Phishing Campaign: Credentials Forwarded to a Telegram Bot

A phishing campaign targeted Certified Email (PEC) users with messages claiming an account deactivation and directing victims to fake login pages hosted via Renderforest and Glitch. Harvested credentials are sent directly to the attackers through a Telegram bot. #Legalmail #Aruba #Renderforest #Glitch #TelegramBot #CERTAgID

Keypoints

  • Phishing emails claim PEC account deactivation and urge users to click a link within 24 hours.
  • Landing pages are created using Renderforest and then redirect users to pages hosted on Glitch.
  • Users are shown a login popup that requests credentials for Legalmail or Aruba PEC services.
  • Page source analysis shows a script that forwards submitted credentials to a Telegram bot controlled by the attackers.
  • CERT-AgID published IoCs and provided a downloadable JSON with indicators for defenders and public administrations.

MITRE Techniques

  • [T1566] Phishing – Attackers sent deceptive email messages that “warns of a supposed account deactivation request, to be completed within 24 hours, and suggests clicking on a link provided in the body of the message if it is considered an error.”
  • [T1102] Use of Web Service – Phishing pages were hosted on third-party website builders/services: the landing page was built with the “Renderforest Website Builder” service, and visitors were then “redirected to another page hosted on ‘Glitch’”.
  • [T1530 / T1078] Credential Harvesting / Valid Accounts – A login popup solicits user credentials for PEC services (Legalmail or Aruba), enabling attackers to obtain valid account credentials: “users are shown a popup that prompts them to enter their login credentials.”
  • [T1041] Exfiltration Over Command and Control Channel – Stolen credentials are transmitted to the threat operators via Telegram: “a script is programmed to send them directly to a Telegram bot”.
  • [T1204] User Execution / Social Engineering – The campaign relies on social engineering to trick recipients into interacting with the link and submitting credentials: the message “suggests clicking on a link” and presents urgency to act within 24 hours.

Indicators of Compromise

  • [Downloadable IoC JSON] CERT-AgID IoC feed – https://cert-agid.gov.it/wp-content/uploads/2024/04/phishing_pec_10-04-2024.json (downloadable list of URLs, domains, and other indicators)
  • [Source page] Original advisory – https://cert-agid.gov.it/news/campagna-di-phishing-pec-credenziali-inoltrate-ad-un-bot-telegram/ (detection and contextual details)
  • [Hosting services] Phishing landing hosts – use of Renderforest and Glitch as hosting platforms (examples mentioned in analysis; specific Glitch page URLs provided in IoC JSON), and other hosting artifacts in the IoC feed.

Attackers distributed phishing emails to PEC users claiming imminent account deactivation and providing a link that first lands on pages built via the Renderforest website builder and then redirects to pages hosted on Glitch. Those pages present service choices (Legalmail or Aruba) and ultimately display a popup login form that requests the user’s PEC credentials.

Analysis of the malicious page source shows an automated script that collects submitted credentials and forwards them to a Telegram bot controlled by the threat actors, turning Telegram into the exfiltration and C2 mechanism. CERT-AgID published the associated IoCs in a downloadable JSON (linked above) to support detection and blocking by administrators and security teams.

Defensive recommendations include blocking the listed URLs and domains from the IoC JSON, monitoring for authentication attempts from unfamiliar locations or devices to PEC services, and educating PEC users about phishing messages prompting urgent clicks or credential entry. Incident responders should consult the provided IoC feed for full indicators and correlate any suspected compromises with logs from authentication and email systems.
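As an added example (not code from the advisory or from CERT-AgID), the following script shows how a defender can consume an indicator feed of this kind and correlate it with proxy logs. The feed structure, the hostnames and the log format are constructed assumptions; the real phishing_pec_10-04-2024.json may use different keys and values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample feed shaped like an indicator export with "urls" and
# "domains" keys; the real CERT-AgID JSON may differ (assumption).
SAMPLE_FEED = json.dumps({
    "urls": [
        "https://example-phish.glitch.me/pec/login",
        "https://renderforest-example.invalid/pec-avviso",
    ],
    "domains": ["example-phish.glitch.me", "renderforest-example.invalid"],
})

# Constructed proxy log lines: timestamp, client IP, requested URL (assumption).
SAMPLE_LOG = """\
2024-04-10T09:12:01Z 10.0.0.21 https://renderforest-example.invalid/pec-avviso
2024-04-10T09:12:07Z 10.0.0.21 https://example-phish.glitch.me/pec/login
2024-04-10T09:13:44Z 10.0.0.35 https://www.example.org/
2024-04-10T09:15:02Z 10.0.0.40 https://example-phish.glitch.me/assets/app.js
"""

def load_indicators(feed_text):
    """Return (url_keys, domains). URL indicators are normalised to
    host+path so scheme and trailing-slash variations still match."""
    feed = json.loads(feed_text)
    urls = set()
    domains = {d.lower().strip(".") for d in feed.get("domains", [])}
    for u in feed.get("urls", []):
        parts = urlsplit(u)
        urls.add((parts.hostname or "").lower() + parts.path.rstrip("/"))
        if parts.hostname:  # a listed URL also makes its host worth alerting on
            domains.add(parts.hostname.lower())
    return urls, domains

def match_log(log_text, urls, domains):
    """Return (client_ip, url, reason) for each log line hitting an indicator;
    exact URL hits are reported before host-only hits (incl. subdomains)."""
    hits = []
    for line in log_text.splitlines():
        try:
            _ts, client, url = line.split(maxsplit=2)
        except ValueError:
            continue  # skip malformed lines rather than abort the sweep
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host + parts.path.rstrip("/") in urls:
            hits.append((client, url, "url"))
        elif host in domains or any(host.endswith("." + d) for d in domains):
            hits.append((client, url, "domain"))
    return hits
```

Clients appearing in the hits list are candidates for the authentication-log correlation the advisory recommends, since a visit to the login page may mean credentials were submitted.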

Read more: https://cert-agid.gov.it/news/campagna-di-phishing-pec-credenziali-inoltrate-ad-un-bot-telegram/