Smishing Campaign Targeting INPS: Fake Fuel Bonus

CERT-AGID identified new smishing campaigns abusing the INPS name to lure victims into a mobile-first fraud flow that ultimately steals credit card data for likely unauthorized charges. The activity intensified over four days with 14 campaigns across distinct domains, and technical analysis showed links to the Darcula Phishing-as-a-Service ecosystem.

Keypoints

  • CERT-AGID detected new smishing campaigns impersonating INPS and referencing fake fuel subsidies.
  • The SMS lures victims to click an external link that leads to a smartphone-only fraudulent site.
  • The malicious flow mimics the INPS mobile layout and uses urgency with a fake 300 euro subsidy deadline of 16/05/2026.
  • The first stage collects personal data such as full name, address, city, ZIP code, and phone number.
  • The final stage is focused on payment card theft, requesting cardholder name, card number, expiry date, and CVV.
  • Over four days, CERT-AGID observed 14 campaigns using distinct domains.
  • Technical artifacts suggest a connection to the Darcula Phishing-as-a-Service platform, with obfuscated JavaScript and encrypted payload handling.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Victims are induced to click a link in an SMS that leads to the fraudulent page [‘invita a seguire un collegamento esterno’ / ‘invites the recipient to follow an external link’]
  • [T1657] Credentials from Password Stores – The campaign collects sensitive personal and payment information through a multi-step form, including card details [‘richiede nome del titolare, numero di carta di pagamento, data di scadenza e CVV’ / ‘requests the cardholder name, payment card number, expiration date, and CVV’]
  • [T1027] Obfuscated Files or Information – The JavaScript files were obfuscated to hinder analysis [‘i file JavaScript osservati risultavano offuscati’ / ‘the observed JavaScript files were obfuscated’]
  • [T1027.001] Binary Padding / Packing – The payload was concealed and later deobfuscated before analysis [‘Una volta deoffuscati, sono emersi riferimenti riconducibili all’ecosistema Darcula’ / ‘once deobfuscated, references attributable to the Darcula ecosystem emerged’]
  • [T1041] Exfiltration Over C2 Channel – Stolen data was transmitted in POST requests, then encrypted and Base64-encoded before sending [‘il payload trasmesso nelle richieste POST è stato osservato in forma cifrata… e successivamente codificato in Base64 prima dell’invio’ / ‘the payload transmitted in POST requests was observed encrypted… and then Base64-encoded before sending’]
  • [T1132.001] Data Encoding: Standard Encoding – The stolen data was encoded in Base64 prior to transmission [‘successivamente codificato in Base64 prima dell’invio’ / ‘subsequently encoded in Base64 before sending’]
  • [T1552] Unsecured Credentials – The fraud aims to obtain cardholder and card data for misuse [‘focus sul furto dei dati delle carte di credito’ / ‘focus on stealing credit card data’]
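
Added example (not from CERT-AGID or the original page): a triage heuristic for the exfiltration pattern described above, where the POST payload is encrypted and then Base64-encoded. It labels POST bodies from web-proxy records by whether they are Base64 and whether the decoded bytes look like ciphertext. The record layout, the thresholds, the `.example` hosts and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import json
import math
from collections import Counter

MIN_DECODED_LEN = 64  # below this, entropy says little (assumed floor)
ENTROPY_RATIO = 0.85  # assumed cut-off; tune against your own traffic


def entropy_ratio(data: bytes) -> float:
    """Shannon entropy relative to the maximum reachable at this length."""
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))


def classify_body(body: str) -> str:
    """Label one POST body by whether it is Base64 and what it decodes to."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if len(raw) < MIN_DECODED_LEN:
        return "too-short"
    return "base64-opaque" if entropy_ratio(raw) >= ENTROPY_RATIO else "base64-readable"


def opaque_post_hosts(records: list[dict]) -> list[str]:
    """Hosts that received at least one opaque Base64 POST body, in first-seen order."""
    hosts = []
    for rec in records:
        if rec["method"] == "POST" and classify_body(rec["body"]) == "base64-opaque":
            if rec["host"] not in hosts:
                hosts.append(rec["host"])
    return hosts


# Constructed sample data: hosts, field values and the "ciphertext" are made up.
FORM = json.dumps({"name": "Mario Rossi", "address": "Via Roma 1", "city": "Roma", "zip": "00100", "phone": "3330000000"})
FAKE_CIPHERTEXT = hashlib.shake_256(b"constructed sample").digest(256)  # stand-in for encrypted bytes
RECORDS = [
    {"host": "portal.example", "method": "POST", "body": FORM},
    {"host": "api.example", "method": "POST", "body": base64.b64encode(FORM.encode()).decode()},
    {"host": "bonus-lookalike.example", "method": "POST", "body": base64.b64encode(FAKE_CIPHERTEXT).decode()},
]

if __name__ == "__main__":
    print(opaque_post_hosts(RECORDS))
```

An opaque Base64 body is a triage signal, not a verdict: legitimate applications also POST compressed or encrypted blobs, so combine it with context such as domain age or a mobile-only landing page.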

Indicators of Compromise

  • [Domains] Distinct malicious domains used across the 14 smishing campaigns – multiple unnamed domains, and 14 campaigns using separate domains
  • [URLs] Mobile phishing page reached after clicking the SMS link – external link to a smartphone-only INPS lookalike site, and other landing pages
  • [File names] Obfuscated JavaScript artifacts associated with the phishing kit – JavaScript files used in the fraudulent flow, and related deobfuscated scripts
  • [Data fields] Personal-data collection forms on the phishing site – full name, address, city, ZIP code, phone number
  • [Data fields] Payment-card collection form on the final page – cardholder name, card number, expiration date, CVV
  • [Organizations] Entities targeted or notified during response – INPS, CERT-AGID


Read more: https://cert-agid.gov.it/news/smishing-a-tema-inps-falso-bonus-carburante/