CERT-AGID has identified a SPID-themed phishing campaign that uses deceptive emails linking to a fake SPID portal hosted on Google Sites to collect personal and banking data. The fraudulent pages request names, addresses, contact details and IBANs; CERT-AGID requested takedown of the hosting site and distributed IoCs via its feed to accredited structures. #SPID #CERT-AGID #GoogleSites #AgID #DepartmentOfDigitalTransformation
Keypoints
- Email phishing campaign impersonates SPID services and uses subject lines such as “Important: Confirm your SPID data” and “Verify request for your digital identity”.
- The email contains a link to a fake SPID portal hosted on Google Sites that visually mimics the official SPID site and includes AgID and Department logos.
- The fraudulent page prompts victims to enter personal information including full name, residence address, email, phone number and IBAN with bank selection.
- Unlike prior campaigns, the site does not request account credentials after data submission, suggesting the collected data will be used for targeted fraud, identity theft, or resale.
- CERT-AGID requested takedown of the hosting page and distributed Indicators of Compromise (IoCs) through its feed to accredited entities.
- Users are advised to exercise caution with unexpected emails containing suspicious links and to verify communications before providing sensitive information.
MITRE Techniques
- [T1566.002] Spearphishing Link – Attackers sent deceptive emails containing a link to a fraudulent SPID portal hosted on Google Sites to lure victims into submitting personal data (‘The link in the body of the email points to a fake SPID portal hosted on Google Sites.’).
- [T1589] Gather Victim Identity Information – The phishing page solicited detailed personal and banking information (name, address, email, phone, IBAN) for use in targeted fraud or resale (‘The victim is invited to enter full name, residence address, email address, phone number and finally IBAN of their bank account.’).
Indicators of Compromise
- [Email subjects] Phishing lure examples used in campaign – “Important: Confirm your SPID data”, “Verify request for your digital identity”.
- [Hosting / Domain] Hosting service used for fraudulent portal – fake SPID portal hosted on Google Sites (Google Sites link used as hosting; specific URLs were removed and IoCs published via CERT-AGID feed).
- [IoC distribution] Incident reporting and IoC dissemination – IoCs were published and shared through the CERT-AGID feed (“Link: Download IoC” referenced for details).
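A mail-triage check built from the two indicators listed above (lure subjects and Google Sites hosting), as an added example that is not part of the CERT-AGID report. The verdict names, the brand keywords and the sample message are assumptions; the subjects are matched as worded on this page, and the URL is a placeholder, not a campaign indicator.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Lure subjects as quoted on this page (original-language wording may differ).
LURE_SUBJECTS = {
    "important: confirm your spid data",
    "verify request for your digital identity",
}
BRAND_TERMS = ("spid", "digital identity")  # assumption: keywords for near-miss subjects
HOSTING = "sites.google.com"                # hosting service named in the report
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def extract_hosts(msg):
    """Return hostnames linked from every text/plain or text/html part."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts

def triage(raw):
    """Classify one raw message; returns (verdict, reasons)."""
    msg = message_from_string(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches reported lure")
    elif any(term in subject for term in BRAND_TERMS):
        reasons.append("subject mentions SPID / digital identity")
    # Exact host comparison, so look-alike hosts are not counted as Google Sites.
    if HOSTING in extract_hosts(msg):
        reasons.append("links to Google Sites")
    verdict = "quarantine" if len(reasons) == 2 else "review" if reasons else "pass"
    return verdict, reasons

# Constructed sample message (placeholder URL).
SAMPLE = (
    "From: sender@example.net\n"
    "Subject: =?utf-8?q?Important=3A_Confirm_your_SPID_data?=\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://sites.google.com/view/PLACEHOLDER">Confirm</a>\n'
)
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single indicator only yields "review", since Google Sites also hosts legitimate pages and SPID is mentioned in genuine mail.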
Read more: https://cert-agid.gov.it/news/nuova-campagna-di-phishing-a-tema-spid-sfrutta-google-sites/