly suspicious email <45717(at)aisa(dot)sch(dot)ae>, contains only a .jpg file named <Convocazione N°20245029.pdf> (Convocation N°20245029.pdf). The attachment, which we see below, is laid out in a graphically deceptive way, and appears to be signed by Dr. Lamberto Giannini himself. The false complaint was issued because the victim supposedly visited a child pornography site.

This is an attempted scam by cyber criminals, whose goal is to extort a sum of money, in this case in the form of a fine. In fact, the message states the following:
"We ask you to explain your recent activities on the Internet and cooperate fully. We ask you to send an explanation by e-mail to:
carabinieri@btconnect.com."
The message threatens that, if the victim fails to respond within 72 hours, a complaint and warrant will be filed and the video will be released to the media. We can easily see that this is a false complaint: first of all, the complaint is not personal; moreover, the document contains a very suspicious stamp and discrepancies in the reported contact emails.
Clearly this is a scam attempt, with the purpose to steal sensitive user data and extort sums of money.
February 9, 2025 ==> SexTortion
We find again the SexTortion-themed SCAM campaign. The sender of this scam email claims to have access to the user's device. The purpose of the message is to blackmail the recipient, demanding the payment of a sum of money, in Bitcoin, in order not to divulge, among his/her email and social contacts, a private video of him/her viewing adult sites.
The following is an extract from the text of the email:

"Hello, I want to inform you of a very unpleasant situation for you. However, you may benefit from it if you act wisely. Have you ever heard of Hermit? It is a spyware program that gets installed on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messages, emails, call logs, etc. It works well on Android, iOS and Windows. I think you've guessed where I'm going with this already. It has been a few months since I installed it on all your devices because you were not very careful about the links you clicked on on the Internet. During this time, I learned about every aspect of your private life, but one in particular caught my interest. I recorded many videos of you masturbating while watching highly controversial porn videos. Since the "questionable" genre is always the same, I can conclude that you have a sick perversion. I doubt that you would want friends, family and colleagues to know about it. However, I can do this with just a few clicks. Every number in your address book will suddenly receive these videos -- on WhatsApp, Telegram, Skype, email -- anywhere... Don't think you are an innocent victim ... I am a kind of God who sees everything. However, do not panic. As we know, God is merciful and forgiving, and so do I. But my mercy is not free..."
Next the victim is asked to send 916 USD in Bitcoin to the wallet listed below: "bc1XXXXXXXXXXXXXXXXXXXXXX85p". After receiving the transaction, all data will be deleted; otherwise a video depicting the user will be sent to all colleagues, friends and relatives. The victim has 48 hours to make the payment!
As of 11/02/2025, there are no transactions on the reported wallet.
In such cases we always urge you:
- not to respond to these kinds of emails and not to open attachments or click unsafe links, and certainly NOT to send any money. You can safely ignore or delete them.
- if the criminal reports an actual user’s password – usually it is a password obtained from public Leaks (compromised data theft) of official sites occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is recommended to change it and enable two-factor authentication on that service.
February 4, 2025 ==> Phishing BRT
SUBJECT: <La tua spedizione : BRT8263569978> (Your shipping : BRT8263569978)
Below is a new phishing attempt, hiding behind a false communication from BRT, concerning the delivery of a package.
The message notifies the unsuspecting recipient that his/her shipment is pending awaiting delivery instructions. It then informs him/her that in order to receive his/her package, he/she must confirm the payment of the delivery charge of 2.99€. These messages are increasingly being used to scam consumers who more and more use e-commerce for their purchases.
The following link is given to complete the shipment:
Confermare (Confirm)
The alert email comes from an email address <no-reply(at)gmobb(dot)jp> unrelated to the domain of BRT. This is definitely abnormal and should, at the very least, make us suspicious.
Anyone who clicks on the link will be redirected to an anomalous WEB page.
The landing page, although graphically misleading, is unrelated to the official domain of BRT.
On this page, the user is prompted to reschedule the delivery of his alleged package via the following button:
Riconsegna il mio pacco (Deliver my package again)
If we continue we are sent to a further page where we are asked to enter our credit card information to pay Euro 2.99 for the package shipping. Although the site could be misleading, since it includes the well-known logo of BRT and some company tax data at the bottom of the page, the URL address is anomalous and not traceable to the courier's official domain.
If we enter our data into counterfeit websites, it will be delivered to the cyber criminals masterminding the scam who will use it for malicious purposes. We therefore urge you not to rush and to remember that, in the case of these attempted cyber frauds, you must pay attention to every detail, even trivial ones.
February 02 - 06, 2025 ==> Phishing Aruba - Dominio scaduto (Expired domain)
Phishing attempts, pretending to be communications from the Aruba brand, continue this month.
EXAMPLE 1
< [ARUBA] il tuo nome di dominio è stato scade >
([ARUBA] your domain name has been expires)
EXAMPLE 2
«Avviso di scadenza» (Expiration notice)
In the examples above, the recipient is notified that his domain hosted on Aruba linked to his e-mail account is already expired or is about to expire. He is then informed that if he/she fails to renew, the domain and all services associated with it, including e-mail accounts, will be deactivated so he/she will no longer be able to receive and send messages.
The user is invited to log in to renew services, via the following links:
Effettua il pagamento con carta di credito (Pay by credit card) or Rinnova adesso (Renew now)
Clearly, the well-known web hosting, e-mail and domain registration services company Aruba, is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
When we analyze the messages in the two examples, we notice right away that the email addresses of the senders in both cases, <contact[at]pepiniere[-]airial[dot]com> and <Communications(at)dzdrowia(dot)linuxpl(dot)info>, are unrelated to the official Aruba domain. This is definitely anomalous and should, at the very least, make us suspicious even if the cyber criminal had the foresight to include the well-known Aruba logo to make the messages more trustworthy.
Anyone who unluckily clicks on the provided links RINNOVA IL DOMINIO (RENEW THE DOMAIN) or Rinnova adesso (Renew now) will be redirected to an abnormal WEB page, as shown by the images below.
This page is unrelated to the official website of Aruba, but it has already been reported as a deceptive page/website. In fact it is run by cyber-criminals who want to steal your most valuable data in order to use it for malicious purposes.
On this page the user is prompted to enter username and password in his/her client area to renew his/her domain.
Although the site may be misleading due to the presence of the well-known Aruba logo, the url address is anomalous and not traceable to the company's official domain.
In fact, by entering data into counterfeit websites, it will be delivered to the cyber-criminals behind the scam who will use it for malicious purposes. We therefore urge you not to rush and pay attention to every detail, even trivial ones.
February 2, 2025 ==> Phishing TELEPASS
SUBJECT: <Hai vinto un kit di emergenza per auto> (You are the winner of a car emergency kit)
Below we analyze the attempted scam hidden behind false communications by the well-known Italian company TELEPASS, working in the urban and suburban mobility services industry.
It is a graphically and textually well-crafted message that aims to make the user believe that he or she is facing a real opportunity not to be missed. The lucky user has been selected as the winner of a fantastic prize, or at least that's what it looks like: a new "emergency car kit," which can be claimed by participating in a short survey.
Certainly this phishing is a real decoy for many inexperienced users.
Clearly the well-known company TELEPASS is uninvolved in the mass mailing of these malicious campaigns, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
So keep an eye out. All it takes to avoid unpleasant incidents, is a little attention and a quick glance.
We immediately see that the message comes from email address <mary[_]peck_i39092[at]cntrstpa[dot]olivegrey[dot]eu> clearly not traceable to the official domain of TELEPASS. This is definitely anomalous and should at the very least make us suspicious. However, if we go ahead and click on the link in the emails, here is what happens:
We are redirected to a landing page that, although graphically well designed (with misleading images and the authentic logo of TELEPASS), does not seem trustworthy at all.
In fact, the survey to obtain the prize is hosted on the following anomalous address/domain:
https[:]//[NomeDominioFake*]....
which has no connection with TELEPASS.
The cyber criminals masterminding the scam try to induce the user to quickly finish the survey by making him/her believe that only a few people can win and that the offer expires within the day. There is also a countdown timer at the bottom of the screen which, if stopped - as we simulated - starts over immediately. This is a rather strange thing.
When we click on INIZIA IL SONDAGGIO (START THE SURVEY), we are taken to the next screens, where we are asked to answer 8 questions.
Here is specifically question 1/8. These are very general questions focused on the degree of satisfaction with the services offered by TELEPASS and about the company's marketing/promotional choices. Here, too, there is a countdown to prompt the user to quickly finish the process for the award.
When the survey is over we can finally claim our prize: a Car emergency kit that would be worth 99,95 Euros but costs us 0 Euros. We only have to pay e Euros of shipping costs.
But let's hurry. There seem to be only 2 left in stock...
Here we go: in fact, all you need to do is to enter your shipping address and pay the shipping cost, and in 5-7 business days the prize will be delivered....
To give more credibility, many comments from customers who supposedly participated in the survey, have been reported. These are all confirming testimonials/feedback about the actual delivery of the winnings, ensuring that it is not really a scam.....
Surely if so many users were lucky why not try your luck?!
Then, when we click on Continua (Continue), we are sent to a further page to enter our shipping address and pay shipping costs.
As we can see from the image on the side, the cybercriminals try to trick the victim into entering sensitive data to ship the prize. Most likely, credit card information will also be requested later for the payment of shipping costs.
The page where we are redirected, to enter our personal data, is hosted on a new abnormal address/domain, which we report below:
https[:]//[NomeDominioFake*][.]com
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data are placed in the hands of cyber crooks who can use them at will.
A little bit of attention and glance can save a lot of hassles and headaches...
We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated techniques, when a campaign resurges it is reasonably likely that more than a few unfortunate recipients will be fooled.
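The check applied in each case above, comparing the sender's domain with the brand's official domain, written out as an added Python example (it is not TG Soft's code). The official-domain table and the samples marked as constructed are assumptions; the reported senders are copied from the text in its defanged notation.

```python
import re

# Assumption: official sending domains per brand. The report never lists
# them; replace with the domains your organisation has verified.
OFFICIAL_DOMAINS = {
    "Aruba": {"aruba.it"},
    "LIDL": {"lidl.it", "lidl.com"},
    "BRT": {"brt.it"},
    "Telepass": {"telepass.com"},
    "Leroy Merlin": {"leroymerlin.it"},
}

# Defang notations seen in the report: [at]/(at), [dot]/(dot), and single
# punctuation characters wrapped in brackets such as [-], [_], [.] and [:].
_DEFANG_RULES = [
    (re.compile(r"\s*[\[(]at[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]dot[\])]\s*", re.I), "."),
    (re.compile(r"\[([-_.:])\]"), r"\1"),
]

# Syntactically valid DNS hostname with at least two labels.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(text):
    """Turn a defanged address such as <a[at]b[dot]c> back into a@b.c."""
    text = text.strip().strip("<>").strip()
    for pattern, replacement in _DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def sender_domain(address):
    """Return the lower-cased domain of an address, or None when it is not a
    usable hostname (for example when the report redacted it with *****)."""
    local, sep, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not _HOSTNAME.match(domain):
        return None
    return domain


def check_sender(brand, defanged_sender):
    """Compare the sender's domain with the brand's official domains.

    A match needs the exact domain or a true subdomain of it (label
    boundary), so look-alikes that merely contain the brand domain fail."""
    domain = sender_domain(refang(defanged_sender))
    if domain is None:
        return ("unparseable", None)
    official = OFFICIAL_DOMAINS[brand]
    if any(domain == d or domain.endswith("." + d) for d in official):
        return ("official", domain)
    return ("mismatch", domain)


# Sender addresses quoted in the report, in the report's own defanged form.
REPORTED = [
    ("Aruba", "<contact[at]pepiniere[-]airial[dot]com>"),
    ("Aruba", "<Communications(at)dzdrowia(dot)linuxpl(dot)info>"),
    ("LIDL", "<YOU[at]onecode[dot]com[dot]br>"),
    ("BRT", "<no-reply(at)gmobb(dot)jp>"),
    ("Telepass", "<mary[_]peck_i39092[at]cntrstpa[dot]olivegrey[dot]eu>"),
    ("Leroy Merlin", "<support4916dc[at]delorenzis[dot]it>"),
]

# Constructed samples (not from the report) for the boundary cases.
CONSTRUCTED = [
    ("Aruba", "comunicazioni[at]staff[dot]aruba[dot]it"),  # subdomain of official
    ("Aruba", "billing[at]aruba[dot]it[dot]example"),      # brand domain as prefix
    ("Aruba", "renew[at]example-aruba[dot]it"),            # suffix without a dot
    ("Aruba", "noreply[at]*****[dot]it"),                  # redacted domain
]


def triage(samples):
    """Return (brand, verdict, domain) for every (brand, sender) sample."""
    return [(brand, *check_sender(brand, sender)) for brand, sender in samples]


if __name__ == "__main__":
    for brand, verdict, domain in triage(REPORTED + CONSTRUCTED):
        print(f"{brand:13} {verdict:12} {domain}")
```

A mismatch only shows that the visible sender domain is not the brand's; a matching domain still needs SPF, DKIM and DMARC results before it can be trusted, since the From header can be forged.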
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to phishing activities to our Research Center, which has allowed us to make this information as complete as possible.
How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- any suspect email can be forwarded directly from the recipient's e-mail account to the following address: lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject line "Possible phishing page to verify" rather than "Possible Malware to verify";
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page:
How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft's C.R.A.M. (Anti-Malware Research Center)