Title: Agenzia delle Entrate – Punto Fisco: Targeted Phishing Campaign for Credential and Security Matrix Theft

CERT-AGID discovered a phishing site impersonating Siatel v2.0 / PuntoFisco that captures users’ tax code and password and then requests a photo upload of their Security Matrix. About 20 credential sets and matching security matrices were stolen; the Ministry CERT was alerted, the abusive domain was reported, and IoCs were published.

Keypoints

  • CERT-AGID detected a phishing page impersonating Siatel v2.0 (PuntoFisco) active since March 21, 2024.
  • The phishing page collects login credentials (tax code and password) via a fake authentication form.
  • After credential capture, victims are asked to complete or upload a photo of their Security Matrix tied to the account.
  • Approximately 20 credential/security-matrix pairs were confirmed stolen beginning March 24, 2024.
  • The Ministry of Economy and Finance CERT was notified, the abusive domain was reported to the registrar, and identified IoCs were shared.
  • An IoC JSON file containing indicators related to the campaign is available for download from CERT-AGID.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – attackers hosted a fake authentication page to harvest credentials (‘phishing page targeting users of Siatel v2.0 – PuntoFisco… active online since the early afternoon of March 21, 2024.’).
  • [T1583.001] Acquire Infrastructure: Domain Registration/Use – the campaign used an abusive domain to host the phishing site, which was reported to the registrar (‘The abuse of the domain has been reported to the competent Registrar’).
  • [T1078] Valid Accounts – theft of legitimate login credentials and associated Security Matrices was confirmed, enabling potential unauthorized access to services (‘the theft of approximately 20 credentials and their corresponding security matrices’).
  • [T1531] Account Discovery / Collection of Authentication Materials – attackers requested users to upload a photo of the Security Matrix to capture multi-factor authentication artifacts (‘attackers then prompt the completion or uploading of a photo of the Security Matrix’).

Indicators of Compromise

  • [URL/Image] screenshots of the phishing page, hosted on cert-agid.gov.it (not attacker infrastructure) – https://cert-agid.gov.it/wp-content/uploads/2024/03/fake_puntofisico.png, https://cert-agid.gov.it/wp-content/uploads/2024/03/phishing_matrice_sicurezza.png
  • [IoC JSON] published indicators file – https://cert-agid.gov.it/wp-content/uploads/2024/03/puntofisico-agenziaentrate_25-03-2024.json
  • [Compromise count] stolen credentials and matrices – approx. 20 credential/matrix pairs (confirmed theft starting March 24, 2024)

CERT-AGID identified a phishing scheme impersonating the Siatel v2.0 (PuntoFisco) portal, active from March 21, 2024; the fake site presented an authentication form asking for tax code and password and then requested a photo upload of the user’s Security Matrix. The Security Matrix is specifically used for access to Punto Fisco, Anagrafe dei Rapporti, and Gestione Utenti di Punto Fisco, making those authentication artifacts valuable for lateral account takeover.

Investigators confirmed the compromise of roughly 20 account credential sets along with their associated security matrices beginning March 24, 2024. In response, CERT-MEF was notified, the abusive domain was reported to its registrar, and CERT-AGID disseminated the campaign’s IoCs, publishing a downloadable JSON file of the identified indicators to support defensive actions by accredited public administrations.

Defensive guidance implied by the technical findings: treat any authentication prompts outside official PuntoFisco flows as malicious, block the reported URLs/domains from the IoC feed, and consider credential resets and matrix revocation for affected accounts. Administrators and incident responders should retrieve the published IoC JSON and apply it to perimeter filters, EDR/XDR, and identity-monitoring systems.
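
One way to turn the published JSON into a host blocklist, as an added example (not CERT-AGID's tooling and not part of the original advisory). The feed's schema is not shown on this page, so the code assumes nothing about it and walks every string value; the allow-list and the sample data are constructed assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Assumption: hosts owned by the feed's publisher; its own links must never be blocked.
PUBLISHER_HOSTS = {"cert-agid.gov.it"}
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def _strings(node):
    """Yield every string value found anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)


def _host(value):
    """Return the host named by a URL, domain or IP string (refanged), else None."""
    v = value.strip().lower().replace("hxxp", "http").replace("[.]", ".")
    try:
        if "://" in v:
            v = urlsplit(v).hostname or ""
        return str(ipaddress.ip_address(v.rstrip(".")))
    except ValueError:
        pass  # not an IP literal (or an unparsable URL): try it as a host name
    v = v.rstrip(".")
    return v if HOST_RE.match(v) else None


def blocklist_from_feed(raw_json, allow=PUBLISHER_HOSTS):
    """Return a sorted, de-duplicated list of hosts to block, minus allow-listed ones."""
    hosts = {h for s in _strings(json.loads(raw_json)) if (h := _host(s))}
    return sorted(h for h in hosts
                  if not any(h == a or h.endswith("." + a) for a in allow))


# Constructed sample, not the real feed: reserved .example names and a TEST-NET address.
SAMPLE = """{"ref": "https://cert-agid.gov.it/news/sample", "indicators": [
  {"type": "url", "value": "hxxps://login.puntofisco-sample[.]example/auth"},
  {"type": "domain", "value": "PuntoFisco-Sample.example."},
  {"type": "ip", "value": "203.0.113.7"},
  {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"}
]}"""

if __name__ == "__main__":
    print("\n".join(blocklist_from_feed(SAMPLE)))
```

Because the walk is schema-agnostic, any string that parses as a host name (a file name such as report.pdf, for instance) ends up in the output, so review the list before pushing it to filters.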

Read more: https://cert-agid.gov.it/news/agenzia-delle-entrate-punto-fisco-campagna-di-phishing-mirata-al-furto-di-credenziali-e-matrici-di-sicurezza/