Over the weekend, a malspam campaign abused compromised PEC accounts to target other Certified Email users. The messages demand 1305 euros and include a link to download an invoice, which could be phishing or malware. #ExciteIT #PEC
Key Points
- Malicious campaign used compromised PEC accounts.
- Message demands payment of 1305 euros under threat of legal action.
- Includes a suspicious link to download an invoice.
- Link points to an old domain, Excite.it.
- No payload was distributed, but basic authentication is required.
- Collaboration with PEC managers helped counter the campaign.
- Indicators of Compromise (IoC) were shared with accredited public administrations.
- Users are advised to verify payment requests for authenticity.
MITRE Techniques
- [T1566] Spearphishing Link - "The communication includes a link to download an invoice that could be a phishing attempt or malware."
- [T1078] Valid Accounts - Exploitation of compromised PEC accounts to gain unauthorized access to systems. "utilizing some compromised PEC accounts to target other users of the Certified Email service."
Indicators of Compromise
- [Domain] Excite.it - Link points to an old domain used in the campaign; main domain later blocked.
- [URL] Link to download an invoice - A link included in the message to download an invoice (exact URL not disclosed).