Many GitHub users are receiving alarming emails claiming a security vulnerability in their repositories. The emails, supposedly from the “GitHub Security Team,” direct users to a suspicious link that leads to malware distribution. The domain in question was registered recently and is linked to a malware called Lumma Stealer, which is designed to steal sensitive user information.…
Author: Italy-Cert-agid
Phishing Campaign Targeting Italian Banking Users via SPID
Read More
1. Short Summary:
A sophisticated phishing campaign has been reported to CERT-AGID, exploiting the SPID service to steal login credentials from users of various Italian banks. The fraudulent webpage mimics the AGID branding and prompts users to update their credentials to maintain access to online services requiring SPID authentication.…
Short Summary
Read More
On September 17, 2024, CERT-AGID issued a warning about a malspam campaign using PEC mailboxes, initially linked to the Italian domain Excite, which did not support any malicious payload. The campaign has since evolved, now utilizing an active domain that releases a JavaScript file leading to the installation of the Vidar malware.…
Short Summary
Read More
This weekend, a malicious campaign was identified and countered, utilizing compromised PEC accounts to target other users of the Certified Email service. The message, posing as a creditor, demands payment of 1305 euros and threatens legal action if not paid within five days. It includes a link to download an invoice, which may be a phishing attempt or malware.…
Short Summary
Read More
A third malicious campaign has been detected within a month, aimed at spreading the Vidar malware through compromised PEC emails sent to other PEC addresses. This wave of attacks features fraudulent communications urging payment of an alleged overdue invoice, threatening legal consequences for non-compliance.…
Short Summary
Read More
A new smishing campaign targeting INPS is underway, aiming to steal victims’ credit card information and personal data such as name, surname, and tax code. The tactics, techniques, and procedures (TTPs) are well-orchestrated, notably utilizing a Telegram bot for Command and Control, a practice more commonly seen in malware operations.…
Short Summary
Read More
A new wave of malspam targeting the Vidar malware has emerged, utilizing PEC emails to spread a malicious JavaScript file. The emails are designed to confirm the request comes from a Windows client before allowing the download. A Python script has been created to decode the JavaScript, which leads to the final payload.…
Short Summary
Read More
The CERT-AGID has issued an alert regarding a large-scale malspam campaign aimed at distributing the Quasar RAT malware. This campaign, which utilizes official logos from the Ministry of the Interior to deceive victims, was first identified on August 16, 2024. The malware targets users of specific Italian banks.…
Short Summary
Read More
This week, the StrRat malware has once again affected Italy. CERT-AGID has studied the new sample to provide a quick decoding tool for analysts. StrRat is a Remote Access Trojan (RAT) written in Java, primarily designed for information theft, featuring backdoor capabilities and a plugin architecture for complete remote access.…
This week, CERT-AGID found and analysed, in the Italian scenario of its reference, a total of 27 malicious campaigns , of which 21 with Italian objectives and 6 generic ones which nevertheless affected Italy, making available to its accredited bodies the related 305 indicators of compromise (IOC) identified.
Below we report the details of the typologies illustrated in the graphs, resulting from the data extracted from the CERT-AGID platforms and which can be consulted via the Statistics page .…
10/04/2024
Today a phishing campaign aimed at misappropriating credentials for access to Certified Email (PEC) mailboxes has emerged. This fraudulent operation is carried out through the sending of a deceptive email, intended for PEC mailbox users. The message warns of a supposed account deactivation request, to be completed within 24 hours, and suggests clicking on a link provided in the body of the message if it is considered an error.…
09/04/2024
Phishing home pageA sophisticated malicious campaign is currently underway, aimed at compromising Android devices in Italy through the SpyNote malware. This is disguised as the “INPS Mobile” application, available for download on a specifically created domain yesterday, with the aim of deceiving victims.
The phishing page, reported by D3lab to CERT-AGID, is carefully designed with logos and content that reproduce the official ones of the Institute.…
08/04/2024
As already highlighted and extensively documented in each of our weekly reports, since the beginning of the year there has been a significant increase in AgentTesla campaigns targeting Italy.
Just last week, CERT-AGID detected a particularly intense activity characterized by the use of PDF attachments.…
Email to spread AgentTesla
Read More
Recently, AgentTesla operators have strengthened their malspam campaigns in Italy, confirming the trend observed in recent months towards a greater use of PDF attachments. These documents contain links that, once used, initiate the download of files with malicious JavaScript code.
The email in question urgently urges the recipient to view the attached document in the communication.…
26/03/2024
Phishing EmailThe CERT-AgID has been informed of an active campaign targeting Public Administrations, aimed at stealing access credentials to MS Outlook email accounts.
The attackers, disguising themselves as HR departments or company accounting, are sending fraudulent emails promising salary adjustments or access to electronic pay slips, in an attempt to steal login credentials and other sensitive information.…
25/03/2024
Phishing pageThe CERT-AGID has detected the existence of a phishing page targeting users of Siatel v2.0 – PuntoFisco of the Revenue Agency, active online since the early afternoon of March 21, 2024.
Although it presents similarities with the campaign identified last year by the Revenue Agency, at the moment we do not have the email that prompts users to authenticate on the phishing page.…