CERT-AGID identified new fraudulent campaigns abusing the name of SEND – Servizio Notifiche Digitali, with fake email and SMS alerts that impersonate PagoPA notifications to trick users into paying bogus traffic fines. The goal is to push victims to enter credit card details on malicious payment pages while CERT-AGID and PagoPA work to disable the domains and collect the related indicators of compromise. #SEND #PagoPA #CERT-AGID
Keypoints
- CERT-AGID found multiple new campaigns that fraudulently use the SEND – Servizio Notifiche Digitali brand.
- The messages are distributed via email and SMS and mimic common PagoPA notification phishing lures.
- Victims are prompted to pay alleged unpaid traffic fines through fake payment requests.
- The fraudulent pages use formal language, fake case numbers, amounts, and imminent deadlines to appear credible.
- The end goal is to capture users’ credit card information on a malicious website posing as a secure payment platform.
- CERT-AGID is coordinating with PagoPA security to rapidly take down malicious domains and catalog associated IoCs.
- Users are advised to verify URLs carefully, avoid sharing banking data through messages, and report suspicious content to [email protected] and [email protected].
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – The campaign uses fake SEND/PagoPA alerts delivered through email and SMS to lure victims into the fraudulent flow (‘messages, spread via email or SMS… pose as notifications from the pagoPA platform’).
- [T1598] Phishing for Information – The fake payment pages are designed to steal sensitive financial data, especially credit card details (‘induce the victim to enter their credit card details’).
- [T1583.001] Acquire Infrastructure: Domains – Attackers rely on malicious domains hosting the fake payment site, which CERT-AGID works to disable (‘deactivation of the malicious domains’).
- [T1204.001] User Execution: Malicious Link – The attack depends on users clicking the message and following the redirect to the fraudulent site (‘always carefully check the URL of the site you are redirected to’).
Indicators of Compromise
- [Email addresses] Reporting contacts for suspicious messages – [email protected], [email protected]
- [Domains] Malicious payment/phishing sites and related catalogued domains – malicious domains impersonating SEND/PagoPA, domains catalogued in the month of April
- [URLs] Redirect targets used in the phishing flow – fake SEND payment page URL, malicious website URL
- [File names] IoC package shared by CERT-AGID – Download IoC
Read more: https://cert-agid.gov.it/news/nuove-campagne-di-phishing-a-tema-send/