CERT-AGID identified multiple active phishing campaigns on different domains that impersonate the Italian Ministry of Health to steal citizens’ personal and payment data. The scams use a fake 2026 health card replacement notice and a staged payment funnel to collect identity and credit card details. #CERT-AGID #MinisteroDellaSalute #AgenziaDelleEntrate #PosteItaliane
Keypoints
- The campaigns impersonate the Italian Ministry of Health and target Italian citizens with fraudulent notices about mandatory health card replacement.
- The lure claims that cards issued before January 2023 must be replaced due to a new electronic health identification system.
- The phishing sites closely mimic official portals, using ministry logos, colors, FAQ sections, and fake protocol numbers to appear legitimate.
- Victims are guided through a multi-step data collection funnel requesting personal data such as name, tax code, ID document details, and phone number.
- The final stage asks for full credit card information, including card number, expiry date, and CVV, under claims of secure SSL-protected payment.
- The article states that legitimate health card renewal is automatic and free for eligible citizens, and never done through email or SMS links.
- CERT-AGID requested takedown of the malicious domains and shared the indicators of compromise with accredited entities.
MITRE Techniques
- [T1566.002 ] Spearphishing Link – Users are lured to fraudulent sites through deceptive messages and links tied to a fake health card notice [‘the procedures never happen through links sent via email or SMS’]
- [T1036 ] Masquerading – The sites imitate official Ministry of Health portals using logos, colors, FAQ sections, and fake protocol references [‘they faithfully imitate the graphic appearance of institutional portals’]
- [T1598.003 ] Phishing for Information: Spearphishing Link – The flow delivers no malware; its purpose is to harvest identity and payment details through the staged forms (name, tax code, ID document details, phone number, then full card data) [‘the user is guided through a multi-step funnel’, ‘requesting full credit card data’, ‘card number, expiry date, CVV’]
- [T1583.001 ] Acquire Infrastructure: Domains – The operators set up several distinct domains to host the lookalike pages, which is why CERT-AGID requested takedown of multiple domains at once [‘multiple active phishing campaigns on different domains’]
Indicators of Compromise
- [Domains] Multiple malicious domains hosting the phishing pages – several distinct domains and related infrastructure; the domains themselves are not reproduced in this summary and are provided in the IoC package CERT-AGID shared
- [Web URLs] Phishing landing pages and payment forms – the fake health card notice page, the identity data collection pages, and the card payment page that closes the funnel
- [File names] IoC package published by CERT-AGID – linked from the article as ‘Download IoC’, together with the indicators shared with accredited entities
Read more: https://cert-agid.gov.it/news/campagne-di-phishing-a-tema-sostituzione-tessera-sanitaria-in-corso/